Authentication and Authorization - Notes by ShariqSP
Understanding Authentication and Authorization
Authentication
Authentication is the process of verifying the identity of a user or system. It ensures that the entity claiming to be someone is indeed who they claim to be. Authentication typically requires credentials such as a username and password, biometric verification, or tokens.
Types of Authentication
- Password-Based Authentication: The most common method, where users provide a username and a password to verify their identity.
  Example: Logging into an email account using an email address and password.
- Biometric Authentication: Uses unique physical characteristics like fingerprints, facial recognition, or retinal scans.
  Example: Unlocking a smartphone using Face ID or a fingerprint scanner.
- Multi-Factor Authentication (MFA): Combines two or more verification methods, such as a password and a one-time code sent to a phone.
  Example: Logging into a bank account with a password and a code sent to your phone.
- Token-Based Authentication: Uses tokens (e.g., JSON Web Tokens or session tokens) to verify identity.
  Example: Accessing a web application where the server issues a JWT upon successful login.
Authorization
Authorization is the process of granting or denying specific permissions to an authenticated user or system. It determines what actions or resources a user is allowed to access.
Types of Authorization
- Role-Based Access Control (RBAC): Assigns permissions to users based on their roles within an organization.
  Example: A "manager" role has access to edit and view reports, while a "staff" role only has view access.
- Attribute-Based Access Control (ABAC): Grants access based on attributes of the user, the resource, or the environment.
  Example: A user can access documents only during working hours and from a company device.
- Discretionary Access Control (DAC): The owner of the resource determines access permissions.
  Example: A file owner sharing specific files with selected colleagues.
- Mandatory Access Control (MAC): Access is granted based on predefined security policies.
  Example: Classified information in a government system, where access is determined by security clearance levels.
Scenario Demonstrating Authentication and Authorization
Consider an employee accessing a company’s internal portal:
- Authentication: The employee enters their username and password to log in. The system verifies the credentials and confirms the user's identity.
  Example: The login process ensures the employee is a legitimate user.
- Authorization: Once authenticated, the system checks the employee's role and permissions to determine which resources they can access. For instance, an "HR manager" role may have access to employee records, while a "developer" role may not.
  Example: The HR manager is allowed to view salary details, but a software developer is not.
Advanced Authentication Methods
Basic Authentication
Basic Authentication uses a simple approach where the user's credentials (username and password) are base64-encoded and included in the Authorization header of every request. Base64 is a reversible encoding, not encryption, so the credentials are readable by anyone who can observe the request; Basic Authentication is therefore only acceptable over HTTPS.
Example: Accessing a REST API by providing encoded credentials in the HTTP request.
Real-World Use: Testing APIs during development using tools like Postman or curl.
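The portal scenario above, carried through in code: the server parses a Basic Authorization header, checks the password against a stored hash, and then applies an RBAC policy before serving the request. This is an added example, not code from the original notes; the user store, salt, role names and actions are constructed for illustration.

```python
import base64
import hashlib
import hmac

def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2 password hash; plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"  # real systems use a random salt per user
# Constructed user store for the portal scenario: hashed password + role
USERS = {
    "alice": {"pw": _hash_pw("hr-pass", _SALT), "role": "hr_manager"},
    "bob": {"pw": _hash_pw("dev-pass", _SALT), "role": "developer"},
}
_DUMMY_HASH = _hash_pw("", _SALT)  # compared against for unknown users

# RBAC policy: role -> set of permitted actions
ROLE_PERMISSIONS = {
    "hr_manager": {"view_records", "view_salary"},
    "developer": {"view_records"},
}

def authenticate(authorization_header: str):
    """Parse an HTTP Basic Authorization header; return username or None."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        return None
    user = USERS.get(username)
    # Always hash and compare so unknown usernames take the same time
    expected = user["pw"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(_hash_pw(password, _SALT), expected)
    return username if user and ok else None

def authorize(username: str, action: str) -> bool:
    """RBAC check: does the user's role permit this action?"""
    return action in ROLE_PERMISSIONS.get(USERS[username]["role"], set())

def handle_request(authorization_header: str, action: str) -> int:
    """401 if credentials fail, 403 if the role lacks the action, else 200."""
    user = authenticate(authorization_header)
    if user is None:
        return 401
    return 200 if authorize(user, action) else 403
```

Note that the two failure modes map to different HTTP statuses: a bad or missing credential is an authentication failure (401), while a valid login that lacks the permission is an authorization failure (403).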
Bearer Authentication
Bearer Authentication uses a token, usually issued by an authentication server, to verify the user’s identity. The token is included in the Authorization header of HTTP requests.
Example: Accessing a secured endpoint of an API using a token like a JSON Web Token (JWT).
Real-World Use: Using OAuth2 access tokens to interact with APIs like Google Drive or GitHub.
OAuth 1.0
OAuth 1.0 is a protocol that provides a secure way for third-party applications to access a user’s resources without sharing credentials. It uses cryptographic signatures and includes both a client key and secret.
Example: An application accessing a user’s Twitter account to post tweets on their behalf.
Real-World Use: Legacy integrations with platforms that still support OAuth 1.0.
OAuth 2.0
OAuth 2.0 is an authorization framework that allows third-party applications to request limited access to a user’s resources via tokens. It simplifies OAuth 1.0 by removing the need for cryptographic signatures and offers various flows, such as Authorization Code Flow and Client Credentials Flow.
Example: A user granting an application permission to access their Google Calendar.
Real-World Use: Logging into websites using "Sign in with Google" or "Sign in with Facebook."