
What Is the Difference Between Authorization and Authentication?

As a Node.js developer, there is a good chance you will build a login page. Along with the login page, you will probably have to determine what each logged-in user is permitted to do. Those two tasks are authentication and authorization. They are core concepts, and getting them right is fundamental to keeping a web application both functional and secure.

In this tutorial we’ll:

  • Explore how to authenticate users in Node
  • Explore the concept of authorization in Node
  • Learn the difference between authentication and authorization

By the end of this Node.js tutorial, you will have a clear understanding of how user authentication and user authorization work together to keep Node.js applications secure.

This tutorial is part 1 of 7 tutorials that walk through using Express.js to handle user authentication and authorization. Along the way you’ll learn about creating and validating forms, and about both session-based and JSON Web Token (JWT) authentication. This set of tutorials includes:

Goal

Understand the difference between user authorization and user authentication, and how they work together to secure web applications.

Prerequisites

None

What is authentication?

Authentication is the process of verifying that someone is who they claim to be. In server-side web development, that usually means checking whether a user’s credentials are valid. The most common form of user authentication is to give each user a unique username and a secret password. The user enters their username and password to log in to the website. The server looks up the record for that username and checks the submitted password against it. Note that a well-built application never stores the password itself; it stores a salted hash of the password and compares the hash of what was submitted. If the two match, the credentials are valid.

When you correctly enter your username and password, you are proving to the application who you are. That is authentication.

What is authorization?

If you are authorized to do something, you are allowed to do it. For example, a valid driver’s license authorizes you to drive. But not all drivers are given the same permissions. A commercial driver’s license (CDL) and the endorsements added to it give a driver permission to operate additional types of vehicles.

Logging in with valid credentials gets you authenticated; what you are then authorized to access depends on your account. For example, when a user logs in to their internet service account, they are given access to their own account information such as account number, internet plan, and billing. If they also subscribe to a TV plan, they may additionally be allowed to view the corresponding TV channels.

Server-side developers often write authorization code. This code will determine what the user has permission to see and do.

If a user has an account, they may gain access to the web application. But not all users are given access to the same information. There is some information that is specific to the user and some information that is specific to the user type. Examples of user types may be paid and unpaid. Many applications give basic usage for free to all registered users, and provide additional features to paid users.

User type may also get defined by the users’ position at a company. A manager may have access to information and functionality that their subordinates may not access. Accountants may have different permissions than sales agents. There are many ways that user types may be defined.
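The following is an added example, not code from the original tutorial, of the two kinds of authorization rule discussed above written as Express-style middleware: a role check for information specific to a user type, and an ownership check for information specific to the individual user. It assumes an earlier authentication step has already attached the logged-in user to `req.user` (from a session or a verified JWT, which later tutorials in this set cover). The account records, usernames, roles and the small `run` helper that stands in for Express’s request pipeline are constructed for the example so it runs without installing Express.

```javascript
// Added example (not from the original tutorial): authorization middleware in
// the Express (req, res, next) shape. Assumes req.user was set by an earlier
// authentication step; these functions only decide what that user may do.

// Constructed sample data; a real app would load this from a database.
const accounts = {
  101: { id: 101, owner: 'alice', plan: 'premium', billing: '$60/mo' },
  102: { id: 102, owner: 'bob',   plan: 'basic',   billing: '$30/mo' },
};

// Authorization by user type: only the listed roles may continue.
// 401 = not authenticated at all; 403 = authenticated but not permitted.
function requireRole(...allowedRoles) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'not authenticated' });
    if (!allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    next();
  };
}

// Authorization by ownership: a user may read only their own account.
// The decision is made on the server from req.user, never from anything the
// client sends; trusting the client's account id alone would let any user
// read any account just by changing the number in the URL.
function requireAccountOwner(req, res, next) {
  if (!req.user) return res.status(401).json({ error: 'not authenticated' });
  const account = accounts[req.params.id];
  if (!account) return res.status(404).json({ error: 'no such account' });
  if (account.owner !== req.user.username && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'forbidden' });
  }
  req.account = account;
  next();
}

// Route handlers that run only after the checks above have called next().
function getAccount(req, res) {
  res.status(200).json(req.account);
}
function getPremiumReport(req, res) {
  res.status(200).json({ report: `usage report for ${req.user.username}` });
}

// Minimal stand-in for Express's pipeline so the example runs offline:
// calls each handler in turn until one sends a response instead of calling next().
function run(handlers, req) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
  for (const handler of handlers) {
    let nextCalled = false;
    handler(req, res, () => { nextCalled = true; });
    if (!nextCalled) break;
  }
  return res;
}

// Constructed users: alice is a paid subscriber, bob is on the free tier.
const alice = { username: 'alice', role: 'paid' };
const bob   = { username: 'bob',   role: 'free' };

console.log(run([requireAccountOwner, getAccount], { user: alice, params: { id: '101' } }).statusCode); // 200
console.log(run([requireAccountOwner, getAccount], { user: bob,   params: { id: '101' } }).statusCode); // 403
console.log(run([requireRole('paid', 'admin'), getPremiumReport], { user: alice }).statusCode);         // 200
console.log(run([requireRole('paid', 'admin'), getPremiumReport], { user: bob }).statusCode);           // 403
console.log(run([requireRole('paid', 'admin'), getPremiumReport], {}).statusCode);                      // 401
```

In a real Express app the same functions are mounted directly, for example `app.get('/account/:id', requireAccountOwner, getAccount)`; the `run` helper only replaces that wiring so the checks can be exercised here.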

What is the difference between authorization and authentication?

Let’s say you are going out to a bar. There is a bouncer outside who checks your ID. When they compare your face to the picture, they are authenticating that you are the person on the ID. They then look at your birthday. Being over 21 authorizes you to enter the bar.

The authentication code validates who the user is; then the authorization code decides what that user may access. Authentication answers “who are you?” while authorization answers “what are you allowed to do?”.

Authorization and authentication work together

As you can see, authorization and authentication work hand in hand, securing web applications. First, the user gets authenticated, then they are given authorization. The point of authenticating someone is usually to determine what they have the authorization to see and do.

Recap

When you log in to a web application, you prove to the software who you are; the application then works out what you are allowed to access. Authentication is the process of validating who the user is. Authorization is the set of rules that determine what that user can see and do. Authentication and authorization work together to secure applications, making sure that only people with the appropriate permissions gain access to information and features.

Keep going with the next tutorial in this set: What Are Form Validation and Sanitization?.

Further your understanding

  • What user types may log into the application you are working on?
  • Can you think of an application that would have authentication, but not need authorization?
  • What is multi-factor authentication?

Additional resources