Ryan Moragas

Intro to Authentication & Authorization

When talking about auth, it's easy for early developers to get confused about the difference between authentication and authorization. The two are spoken about interchangeably, but they mean two completely different things. In this article I'll break down what each term specifically pertains to, and why each is important to implement in your applications. I'll also show how I implemented auth in my most recent app.

Authentication

Authentication is the process of verifying whether or not a user is who they claim to be. This is done by obtaining some sort of credentials and using those credentials to verify the user's identity. There are multiple methods you can use to authenticate users, like a simple username and password combination, captcha tests, or 2FA (two-factor authentication). If the user's credentials prove to be valid, the authorization process can begin. The authentication process always precedes the authorization process.

Authorization

Authorization is the act of giving a user permission to access specific functions and resources in your application. After a user is successfully authenticated, authorization determines whether they can access your system and to what extent. There are plenty of ways that users can be authorized, whether solely on your own website or application, or by using third parties like Google or Facebook to enable features that access things like the user's contacts or calendars.


In my most recent application I used Google to authenticate and authorize users. This is a super common practice: the user is redirected to Google, Google validates that the user is who they say they are, and gives them a unique auth code. The user then returns to your application with the auth code to be authenticated, and you can exchange the auth code for an access token from Google. This in turn can grant your application access to user information like calendars or contacts. You can easily use Google for auth in your app by registering a project in the Google developer console, and have Google authenticate users with their pre-existing Google accounts. This also lets you easily implement OAuth 2.0, which is seemingly becoming the standard when it comes to user authorization.

```javascript
// Expo's Google auth module and the HTTP client; the original snippet omitted these imports
import * as Google from 'expo-google-app-auth';
import axios from 'axios';

// Function to sign in with Google auth
const googleSignIn = async () => {
  try {
    const { type, user, accessToken } = await Google.logInAsync({
      iosClientId: IOS_AUTH_KEY,
      androidClientId: ANDROID_AUTH_KEY,
      scopes: ["profile", "email"]
    });
    if (type === "success") {
      // accessToken is what the app would present to Google APIs on the user's behalf;
      // here we only look the user up in our own backend.
      // Key values to add to the userInfo global state
      axios.get(`${AXIOS_URL}/users/${user.email}`)
        .then(res => setUserInfo(userInfo => ({
          ...userInfo,
          signedIn: true,
          username: user.username,
          email: user.email,
          photoUrl: res.data.photo,
          id: res.data.id
        })))
        .catch(error => console.log('failed to find user', error));
    }
  } catch (error) {
    console.log(error);
  }
};
```

The function above is how I used Google with Expo to authenticate users in my React Native app. If you ever find yourself building a mobile application, I would highly recommend checking out Expo with React Native. They have a ton of APIs built in, many of which can streamline the auth process. As you can see from the code above, with the help of Expo I was able to authenticate and authorize in one relatively easy function. After registering my app with Google I was given auth keys for both Android and iOS users. Once the user was authenticated, Google would return an access token granting access to the user's profile and email address, which we could instantly save and use in our application. Streamlined auth like this is not only easy to implement, but also makes for a much simpler user experience.

To break it down as simply as possible, authentication means confirming your own identity, while authorization means granting access to the system. Authentication is the process of verifying who you are, while authorization is the process of verifying what you have access to. Hopefully this helps in understanding the differences between the two, but also why they are important and usually spoken of together.

Top comments (2)

William Kraemer Aliaga

There's a typo on the title! But nice topic for beginners

daytodatainc

Thanks for the explanations! Very helpful.