Authentication and Authorization - Notes By ShariqSP

Understanding Authentication and Authorization

Authentication

Authentication is the process of verifying the identity of a user or system. It ensures that the entity claiming to be someone is indeed who they claim to be. Authentication typically requires credentials such as a username and password, biometric verification, or tokens.

Types of Authentication

  • Password-Based Authentication: The most common method where users provide a username and a password to verify their identity.
    Example: Logging into an email account using an email address and password.
  • Biometric Authentication: Uses unique physical characteristics like fingerprints, facial recognition, or retinal scans.
    Example: Unlocking a smartphone using Face ID or a fingerprint scanner.
  • Multi-Factor Authentication (MFA): Combines two or more verification methods, such as a password and a one-time code sent to a phone.
    Example: Logging into a bank account with a password and a code sent to your phone.
  • Token-Based Authentication: Uses tokens (e.g., JSON Web Tokens or session tokens) to verify identity.
    Example: Accessing a web application where a server issues a JWT upon successful login.

Authorization

Authorization is the process of granting or denying specific permissions to an authenticated user or system. It determines what actions or resources a user is allowed to access.

Types of Authorization

  • Role-Based Access Control (RBAC): Assigns permissions to users based on their roles within an organization.
    Example: A "manager" role having access to edit and view reports, while a "staff" role only has view access.
  • Attribute-Based Access Control (ABAC): Grants access based on attributes like user, resource, or environment.
    Example: A user can access documents only during working hours and from a company device.
  • Discretionary Access Control (DAC): The owner of the resource determines access permissions.
    Example: A file owner sharing specific files with selected colleagues.
  • Mandatory Access Control (MAC): Access is granted based on predefined security policies.
    Example: Classified information in a government system, where access is determined by security clearance levels.

Scenario Demonstrating Authentication and Authorization

Consider an employee accessing a company’s internal portal:

  1. Authentication: The employee enters their username and password to log in. The system verifies the credentials and confirms the user’s identity.
    Example: The login process ensures the employee is a legitimate user.
  2. Authorization: Once authenticated, the system checks the employee’s role and permissions to determine what resources they can access. For instance, an "HR manager" role may have access to employee records, while a "developer" role may not.
    Example: The HR manager is allowed to view salary details, but a software developer is not.

Advanced Authentication Methods

Basic Authentication

Basic Authentication uses a simple approach where the user’s credentials (username and password) are joined as username:password, encoded in base64, and included in the HTTP Authorization header of each request.

Example: Accessing a REST API by providing encoded credentials in the HTTP request.
Real-World Use: Testing APIs during development using tools like Postman or curl.
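The two steps of the portal scenario above (verify identity, then check the role's permissions), driven by the Basic scheme just described, as an added Python example that is not part of these notes. The user names, passwords, roles, permission names and the fixed demo salt are all constructed for illustration.

```python
import base64
import hashlib
import hmac
# Constructed demo data (not from the notes); roles follow the page's scenario.
SALT = b"constructed-demo-salt"  # a real system uses a random salt per user
def hash_password(password: str) -> bytes:  # never store passwords in clear
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {
    "alice": {"hash": hash_password("alice-pw"), "role": "hr_manager"},
    "bob": {"hash": hash_password("bob-pw"), "role": "developer"},
}
ROLE_PERMISSIONS = {  # RBAC: only the HR manager may view salary details
    "hr_manager": {"view_employee_records", "view_salary_details"},
    "developer": {"view_source_code"},
}

def parse_basic_header(header: str):
    """Decode 'Basic <base64(user:password)>'; returns None if malformed."""
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(header: str):  # Step 1: verify identity; username or None
    user, password = parse_basic_header(header) or ("", "")
    record = USERS.get(user)
    # Constant-time compare even for unknown users: timing must not leak
    # which usernames exist.
    expected = record["hash"] if record else hash_password("")
    ok = hmac.compare_digest(expected, hash_password(password))
    return user if ok and record else None

def authorize(user: str, permission: str) -> bool:  # Step 2: RBAC check
    return permission in ROLE_PERMISSIONS.get(USERS[user]["role"], set())

def handle_request(header: str, permission: str) -> str:
    user = authenticate(header)
    if user is None:
        return "401 Unauthorized"  # authentication failed
    if not authorize(user, permission):
        return "403 Forbidden"  # authenticated, but not permitted
    return "200 OK"

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Because base64 is an encoding rather than encryption, anyone who can read the header recovers the password, so Basic Authentication is only acceptable over TLS.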

Bearer Authentication

Bearer Authentication uses a token, usually issued by an authentication server, to verify the user’s identity. The token is included in the Authorization header of HTTP requests.

Example: Accessing a secured endpoint of an API using a token like a JSON Web Token (JWT).
Real-World Use: Using OAuth2 access tokens to interact with APIs like Google Drive or GitHub.

OAuth 1.0

OAuth 1.0 is a protocol that provides a secure way for third-party applications to access a user’s resources without sharing credentials. It uses cryptographic signatures and includes both a client key and secret.

Example: An application accessing a user’s Twitter account to post tweets on their behalf.
Real-World Use: Legacy integrations with platforms that still support OAuth 1.0.

OAuth 2.0

OAuth 2.0 is an authorization framework that allows third-party applications to request limited access to a user’s resources via tokens. It simplifies OAuth 1.0 by removing the need for cryptographic signatures and offers various flows, such as Authorization Code Flow and Client Credentials Flow.

Example: A user granting an application permission to access their Google Calendar.
Real-World Use: Logging into websites using "Sign in with Google" or "Sign in with Facebook."