Authentication & Authorization.

Abinash Panda
3 min read · Jan 23, 2020

To build a software application we have to consider security measures that keep our users safe. That is why we need to know how to validate a user and how to check whether that user has the right to perform a particular action.

Authentication and authorization sound very similar, but they are not the same thing. In simple terms, authentication means the user proves who they are by presenting some credentials, and authorization means the user has the right to perform a particular action.

Ex. of authentication: You want to access your social media account, but before it gives you any access it authenticates you by your ‘username’ and ‘password’.

Ex. of authorization: After logging in you want to delete two posts, one of them yours and the other from a different person. In that case you are authorized to delete your own post, but you are not authorized to delete someone else’s post.

So you first authenticate the user and only then authorize the user: in the example above, after a user successfully presents their credentials, that person can delete or create a post.

In a web app, we can authenticate a user in different ways. Here are 3 commonly used implementations; each one has its own advantages and disadvantages.

session-cookie:

In this method, when a client logs in with its credentials, the server checks them against the database. If the credentials are correct, it creates a temporary session id and sends it to the client using a Set-Cookie header, and the client sends that cookie back with every request. When the user logs out, the cookie and the session id are cleared.

Ex. of a cookie:

196=iN8baL_KFqynW8B8xTAqbAniF8rY9H4MErH-m2zGUCTJm2FZO8ezzcC0j6Eg710iXJgieGnwUm1qGlBLeOLF8jBBdvNaxvqkB1EM818mYkS97ArwpNNlKCMTbo2DKM_vp7OAXgUcbkIRdk6yykXUXBGVQal1b1k60VRryVeWAVXV-EZtW1p2YFwXX2nazS2kfRdaUZISt-jD1KUOEJ9c-SBC4weikAegu4gZCaA7Mcs

Advantages:

  • A third party can’t read the user’s data from the cookie; it only holds an opaque session id.
  • Only the server can map the session id back to the data.
  • You can protect the cookie by setting cookie flags.

Disadvantage:

  • The session id must be stored on the server side.
  • Single point of failure: if the session DB crashes, all users need to log in again.
  • In a modern browser, one site can store up to 50 cookies, and the max size of each is 4 KB.

JWT :

JSON Web Token was introduced in 2010. In the token method, when the user logs in with credentials, the server checks them; if they are correct, the server generates a token containing the user’s data, and the client stores it either in local storage or session storage.

Advantage:

  • Reduces the use and storage of the DB.

Disadvantage:

  • It is stored in plain text (the payload is only encoded, not encrypted).
  • It can only be removed explicitly.

Ex. of a JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.InCHb8-wiuAwGAjDK_WTJlNSJxF55oNZv2-EPlD6Lvs

A JWT contains a header, a payload and a signature, separated by dots. When decoded it looks like this:

header {
"alg": "HS256",
"typ": "JWT"
}
payload {
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
verify signature HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),

)
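The structure above, worked through in Python with only the standard library, as an added example that is not part of the original article: encode_jwt builds the three dot-separated segments exactly as jwt.io does, and verify_jwt shows the two checks a server must do before trusting the payload (pin the algorithm, then compare the HMAC in constant time). The secret is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment uses a long random key kept server-side.
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    # JWT uses base64url without the trailing '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that b64url stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_jwt(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) so the segments match the article's decoded example.
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    # Third segment: HMAC-SHA256 over "header.payload" with the server secret.
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the token is well-formed and the signature matches."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Pin the algorithm server-side; never let the token choose it
        # (this rejects "none" and algorithm-confusion tokens).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature can't be guessed byte by byte.
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
```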

OAuth:

Open Authorization (OAuth) is a protocol commonly used in mobile apps and web apps. In this scenario you don’t need to create an account to use a service, but you do need an existing account with an OAuth provider, e.g. Google, Facebook or Twitter.

Status codes:

  • 401 Unauthorized means you failed to verify your credentials (authentication failed).
  • 403 Forbidden means you don’t have the authority to make that request (authorization failed).

Thanks for reading.
