DEV Community

Cover image for Authentication — the bare minimum
Ammar Raneez
Ammar Raneez

Posted on • Edited on

Authentication — the bare minimum

Authentication can be a complex topic, mainly because of the sheer number of various solutions and methods available. In this blog, I will discuss two popular ones and later blogs dive deeper into each and others.

Authentication is about verifying the identity of a user. For instance, when you login into an application using email/username & password, you are being authenticated to make sure that you are who you claim to be.


Is it Authentication Or Authorization?

A confusion currently in the tech community is on this topic. People use these terms interchangeably; some even say that there is no difference whatsoever.

Authentication & Authorization are not the same — I would even say that they are not even similar.

Authorization is all about access rights, or in simple terms, what permissions you have.

Let us look at an example (this may/may not be the actual procedure followed):

User A, a customer, logs into Amazon to purchase products. User B, an admin, logs into Amazon to remove products that have no more stock.

In the above example, User A can only purchase products; they cannot remove, while User B can purchase and remove them. This is the difference between Authentication and Authorization. Although User A has logged in and can purchase, they cannot remove them, this functionality is only allowed to be performed by an admin. In other words, User A has permission to only buy; User B has permission to buy and remove.


Types of Authentication

There are a couple of different ways that you could implement authentication into your applications — here are two of the more popular ones:

  • JSON Web Tokens (JWTs)

  • Sessions

JWT is a way of authenticating users and sharing information between two parties, particularly a client and a server. It’s a string of random characters that is an encoded form of user details. The client sends this token with each request to the server — where it verifies whether or not the provided token is valid.

  1. The user sends a login request to the server

  2. The server authenticates the login and sends a token to the user

  3. The user sends a new request with the provided token

  4. The server checks whether the token is valid or not and sends the requested pages to the user if it was valid

Sessions are also a way of authenticating users and sharing information between client and server. It is a container of user information generated and saved on the server. This session is sent to the user via a cookie, which is used to send new requests where the server verifies.

  1. The user sends a login request to the server

  2. The server authenticates the login and sends a cookie containing the generated session ID

  3. The user sends a new request with the provided cookie

  4. The server checks for the ID found in the cookie. If the ID is found, it sends the requested pages to the user

There are other methods as well, such as OAuth (Ex: Google, Facebook logins) and Authentication as a Service (Ex: Auth0, Cognito).


All in all, it can be a complex topic, but it does not have to be if learnt well. Keep growing!

Top comments (0)