Authentication vs. Authorization

Author: Rosa Tiara

Introduction

The term authentication comes from the word authentic, which is about being real, while authorization is derived from the word author, someone who has the power to approve. From those derivations, let's take a deeper look into what these terms mean in the context of security systems!


Authentication

Authentication is the process of verifying who you are. It's the system asking:

Can you prove your identity?

Common methods

  • Email + password
  • OTP or magic link
  • Face ID or fingerprint
  • Social login with Google, Apple, etc. (OpenID Connect on top of OAuth 2.0; OAuth by itself is a delegation protocol, the identity part comes from OpenID Connect)

After you're authenticated, the system knows your identity. However, at this stage, it doesn't care yet about what you're allowed to do.

Authorization

Authorization happens after authentication. It is about granting that verified user access to particular actions or resources. It basically answers the question:

Ok, now I know who you are. What are you allowed to access?

Examples

  • Admin vs regular user access
  • Access to certain API routes
  • Role or permission checks
  • Controlling access to files, pages, or features

Even if you're a valid user, you don't automatically get access to everything.

Real-world analogy

Authentication: You go into a hotel, show your ID to the receptionist, and they verify it to confirm your identity.

Authorization: After that, the receptionist gives you a room card that only unlocks your assigned room. You can't open other guests' rooms or access staff-only areas unless you're authorized.

Examples in Mobile Development

Authentication (logging in)

This code sends the email and password to the server, which checks them against its user store. If the credentials are valid, the server returns an access token, which is the proof of authentication that the app attaches to later requests. Note that the app never decides whether the login succeeded; it only reports what the server answered. The token should be kept in secure storage (Keychain on iOS, a secure-storage plugin on Flutter), never in plain preferences or logs.

Flutter Implementation (Dart)

login_service.dart
import 'dart:convert';
import 'package:http/http.dart' as http;

/// Sends the credentials to the login endpoint and returns the access token
/// on success. Returns null when the server rejects the credentials (401)
/// or answers with anything other than 200.
Future<String?> authenticateUser(String email, String password) async {
  final response = await http.post(
    Uri.parse("https://api.example.com/auth/login"),
    // A Map body is sent as application/x-www-form-urlencoded.
    body: {
      "email": email,
      "password": password,
    },
  );

  if (response.statusCode == 200) {
    final data = jsonDecode(response.body) as Map<String, dynamic>;
    // The token is the proof of authentication; store it securely.
    return data["accessToken"] as String?;
  }
  return null;
}

iOS Implementation (Swift)

login_service.swift
import Foundation

/// Sends the credentials as a JSON body and hands back the access token,
/// or nil if the server rejected the login or the response was malformed.
func authenticateUser(email: String, password: String, completion: @escaping (String?) -> Void) {
    let url = URL(string: "https://api.example.com/auth/login")!
    var request = URLRequest(url: url)
    request.httpMethod = "POST"
    // Declare the body type so the server parses it as JSON.
    request.setValue("application/json", forHTTPHeaderField: "Content-Type")
    let body = ["email": email, "password": password]
    request.httpBody = try? JSONSerialization.data(withJSONObject: body)

    URLSession.shared.dataTask(with: request) { data, _, _ in
        guard let data = data,
              let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any],
              let token = json["accessToken"] as? String else {
            completion(nil)
            return
        }
        completion(token)
    }.resume()
}

Authorization (accessing protected resources)

In these examples the app presents the token as a Bearer credential and the server makes the authorization decision. Even if the user is authenticated, they might not be authorized: the server answers 403 Forbidden when it knows who the caller is but the caller's role does not allow the resource, and 401 Unauthorized when it cannot establish who the caller is at all (missing, expired, or tampered token). The app must only react to these answers; hiding an admin screen in the UI is not a substitute for the server refusing the request.

Flutter Implementation (Dart)

roles_service.dart
import 'dart:convert';
import 'package:http/http.dart' as http;

/// Requests an admin-only resource with the bearer token. The server decides
/// whether this token's holder is allowed to see it.
Future<List<dynamic>?> getAdminData(String token) async {
  final response = await http.get(
    Uri.parse("https://rosatiara-api.example.com/admin/data"),
    headers: {
      "Authorization": "Bearer $token",
    },
  );

  if (response.statusCode == 200) {
    return jsonDecode(response.body) as List<dynamic>;
  } else if (response.statusCode == 401) {
    // Not authenticated: token missing, expired, or invalid. Log in again.
    throw Exception("Your session is not valid. Please sign in again.");
  } else if (response.statusCode == 403) {
    // Authenticated, but this user is not allowed to access the resource.
    throw Exception("You are not allowed to access this resource.");
  }
  return null;
}

iOS Implementation (Swift)

roles_service.swift
import Foundation

/// Requests an admin-only resource with the bearer token and returns nil
/// when the server refuses the request.
func fetchAdminResource(token: String, completion: @escaping (Data?) -> Void) {
    let url = URL(string: "https://rosatiara-api.example.com/admin/data")!
    var request = URLRequest(url: url)
    request.httpMethod = "GET"
    request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")

    URLSession.shared.dataTask(with: request) { data, response, _ in
        if let httpResponse = response as? HTTPURLResponse {
            switch httpResponse.statusCode {
            case 401:
                // Not authenticated: the token was missing, expired, or invalid.
                print("Session is not valid. Please sign in again.")
                completion(nil)
                return
            case 403:
                // Authenticated, but not allowed to access this resource.
                print("Not authorized to access this resource.")
                completion(nil)
                return
            default:
                break
            }
        }
        completion(data)
    }.resume()
}
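The mobile snippets above only show the client side of both steps. The block below is an added example, not code from the article, that models the server the snippets talk to: the /auth/login endpoint (authentication) and the /admin/data endpoint (authorization), so you can see where each decision is actually made and why the client receives 401 in some cases and 403 in others. The user table, roles, signing key and token format are constructed assumptions for illustration and say nothing about api.example.com.

```python
"""Added example, not the article's own code: a minimal server-side model of
/auth/login (authentication) and /admin/data (authorization).
The user table, secret key and token format are constructed assumptions."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import time

# Assumption: server-side signing key, constructed for this demo only.
SECRET_KEY = b"constructed-demo-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 3600
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _make_user(email: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed sample user table (assumption): one admin, one regular user.
USERS = {
    "alice@example.com": _make_user("alice@example.com", "correct horse", "admin"),
    "bob@example.com": _make_user("bob@example.com", "battery staple", "user"),
}
# Dummy record so an unknown email costs the same time as a wrong password
# (otherwise response timing would reveal which emails exist).
_DUMMY = _make_user("dummy@example.invalid", os.urandom(16).hex(), "user")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64: str) -> str:
    """HMAC-SHA256 over the encoded claims; only the server holds the key."""
    return _b64(hmac.new(SECRET_KEY, payload_b64.encode("ascii"), hashlib.sha256).digest())


def login(email: str, password: str, now: float | None = None) -> tuple[int, dict]:
    """AUTHENTICATION. POST /auth/login: 200 + accessToken, or 401."""
    now = time.time() if now is None else now
    user = USERS.get(email, _DUMMY)
    candidate = _hash_password(password, user["salt"])  # always computed
    if email not in USERS or not hmac.compare_digest(candidate, user["hash"]):
        return 401, {"error": "invalid credentials"}  # no hint which part was wrong
    claims = {"sub": email, "role": user["role"], "exp": int(now + TOKEN_TTL_SECONDS)}
    payload_b64 = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return 200, {"accessToken": f"{payload_b64}.{_sign(payload_b64)}"}


def verify_token(token: str, now: float | None = None) -> dict | None:
    """Return the claims if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload_b64, sig = parts
    # Constant-time comparison over bytes; a forged or edited payload fails here.
    if not hmac.compare_digest(sig.encode("utf-8"), _sign(payload_b64).encode("ascii")):
        return None
    try:
        claims = json.loads(_unb64(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def get_admin_data(authorization_header: str, now: float | None = None) -> tuple[int, object]:
    """AUTHORIZATION. GET /admin/data: 401 if unauthenticated, 403 if not admin."""
    scheme, _, token = authorization_header.partition(" ")
    claims = verify_token(token, now) if scheme == "Bearer" and token else None
    if claims is None:
        return 401, {"error": "authentication required"}  # who are you?
    if claims.get("role") != "admin":
        return 403, {"error": "forbidden"}  # known user, but not allowed
    return 200, [{"id": 1, "owner": claims["sub"]}]  # constructed sample payload
```

Mapping this back to the mobile code: a successful `login` is what `authenticateUser` receives as `accessToken`; `get_admin_data` is the endpoint behind `getAdminData` and `fetchAdminResource`. The role lives inside the signed token, so the app cannot promote itself to admin by editing the payload, and the server re-checks the role on every request rather than trusting anything the client stored locally.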

Final Takeaways

In summary, the system always authenticates first, then authorizes. Authentication proves identity, while authorization controls what you can do. Both decisions belong on the server: the app only forwards credentials, holds the resulting token, and reacts to 401 (prove who you are again) or 403 (you are known, but not allowed).

Hope this helps! Happy learning! ᕙ( •̀ ᗜ •́ )ᕗ