Authentication is the process of verifying the identity of a user.
- Checks: Are you really the person you claim to be?
- Think: Login System
- You log in to a website using email and password or a Google account → you are authenticated.

| Type | Description |
|---|---|
| Password-based | Username + password |
| OTP-based | One-time password sent to phone/email |
| Biometric | Fingerprint, Face ID |
| OAuth | Login via Google, GitHub, etc. |
| Token-based (JWT) | Auth via access token after login |
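To make the password-based and token-based rows concrete, here is an added example (not code from the original page) of a minimal login step: passwords are stored as salted PBKDF2 hashes and compared in constant time, and a successful login returns an HMAC-signed token that later requests present instead of the password. The user store, the signing secret and the e-mail addresses are constructed placeholders; the token format is a deliberately small JWT-like structure built by hand, not a JWT library.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo values: in a real deployment the signing secret comes from
# configuration or a secret manager, never from source code.
SERVER_SECRET = b"demo-signing-secret-placeholder"
PBKDF2_ITERATIONS = 100_000
TOKEN_TTL_SECONDS = 3600


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so a leaked user table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(users: dict, email: str, password: str) -> None:
    """Store only salt + hash; the plaintext password is never persisted."""
    salt = secrets.token_bytes(16)
    users[email] = {"salt": salt, "hash": hash_password(password, salt)}


def check_password(users: dict, email: str, password: str) -> bool:
    """Password-based authentication: does the caller know the secret for this email?"""
    record = users.get(email)
    if record is None:
        # Do the same amount of work for unknown users so response timing does
        # not reveal which email addresses exist.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking the stored hash byte by byte.
    return hmac.compare_digest(candidate, record["hash"])


def issue_token(email: str, now: int) -> str:
    """Token-based authentication: a compact HMAC-signed claim set (JWT-like, hand-rolled)."""
    claims = {"sub": email, "exp": now + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    signature = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the authenticated subject, or None if the token is malformed, forged or expired."""
    try:
        payload_b64, signature_b64 = token.split(".")
        payload = _unb64(payload_b64)
        signature = _unb64(signature_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None  # check the signature first: never read claims from an unverified token
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims["sub"]


def login(users: dict, email: str, password: str, now: int) -> Optional[str]:
    """The login step: verify the password, then hand back a token for later requests."""
    if not check_password(users, email, password):
        return None
    return issue_token(email, now)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


if __name__ == "__main__":
    import time

    users = {}  # constructed in-memory user store
    register(users, "alice@example.com", "correct horse battery staple")
    now = int(time.time())
    token = login(users, "alice@example.com", "correct horse battery staple", now)
    print("login succeeded:", token is not None)
    print("token subject:", verify_token(token, now))
    print("wrong password:", login(users, "alice@example.com", "wrong", now))
```

The order inside `verify_token` matters: the signature is checked before any claim is read, so an expired-but-valid token and a forged token are both rejected without ever trusting attacker-controlled JSON. Passing `now` explicitly keeps expiry deterministic and testable.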
Authorization is the process of verifying what access/permissions a user has after authentication.
- Checks: Are you allowed to access this resource?
- Think: Permissions, roles
- You're logged in (authenticated), but only admins can access the "Admin Dashboard". If you're not an admin, you're not authorized.

| Type | Description |
|---|---|
| Role-Based (RBAC) | Access based on user roles (admin, user, manager) |
| Attribute-Based (ABAC) | Access based on attributes like location, device, time |
| Permission-Based | Specific feature access given to user (e.g., read, write, delete) |

| Feature | Authentication | Authorization |
|---|---|---|
| Meaning | Confirms user identity | Grants access rights |
| Happens | First step | After authentication |
| Example | Login with email/password | Admin can delete users, user cannot |
| Methods | Password, OTP, OAuth, biometric | Roles, permissions, policies |
| Focus | Who are you? | What can you do? |
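The three authorization types in the table above combine naturally into one deny-by-default check, shown here as an added example (not code from the original page): RBAC maps roles to permissions, permission-based grants add individual rights to a user, and ABAC rules about device, location and time of day gate the most sensitive actions on top of that. The role table, the permission names, the allowed-country list and the working-hours window are constructed sample policy; the "Admin Dashboard" case from the text is the one the demo runs.

```python
from dataclasses import dataclass, field
from typing import Set

# Constructed sample policy: roles map to permissions (RBAC). Nothing here is
# taken from a real product; the names mirror the tables above.
ROLE_PERMISSIONS = {
    "admin": {"users:read", "users:write", "users:delete", "dashboard:admin"},
    "manager": {"users:read", "reports:read"},
    "user": {"profile:read", "profile:write"},
}

# Sensitive permissions get attribute checks (ABAC) on top of the role check.
SENSITIVE_PERMISSIONS = {"users:delete", "dashboard:admin"}
ALLOWED_COUNTRIES = {"US", "GB"}  # constructed example value


@dataclass
class Principal:
    """An already-authenticated user: authorization starts from a known identity."""
    email: str
    roles: Set[str]
    extra_permissions: Set[str] = field(default_factory=set)  # permission-based grants


@dataclass
class Context:
    """Request attributes consumed by the ABAC rules."""
    country: str
    managed_device: bool
    hour: int  # local hour of day, 0-23


@dataclass
class Decision:
    allowed: bool
    reason: str  # kept so every allow and deny can be written to an audit log


def effective_permissions(p: Principal) -> Set[str]:
    """RBAC + permission-based: union of each role's permissions plus direct grants.
    Unknown roles contribute nothing instead of raising, so a stale role can never
    turn into an accidental allow."""
    perms = set(p.extra_permissions)
    for role in p.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def abac_allows(permission: str, ctx: Context) -> Decision:
    """ABAC: sensitive actions only from a managed device, an allowed country, in working hours."""
    if permission not in SENSITIVE_PERMISSIONS:
        return Decision(True, "no attribute constraints on this permission")
    if not ctx.managed_device:
        return Decision(False, "sensitive action from an unmanaged device")
    if ctx.country not in ALLOWED_COUNTRIES:
        return Decision(False, f"sensitive action from country {ctx.country}")
    if not 8 <= ctx.hour < 18:
        return Decision(False, "sensitive action outside working hours")
    return Decision(True, "attribute checks passed")


def authorize(p: Principal, permission: str, ctx: Context) -> Decision:
    """Deny by default: the role/permission check must pass, then the attribute check."""
    if permission not in effective_permissions(p):
        return Decision(False, f"{p.email} lacks {permission}")
    return abac_allows(permission, ctx)


if __name__ == "__main__":
    admin = Principal("root@example.com", {"admin"})
    bob = Principal("bob@example.com", {"user"})
    office = Context(country="US", managed_device=True, hour=10)
    for who in (admin, bob):
        d = authorize(who, "dashboard:admin", office)
        print(f"{who.email} -> Admin Dashboard: {'allowed' if d.allowed else 'denied'} ({d.reason})")
```

Returning a `Decision` with a reason rather than a bare boolean is deliberate: the reason is what lands in the audit log, and it lets a reviewer tell a "no such permission" deny apart from an "unmanaged device" deny without re-running the policy.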