Authentication vs Authorization Explained!


I have gone through 6 interviews till now, out of which I was asked about Authentication and Authorization in 4 of them. So, it is very important for you to have a clear understanding of this topic.

Now it's time to begin.

1. Authentication

Authentication is the process of verifying that a user really is who he claims to be. In practice this means checking a credential the user presents (a password, a token, a client certificate) against what the server has on record for that account. For example, suppose you have a website and you have divided all users into two categories.

  1. Admin User
  2. Customer

If a user visits your site and logs in as a particular account, your web app checks the password (or other credential) presented against the stored credential for that account. If it matches, the user is authenticated as that account; otherwise authentication fails.

The same check applies whether the account is an admin or a customer. Authentication only establishes which account is logging in; whether that account is an admin or a customer is an attribute of the identity that authorization uses afterwards, not something the login step decides on its own.

Recall what I said: it's a process of checking and identifying a user against what he claims to be.

2. Authorization

Once a user is authenticated, authorization comes into play.

Authorization decides which parts of the app an authenticated user may access, and to what extent he may access them (read only, or read and modify). Let's take an example to understand it better.

A customer can view and edit his own details, but he cannot view or modify anyone else's. An admin, on the other hand, can view the details of all customers.

Note that even an admin cannot see users' passwords. Why? Partly because he is not authorized to: the admin role has no permission to read credentials. But in a well-built app there is nothing to see anyway, because passwords are stored only as salted hashes, so the app itself cannot recover them. That is why I told you earlier to consider to what extent one can have access.

Another point

A customer can view his details, including the items in his cart, but he can't modify the total cart amount. The total must be computed on the server from the server's own price list; any total sent by the client is untrusted input and must never be used to charge him. (Imagine if we were allowed to modify our cart amount, then I would have purchased all products of Amazon for free.)

Similarly, an admin can view users but not necessarily be allowed to modify their details.

Such restrictions are defined by the programmer who developed the app, and they must be enforced on the server for every request. Hiding a button in the UI is not authorization; a user can still send the request directly.

So the conclusion is, authorization lets us prevent users from performing any action they are not supposed to perform.
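The following Python example is added here to show both halves of the article in working code; it is not the article's own code. The user store, the accounts alice (admin) and bob (customer), the email addresses and the price list are all constructed for the example. Authentication verifies a password against a stored salted hash with a constant-time comparison; authorization is then a separate check on every action: a customer reads and edits only his own record, an admin reads everyone's but edits nobody's, nobody gets the password hash back, and the cart total is computed on the server rather than accepted from the client.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed user store for this example: one admin and one customer.
# Passwords are never kept in clear text, only a random salt and a PBKDF2-HMAC hash.


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class User:
    username: str
    role: str                                  # "admin" or "customer"
    salt: bytes
    pw_hash: bytes
    email: str
    cart: dict = field(default_factory=dict)   # item name -> quantity


def make_user(username: str, role: str, password: str, email: str) -> User:
    salt = os.urandom(16)
    return User(username, role, salt, hash_password(password, salt), email)


USERS = {
    "alice": make_user("alice", "admin", "correct horse", "alice@example.com"),
    "bob": make_user("bob", "customer", "battery staple", "bob@example.com"),
}
USERS["bob"].cart = {"book": 2, "pen": 3}

# Assumed server-side price list in cents. The client never supplies prices or totals.
PRICES = {"book": 1500, "pen": 200}


# ---- Authentication: is the caller really the account it claims to be? ----

def authenticate(username: str, password: str):
    """Return the User if the password matches the stored hash, else None."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown accounts so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, user.salt)
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(candidate, user.pw_hash):
        return None
    return user


# ---- Authorization: what may this authenticated principal do? ----

class Forbidden(Exception):
    """Raised when an authenticated user attempts an action outside his rights."""


def _require_owner_or_admin(actor: User, target_username: str) -> User:
    target = USERS[target_username]
    if actor.role != "admin" and actor.username != target.username:
        raise Forbidden(f"{actor.username} may not access {target_username}")
    return target


def view_details(actor: User, target_username: str) -> dict:
    """A customer sees only his own record; an admin sees anyone's.
    Nobody, admin included, gets the salt or password hash back."""
    target = _require_owner_or_admin(actor, target_username)
    return {"username": target.username, "role": target.role,
            "email": target.email, "cart": dict(target.cart)}


def edit_email(actor: User, target_username: str, new_email: str) -> None:
    """Only the owner may modify his details; viewing rights do not imply editing rights."""
    if actor.username != target_username:
        raise Forbidden(f"{actor.username} may not edit {target_username}")
    USERS[target_username].email = new_email


def cart_total(actor: User, target_username: str) -> int:
    """Total in cents, computed from the server's price list, never from the client."""
    target = _require_owner_or_admin(actor, target_username)
    return sum(PRICES[item] * qty for item, qty in target.cart.items())


def checkout(actor: User, target_username: str, client_total: int) -> int:
    """Charge the server-computed total; only the owner may check out, and a
    client-sent total that disagrees with the server's is treated as tampering."""
    if actor.username != target_username:
        raise Forbidden(f"{actor.username} may not check out {target_username}'s cart")
    server_total = cart_total(actor, target_username)
    if client_total != server_total:
        raise Forbidden("client-supplied cart total does not match the server's")
    return server_total


def allowed(action, *args) -> bool:
    """Helper: True if the action succeeds, False if authorization denies it."""
    try:
        action(*args)
        return True
    except Forbidden:
        return False
```

Note that `authenticate` never looks at the role: it answers only "is this bob?". Every later function takes the authenticated `User` object and decides separately whether that user may do the specific thing, which is the split the article describes.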

Summary

  • Authentication happens first; only then does authorization come into play.

  • Authentication is about verifying the user's identity; authorization is about enforcing restrictions on what that identified user may do.

  • Authorization decides which user can do what, and what he or she will not be allowed to do, and it must be checked on the server for every action.

If you got any questions or doubts, feel free to ping me on Twitter.

twitter.com/faheem_khan_dev

I hope it was a great read for you. If you have any feedback please share it in the comment below. Also, if you find it helpful, please like and hit the follow button on the right top corner.
