Introducing authentication and authorization
Authentication and authorization are two concepts in web application security, often used together but with distinct purposes, as described in the following list:
- Authentication, aka “who are you?” This is the process of verifying the identity of a user. When a user attempts to log in to an application, the system checks whether the credentials provided by the user (for example, a username and password) match those stored in the system. Successful authentication confirms that the user is who they claim to be. Once authentication has occurred, a system often provides the client with a token that the client submits with future requests so that it does not have to re-authenticate each time. These tokens can be HTTP cookies, JSON objects, or another format such as JWT (JSON Web Tokens) that can encapsulate additional claims.
- Authorization aka “what can you do?” Once the user is authenticated, authorization determines what resources...
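The authentication flow described above, as an added example that is not part of the original text: credentials are checked against a salted password hash, a signed token carrying claims (subject, issued-at, expiry) is issued on success, and later requests present that token, which the server verifies without touching the credential store again. The user store, the secret, the token layout and all function names are assumptions for this illustration; the token is a minimal HMAC-signed payload in the spirit of a JWT, not a real JWT library.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple

# Hypothetical server-side signing key (constructed here; a real deployment
# would load it from a secrets store, never hard-code or regenerate it).
SERVER_SECRET = os.urandom(32)

# Constructed in-memory user store: username -> (salt, pbkdf2 digest).
_USERS: Dict[str, Tuple[bytes, bytes]] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def register(username: str, password: str) -> None:
    _USERS[username] = hash_password(password)


def authenticate(username: str, password: str) -> bool:
    """'Who are you?': return True only if the supplied credentials match the stored hash."""
    record = _USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password
        # (reduces timing-based username enumeration).
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(username: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Issue '<base64 claims>.<base64 HMAC>' after a successful login."""
    now = now if now is not None else int(time.time())
    claims = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest())
    return (payload + b"." + sig).decode()


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = now if now is not None else int(time.time())
    parts = token.encode().split(b".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = _b64(hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired or malformed
    return claims


def login(username: str, password: str) -> Optional[str]:
    """Combine the two steps: authenticate, then hand back a token for later requests."""
    return issue_token(username) if authenticate(username, password) else None


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed credentials
    tok = login("alice", "correct horse battery staple")
    print("token issued:", tok is not None)
    print("subject on later request:", verify_token(tok)["sub"])
```

Two properties worth noticing: the password itself is never stored and never compared directly, and the token check is purely cryptographic, so a request carrying a valid, unexpired token is accepted without a database lookup, while any change to the claims or the signature, or an expired `exp`, is rejected.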