User Authentication vs User Authorization: What Do They Mean in Back-End Web Development?
What they both are and why they are very important. Everything you need to know.
Data security is an integral part of any online business out there.
No one wants to do business with a company that has a poor track record of data protection and security.
In the past decade, major data breaches have rocked some of the biggest tech companies in the world. Here are some of the most notable and devastating ones to date, according to CSO Online:
- Yahoo in 2013, a whopping 3 billion accounts were affected.
- LinkedIn in 2021, 700 million users were affected.
- Alibaba in 2019, 1.1 billion accounts were affected.
To build an online service that people can trust and engage with, there has to be heavy investment in securing the backend of the website or web application.
The Back-End is the part of a website which is hidden from the client. The Back-End comprises:
- The database: This is where user data is stored and managed.
- The application: This is the program which runs on the server and carries out the tasks needed to keep the backend working, such as validations, querying the database as well as packaging and sending back data to the client.
- The server: This is the computer on which the entire server application runs.
The website is also hosted on this computer. It receives requests from the client. When building a web site, data can be stored in the Front-End and in the Back-End. Neither strategy is good or bad in itself.
There is nothing wrong with storing data on the Front-end. For example, if you are looking to create a simple static page which is going to display some static data on the web browser, then storing it on the Front-end is fine.
An example of this is a simple HTML file displaying static information on the web browser:
However, this is just simple data. What if we were dealing with sensitive data?
As a user, imagine if your banking information, office location, home address, family information or some other kind of personal information was stored on the Front-end. Anyone could easily gain access to such data, and if that person is malicious, they will use it to exploit you.
This is why user data is mostly stored on the Back-end. The Back-end is thus the place where data can be properly secured from theft and exploitation, but for a user to access such data, there has to be user authentication and user authorization.
These two concepts play a huge role in how our Backend application operates in relation to a user.
To get a conceptual idea of these terms, let's use a bank as an example.
BANKING STAFF EXAMPLE
On the banking premises, suppose a female member of staff wants to gain access to a restricted area within the bank (that is, its backend). She has to go through two officers:
- The Authentication Officer
- The Authorization Officer
The Authentication Officer is charged with the task of making sure the staff is who she says she is.
This officer will verify every piece of information the staff member presents about herself to make sure it is true and valid.
On the other hand, the Authorization Officer checks the status or position of the staff and decides what offices to grant her access to.
If the staff is a cashier, for example, she may not have access to the top offices or sections within the bank.
An Executive Officer, on the other hand, may have access to every single office within the same building.
In other words, while Authentication is all about verifying the user, Authorization is about granting access and privileges to the user.
AN ILLUSTRATION OF USER AUTHENTICATION AND AUTHORIZATION
Let's consider what happens when you first navigate to a private page. Take three people, Jack, Jane and Joe, and an arbitrary movie site:
Jack is from the US, Jane is from the UK and Joe is from Australia. Jack prefers Horror movies, Joe likes Sci-fi and Jane prefers a bit of drama.
They all navigate to mymovies.com/movies to watch some movies, but they are stopped. Why is that?
mymovies.com/movies is a restricted page. The Back-End doesn’t know the three of them because they don't have an account yet.
Since this is the first time all three of them are using the service, the movie platform needs to find a way to “remember them”. Hence, a sign-up form is rendered for all of them to fill out:
Here’s how Jack’s form will read in the end:
- Name: Jack Doe
- Password: IamJack
- Age: 23
- Country: US
- Preferred Genre: Horror
- Budget: $10/m
Here’s how Jane filled her form:
- Name: Jane Doe
- Password: IamJane
- Age: 45
- Country: the UK
- Preferred Genre: Drama
- Budget: $40/m
And here’s how Joe filled his:
- Name: Joe Doe
- Password: IamJoe
- Age: 30
- Country: Australia
- Preferred Genre: Sci-fi
- Budget: $10/m
All three of them submit their credentials and the Back-end signs them in. At a later time they all return to view some new movies. This is where Authentication and Authorization once again come into play.
To grant each of the three users access, the Back-End has to make sure they are who they say they are. Hence, they are asked to supply some unique information for verification; this is usually their username and password. In other words, the back-end tries to authenticate them.
When this is submitted, the Back-end takes this information to its database to confirm whether an account exists which corresponds to that unique identification.
When all three of them are verified, they are all granted access to the same page: mymovies.com/movies. However, all three of them are presented with three different genres of movies:
Jack only receives Horror movies, Jane only receives Drama and Joe only receives Sci-fi. How did this happen? This is basically what User Authorization is all about.
Remember that when the three users submitted their information to the platform while signing up, they also included their preferred genre. The Back-end then made sure that each of them was only authorized to access movies in that genre.
Another scenario is that all of them chose the same genre, say Action for example. Jane and Jack receive a collection of 15 movies to choose from.
However, Joe receives only 12. It turns out that only users from the US and UK were authorized to access the remaining three. This is another example of User Authorization at work.
Another scenario is that users with a budget of $40/month and above are authorized to access all three genres. In such a case, Jane will be the only user authorized to access all three sections.
This is how authorization works. Using the user information, the backend program decides who has access to what. And for those who do not qualify, there is some sort of blocking mechanism in place to restrict such users.
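The following is an added example and is not code from the post or from any real movie site. It models the Back-end of the scenarios above in Python: the three sign-up forms are stored with salted PBKDF2 password hashes (never the passwords themselves), `authenticate()` checks the knowledge factor, and `authorized_movies()` applies the post's three authorization rules at once (preferred genre, country licensing, and the $40/month budget that unlocks every genre). The catalogue titles, the licensing sets and the `serve_movies()` handler are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example, not code from the post. Models the movie site's Back-end:
# authentication against a salted password hash, then authorization rules
# drawn from the post's scenarios (preferred genre, country licensing, budget).

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash. The Back-end stores this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    country: str
    genre: str
    budget: int  # dollars per month, as entered on the sign-up form


def register(name: str, password: str, country: str, genre: str, budget: int) -> User:
    """Sign-up: generate a per-user salt and keep only the hash of the password."""
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), country, genre, budget)


# The three sign-up forms from the post, stored the way a Back-end should store them.
USERS = {u.name: u for u in (
    register("Jack Doe", "IamJack", "US", "Horror", 10),
    register("Jane Doe", "IamJane", "UK", "Drama", 40),
    register("Joe Doe", "IamJoe", "Australia", "Sci-fi", 10),
)}

# Constructed catalogue: title, genre, and the countries the title is licensed in.
MOVIES = [
    ("Haunted House", "Horror", {"US", "UK", "Australia"}),
    ("Night Shift", "Horror", {"US", "UK", "Australia"}),
    ("Long Goodbye", "Drama", {"US", "UK", "Australia"}),
    ("Orbit", "Sci-fi", {"US", "UK", "Australia"}),
    ("Star Harbour", "Sci-fi", {"US", "UK"}),  # not licensed in Australia
]

PREMIUM_BUDGET = 40  # $/month at which every genre is unlocked (the post's third scenario)
_DUMMY_SALT = bytes(16)


def authenticate(name: str, password: str):
    """Knowledge-based authentication: return the User, or None if the credentials fail."""
    user = USERS.get(name)
    if user is None:
        # Do the same amount of work for unknown names so response time
        # does not reveal which usernames exist.
        hash_password(password, _DUMMY_SALT)
        return None
    if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return user
    return None


def authorized_movies(user: User) -> list:
    """Authorization: which catalogue entries this already-verified user may see."""
    if user.budget >= PREMIUM_BUDGET:
        genres = {genre for _, genre, _ in MOVIES}   # premium users see every genre
    else:
        genres = {user.genre}                         # everyone else: preferred genre only
    return [title for title, genre, countries in MOVIES
            if genre in genres and user.country in countries]


def serve_movies(name: str, password: str):
    """What mymovies.com/movies returns: (401, []) if authentication fails,
    otherwise (200, titles) filtered by the authorization rules."""
    user = authenticate(name, password)
    if user is None:
        return 401, []  # the blocking mechanism: nothing is served to an unverified user
    return 200, authorized_movies(user)
```

Note the order: authorization is only ever evaluated on a `User` returned by `authenticate()`, so the page never decides "who sees what" for someone it has not first verified. Jack sees the two Horror titles, Joe sees only "Orbit" because the other Sci-fi title is not licensed in Australia, and Jane's $40 budget unlocks all five.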
TYPES OF USER AUTHENTICATION
When trying to sign in to a web application, you will be asked to provide some unique identification, such as a password.
This kind of authentication is called Knowledge-based Authentication. This is because your authentication is based on some knowledge which you possess. In most cases, this is your username and password. Sometimes it can be some secret and personal information like the name of your pet, your favourite colour or your mother's name.
Another type of Authentication is Possession-based Authentication. This type of Authentication is based on something you possess. An example of this is text-based authentication.
A secret code gets sent to your mobile phone number when trying to log in. Most banking applications tend to use this form of Authentication.
To ensure maximum security, some platforms use a combination of both of these types of authentication for their web application. This is known as Two-factor Authentication.
Another type of Authentication is Third Party Authentication. In this case, the information is not obtained directly from the user, but from another platform with which that user is already authenticated.
For example, when trying to sign in or sign up to some web apps, you will be offered the option of signing in with your Google or Facebook account. What happens is that the platform which you are trying to sign into sends a request to the other platform, asking for your data. They will then use that data to authenticate and sign you in.
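The two-factor flow from the section above, as an added example that is not code from the post or from any real banking application. Step 1 checks the knowledge factor (a password against a salted PBKDF2 hash); step 2 checks the possession factor (a random six-digit code delivered to the phone on file). The account, the phone number and the `send_sms` callback are constructed placeholders; a real Back-end would call an SMS gateway there. The three controls that make the code worth anything are shown explicitly: it expires, it allows only a few guesses, and it can be used once.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example, not code from the post. Knowledge factor: password check
# against a salted PBKDF2 hash. Possession factor: a random six-digit code
# "sent" to the phone on file, valid once, for a short time, and for a few tries.

CODE_TTL_SECONDS = 120
MAX_CODE_ATTEMPTS = 3
_ROUNDS = 200_000


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ROUNDS)


def _new_account(password: str, phone: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _pw_hash(password, salt), "phone": phone}


# Constructed account; the phone number is a placeholder.
ACCOUNTS = {"Jane Doe": _new_account("IamJane", "+1-555-0100")}

# One pending code per user: digest of the code, expiry time, attempts left.
PENDING = {}


def _code_digest(code: str) -> bytes:
    # Hashing a six-digit code is only defence in depth against casual reads of
    # server memory; the real protection is the expiry and the attempt limit.
    return hashlib.sha256(code.encode()).digest()


def start_login(name: str, password: str, send_sms, now=time.time) -> bool:
    """Step 1 (knowledge): verify the password; on success issue and send a one-time code."""
    acct = ACCOUNTS.get(name)
    if acct is None or not hmac.compare_digest(_pw_hash(password, acct["salt"]), acct["pw_hash"]):
        return False  # no code is sent unless the first factor passes
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[name] = {"digest": _code_digest(code),
                     "expires": now() + CODE_TTL_SECONDS,
                     "attempts": MAX_CODE_ATTEMPTS}
    send_sms(acct["phone"], f"Your login code is {code}")  # real app: SMS gateway call
    return True


def finish_login(name: str, code: str, now=time.time) -> bool:
    """Step 2 (possession): the code counts only if unexpired, within the attempt budget, and unused."""
    pending = PENDING.get(name)
    if pending is None:
        return False
    if now() > pending["expires"] or pending["attempts"] <= 0:
        PENDING.pop(name, None)  # stale or exhausted: the user must redo step 1
        return False
    pending["attempts"] -= 1
    if hmac.compare_digest(_code_digest(code), pending["digest"]):
        PENDING.pop(name, None)  # single use: a captured code cannot be replayed
        return True
    return False


def demo() -> dict:
    """Run the flows a reviewer would check and return each outcome."""
    outbox = []
    sms = lambda phone, text: outbox.append(text)  # captures what would go out by SMS
    out = {}
    out["wrong_password"] = start_login("Jane Doe", "IamJack", sms)
    out["code_sent_on_wrong_password"] = bool(outbox)
    start_login("Jane Doe", "IamJane", sms)
    code = outbox[-1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"
    out["wrong_code"] = finish_login("Jane Doe", wrong)
    out["right_code"] = finish_login("Jane Doe", code)
    out["replay"] = finish_login("Jane Doe", code)
    start_login("Jane Doe", "IamJane", sms)
    code = outbox[-1].split()[-1]
    late = lambda: time.time() + CODE_TTL_SECONDS + 1
    out["expired"] = finish_login("Jane Doe", code, now=late)
    start_login("Jane Doe", "IamJane", sms)
    code = outbox[-1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_CODE_ATTEMPTS):
        finish_login("Jane Doe", wrong)
    out["after_lockout"] = finish_login("Jane Doe", code)
    return out
```

Calling `demo()` walks through each path: a wrong password sends no code at all, a wrong code fails, the right code succeeds exactly once, the same code fails on replay, an expired code fails, and a correct code fails after the guess budget is spent. The two factors are checked in separate requests on purpose: the server never hands out a code before the password has been verified.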
User Authentication and User Authorization are core principles controlling how a user accesses content on the Back-end.
While Authentication is all about making sure the right user with valid credentials is allowed in to use a service, Authorization is about determining what resources/sections/privileges a verified user will have access to.
I hope you got something useful from this post. If you have any questions or suggestions, you can leave them in the comments below or reach me on Twitter
On a regular basis I post articles like this, so make sure to follow this blog so you don't miss an update.
Thank you for reading and see you soon.