Authentication vs Authorization: Two Pillars of Security (feat. JWT)
1. Introduction: "I Logged In, Why Doesn't It Work?"
Back when I was a beginner creating my first internal admin page, I proudly announced:
"Hey, I finished the login feature perfectly! Now anyone can log in and see the real-time sales data."
I expected praise, but my mentor's face turned pale.
"Hey! What if a summer intern logs in and sees the executive salary tables? Did you implement permission checks?"
I was confused and asked back:
"If they have the right ID and password and got in (Logged in), shouldn't they be able to see everything? Isn't that the permission check?"
That day, I learned the most fundamental and critical concept in security: the difference between Authentication and Authorization, in a very harsh way. Since their spellings are similar (Auth...), 9 out of 10 developers confuse them. Today, I will clearly distinguish them for you.
2. What I Didn't Understand Initially
My biggest confusion was thinking, "Isn't login itself granting permission?"
If you unlock your house door (Login/Authentication), you can open the fridge or watch TV (Authorization) as you please. So I thought websites worked the same way—once you're in, you're free.
But a web application is less like a house and more like a "Hotel" or a "Huge Corporation". Just because you passed the lobby (Login), doesn't mean you can freely enter the CEO's office or the server room (Specific Resources).
Also, the HTTP status codes 401 Unauthorized and 403 Forbidden drove me crazy. Why give 401 for "Unauthorized" and 403 for "Forbidden"? Aren't they the same thing?
3. The 'Aha!' Moment
The analogies that cemented this concept in my mind forever were "Airport Security" and "Hotel Key Card".
Analogy 1: Airport
-
Authentication = Passport Check
- Question: "Who are you?"
- Action: Matching passport photo with your face. If identity is verified, you can enter the airport.
- On Failure:
401 Unauthorized (I don't know who you are, get out).
-
Authorization = Boarding Pass Check
- Question: "Can you board this plane?"
- Action: Checking the boarding pass. We know who you are, but an Economy passenger cannot enter the First Class Lounge.
- On Failure:
403 Forbidden (I know who you are, but you can't come in here).
Analogy 2: Hotel
- Authentication: Checking in at the front desk and receiving a 'Key Card (Token)'.
- Authorization: Scanning the card in the elevator implies only 'My Floor' button works. (Cannot access other floors or the penthouse).
Applying this analogy made everything clear.
"Ah, Login is the process of getting the Key Card (Authentication), and Accessing the Admin Page is using that key to open a VIP room (Authorization)!"
4. Deep Dive: Technical Implementation (JWT & OAuth)
(1) Core of Authentication: JWT (JSON Web Token)
The most commonly used 'Digital Passport' in modern web is JWT.
A JWT consists of three parts using . as a separator: Header.Payload.Signature
- Header: "I am JWT. Using HS256 algorithm." (Metadata)
- Payload: "My User ID is 'user123', Role is 'admin'." (Actual Data)
- Signature: "This is not forged. Signed with my secret key." (Integrity Check)
The server issues this JWT upon successful login, and the client sends this token in the header with every request. The server only needs to verify the Signature to authenticate "Ah, this is definitely user123" without querying the DB.
(2) Core of Authorization: RBAC vs ABAC
How do we grant permissions to an authenticated user?
- RBAC (Role-Based Access Control): Most popular. Grants permissions based on "Role".
- Admin: access all.
- Manager: read/write.
- User: read-only.
- Easy to implement, but hard for fine-grained control like "Users can only edit their own posts."
- ABAC (Attribute-Based Access Control): More flexible but complex. Uses "Attributes".
- "Allow if Department is HR (User Attribute) AND Time is 9-18 (Env Attribute) AND File Tag is 'Salary' (Resource Attribute)."
- AWS IAM Policy is a classic ABAC style.
5. Practical Pitfalls
Mistake 1: Blocking only on Frontend (Client-Side Security)
The most common mistake. Thinking it's safe because you set isAdmin to false and hid the "Admin Button" in React.
Hackers don't look at the frontend UI. They poke the Backend API directly with curl or Postman.
You MUST check permissions again in the Backend API.
Mistake 2: IDOR (Insecure Direct Object References)
Logged in, but viewing someone else's data.
GET /orders/123 (My order) -> OK
GET /orders/124 (Someone else's order) -> Must Block!
If you only check "Is user logged in?" (Authentication) and skip "Is this user the owner of order 124?" (Authorization), you get hacked.
This is a famous and dangerous vulnerability that even Facebook had in its early days.
// BAD: Checks only Authentication
app.get('/orders/:id', ensureLoggedIn, (req, res) => {
const order = db.findOrder(req.params.id);
res.json(order); // Just shows Order 124 to User 123!
});
// GOOD: Checks Authorization (Ownership) too
app.get('/orders/:id', ensureLoggedIn, (req, res) => {
const order = db.findOrder(req.params.id);
if (order.userId !== req.user.id) { // Check Ownership
return res.status(403).send("Not your order.");
}
res.json(order);
});
6. Strategy in Microservices (MSA)
In MSA, Auth becomes trickier.
- API Gateway Pattern: Handle Authentication once at the entrance (Gateway).
- Gateway: "Passport (Token) verified. You are 'user123'." -> Forward to internal services.
- Individual Services: Trust the user info from Gateway and handle only Authorization.
- Order Service: "Oh, it's 'user123'? He can view his own orders." (Perform Authorization)
This avoids duplicating login logic in every microservice.
7. FAQ
Q1. Is OAuth 2.0 Authentication or Authorization?
Technically, it is an Authorization framework.
"I authorize this app (Client) to access my Google profile info."
However, practically, it is widely used as an Authentication means (Login with Google). (OpenID Connect was added to standardize this use case).
Q2. How to implement Logout?
Since JWT is stateless, the server can't "revoke" it once issued. So "True Logout" is hard.
- Method 1: Set short Expiration Time (15 mins).
- Method 2: Store "Logged-out tokens" in a Blacklist (Redis) and check against it. (This somewhat defeats the purpose of Statelessness).
8. Summary and Conclusion
Half of security incidents happen because these two concepts are confused.
- Authentication: "Who are you?" -> Verify Passport/Key Card -> Fail: 401.
- Authorization: "Can you do this?" -> Verify Boarding Pass/Access Rights -> Fail: 403.
Opening the front door (Authentication) doesn't mean you can open the safe in the bedroom (Authorization).
When developing, always remember the airport staff's line: "Do you have your passport (Authentication)? Now let me check your boarding pass (Authorization)."