Authentication & Authorization

Authentication

  • The Goal: Identity Verification.
  • The Action: The system challenges the user to prove they are who they claim to be.
  • Common “Factors”:
    • Something you know (Password)
    • Something you have (A physical key, or a code sent to your phone)
    • Something you are (Fingerprint or Face ID)
  • Result: You are “Logged In.”

Authorization

  • The Goal: Access Control.
  • The Action: The system checks its internal rules to see what an already authenticated person is allowed to see or touch.
  • Common “Rules”:
    • Roles: “Is this user an Admin or a Guest?”
    • Permissions: “Does this user have the edit_billing permission?”
  • Result: You are “Permitted” or “Denied.”
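The two steps above are separate checks that run in a fixed order: first verify identity, then consult the rules. The following is an added example (not code from the original page) that makes the split explicit. The user store, usernames, passwords and the `edit_billing` / `view_reports` permission names are constructed for the demo; only `edit_billing`, `Admin` and `Guest` come from the text. It also shows the status codes a web service conventionally returns for each failure: 401 when identity was not verified, 403 when it was verified but the rules say no.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Passwords are stored as salted PBKDF2 hashes so the plaintext never sits on the server.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    role: str                      # e.g. "Admin" or "Guest" (the page's role examples)
    permissions: set = field(default_factory=set)


def make_user(username: str, password: str, role: str, permissions) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt), role, set(permissions))


# Constructed demo user store (assumption for the example, not from the original page).
USERS = {
    "alice": make_user("alice", "correct horse", "Admin", {"edit_billing", "view_reports"}),
    "bob": make_user("bob", "battery staple", "Guest", {"view_reports"}),
}


def authenticate(username: str, password: str) -> Optional[User]:
    """Step 1, identity verification with a 'something you know' factor.

    Returns the User record on success, None otherwise.
    """
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username takes as long as a wrong password,
        # which avoids leaking which usernames exist through timing.
        _hash_password(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return user
    return None


def authorize(user: User, permission: str) -> bool:
    """Step 2, access control: check the rules for an already authenticated user."""
    return permission in user.permissions


def handle_request(username: str, password: str, permission: str) -> int:
    """Run both steps in order and return the HTTP status a web service would send."""
    user = authenticate(username, password)
    if user is None:
        return 401  # identity not verified: the user is not "Logged In"
    if not authorize(user, permission):
        return 403  # logged in, but the rules say "Denied"
    return 200      # logged in and "Permitted"


if __name__ == "__main__":
    print(handle_request("alice", "correct horse", "edit_billing"))   # Admin with the permission
    print(handle_request("bob", "battery staple", "edit_billing"))    # Guest without it
    print(handle_request("bob", "wrong password", "view_reports"))    # never gets past step 1
```

Note that `authorize` is never reached unless `authenticate` succeeded, and that it checks a concrete permission rather than the role name: a role is a convenient way to assign permissions in bulk, but the decision at the point of access should be about the permission the action actually needs.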

In the early days of the web, every time you clicked a button, the server “forgot” who you were. To fix this, we needed a way for the server to remember you without making you type your password on every single page. This leads to two main ways of “remembering” a user.

Option 1: Sessions

  • How it works: When you log in, the server stores your information (a “Session”) in its own memory and gives you a Session ID (usually stored in a Cookie).
  • The Catch: The server has to keep a huge list of everyone who is logged in. If you have millions of users, the server’s memory gets very full.

Option 2: Tokens

  • How it works: When you log in, the server (or a service like Auth0) gives you a Token (a piece of digital data).
  • The Benefits: The server doesn’t need to remember you. You carry the token with you. Every time you make a request, you show the token. The server just validates the token’s “signature” to make sure it’s real.
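Both approaches side by side, as an added example that is not code from the original page. The session side keeps a server-side dictionary keyed by a random Session ID; the token side keeps only a signing key and checks an HMAC-SHA256 signature over the token payload. The token format (base64url payload, a dot, base64url signature), the one-hour lifetime and the `exp` claim name are assumptions made for this demo, not a standard the page describes, and the signing key is generated at start-up rather than loaded from a secret store.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# ---------- Option 1: Sessions (the server remembers) ----------

SESSIONS: dict = {}  # session_id -> user record; one entry per logged-in user


def session_login(username: str) -> str:
    """Store the user server-side and hand back the ID that goes in the cookie."""
    session_id = secrets.token_urlsafe(32)  # random and unguessable; it is the only secret
    SESSIONS[session_id] = {"user": username, "created": time.time()}
    return session_id


def session_lookup(session_id: str) -> Optional[dict]:
    """Every request costs a lookup in the server's list of sessions."""
    return SESSIONS.get(session_id)


def session_logout(session_id: str) -> None:
    """Deleting the entry invalidates the cookie immediately."""
    SESSIONS.pop(session_id, None)


# ---------- Option 2: Tokens (the client carries the proof) ----------

# Constructed for the demo; a real service loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_issue(username: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Sign a payload with the server key; nothing is stored server-side."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": username, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def token_validate(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None. No lookup needed."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload was altered or signed by someone without the key
    claims = json.loads(payload)  # safe to parse: only server-signed payloads get here
    if claims.get("exp", 0) < now:
        return None  # the token has expired
    return claims


def edit_token_user(token: str, new_user: str) -> str:
    """Rewrite the user claim but keep the old signature, to show what validation catches."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["user"] = new_user
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{sig_b64}"


if __name__ == "__main__":
    sid = session_login("alice")
    print(session_lookup(sid), len(SESSIONS))      # record found, list has one entry
    tok = token_issue("alice")
    print(token_validate(tok), len(SESSIONS))      # claims returned, list unchanged
    print(token_validate(edit_token_user(tok, "admin")))  # None: signature no longer matches
```

The trade-off the page describes is visible in the two data structures: `SESSIONS` grows with every login, while the token side stores nothing per user. The flip side, which a practitioner should keep in mind, is also visible: `session_logout` removes a session instantly, whereas there is nothing on the server to delete for a token, so it stays valid until its `exp` time passes.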