Soren Learning

Chapter 1

Authentication vs. Authorization — The Twin Pillars of Security

SecuritySystemDesignWebDevZeroTrust
Listen to this article

I. Introduction: The Core Question

In the world of software engineering, we often hear "Auth" used as a blanket term. However, as a Senior Product Builder, you must distinguish between the two fundamentally different functions: Authentication (AuthN) and Authorization (AuthZ).

Mixing them up isn't just a terminological error—it's a structural vulnerability that can lead to catastrophic data breaches.

The Real-World Analogies

To understand the difference, let's look at two common scenarios:

  • The Airport: When you show your Passport at the security checkpoint, that is Authentication (proving who you are). When you present your Boarding Pass to the gate agent, that is Authorization (proving you have the right to board a specific flight).
  • The Nightclub: Showing your ID to the bouncer to prove you are of age is Authentication. Wearing a "VIP Wristband" that allows you into the private lounge is Authorization.

II. What is Authentication (AuthN)?

Definition: The process of verifying that a user or system is exactly who they claim to be. It is the "Identity Layer" of your application.

How it Works: The Three Factors

Users prove their identity by presenting credentials, categorized into three factors:

  1. Knowledge: Something you know (Passwords, PINs, or security questions).
  2. Possession: Something you have (One-time passcodes (OTP), physical security keys like YubiKey).
  3. Inherence: Something you are (Biometrics like fingerprints or facial recognition).

The Standard: OpenID Connect (OIDC)

In modern web architecture, AuthN is generally governed by OIDC. It sits on top of OAuth 2.0 to provide an identity layer, allowing clients to verify the identity of the end-user.

  • Token Type: AuthN systems issue ID Tokens (usually in JWT format) which contain claims about the user (name, email, etc.).

III. What is Authorization (AuthZ)?

Definition: The process of determining what an authenticated user is allowed to access or perform. It is governed by the Principle of Least Privilege, ensuring users only have the bare minimum access required.

Common Access Control Models

  • Role-Based Access Control (RBAC): Permissions are tied to predefined roles (e.g., Admin, Editor, Viewer). Simple to implement but can become rigid.
  • Attribute-Based Access Control (ABAC): A more dynamic approach evaluating attributes like "User Department," "Resource Type," and even "Time of Day."
  • MAC/DAC: Centrally defined blanket policies (Mandatory) versus owner-defined flexible rules (Discretionary).

The Standard: OAuth 2.0

OAuth 2.0 is the industry-standard framework for Authorization. It answers the question: "What can this application access on behalf of the user?"

  • Token Type: AuthZ relies on Access Tokens to delegate and prove permissions to protected resources.

IV. The Showdown: Key Differences

Feature Authentication (AuthN) Authorization (AuthZ)
Order of Operations Happens first Happens second (must be authenticated)
Visibility Highly visible (Login forms) Usually invisible (Background checks)
Control User-managed (Passwords) Admin-managed (Permissions)
Protocol OIDC OAuth 2.0
Primary Goal Identity Verification Access Management

V. Implementing Auth in Modern Architecture

As you move from monoliths to microservices, "Auth" becomes a complex distributed systems problem.

1. Monoliths vs. Microservices

In a monolith, checking permissions is a simple database join. In Microservices, authorization is challenging because data is fragmented.

2. Strategies for Microservice AuthZ

  • API Gateway Pattern: The gateway validates the token and passes user roles to downstream services via headers.
  • Centralized Authorization (Zanzibar Model): Pioneered by Google, this model uses a dedicated service to manage all relationship-based access checks (e.g., "Can User A edit Document B?").
  • Sidecar Pattern: Using a service mesh (like Istio) to handle policy enforcement at the network level.

3. Stateful vs. Stateless

  • Stateful (Sessions): Stored in a database/Redis. Offers immediate revocation but harder to scale globally.
  • Stateless (JWT): Cryptographically signed tokens. Extremely fast and scalable, but difficult to revoke before they expire without a "blacklist" mechanism.

VI. Conclusion: Toward Zero Trust

In a modern Zero Trust Architecture, we never "trust" a connection just because it's inside our network. Both AuthN and AuthZ must be continuously verified.

Strong Authentication prevents hackers from taking over accounts, while granular Authorization limits the "blast radius" if a breach ever occurs. For a Product Builder, mastering these two is not just about security—it's about building a foundation of trust that allows your product to scale safely.