Organizations these days are quickly moving towards achieving digital transformation through robust cloud-based systems. Protecting these applications through stringent online security with proper authorization and authentication has become complex and expensive.
Authentication and authorization are used for implementing security in your application, whether it is Web, Mobile, or Back-end service. So, let us dive deep into understanding the various scenarios where authentication and authorization are used.
Authentication is the process of identifying a user by obtaining the user's credentials and using those credentials to verify their identity. If the credentials are valid, the authorization process starts. Therefore, authentication always happens first, followed by authorization.
To access most “things” on the Internet, you have to prove who you are by supplying credentials. However, once you authenticate, many decisions happen seamlessly in the background, thanks to the secret powers of an administrator.
What is Authorization?
Authorization is the process of allowing authenticated users to access the resources by checking whether the user has access rights to the system. In addition, authorization helps you control access rights by granting or denying specific permissions to an authenticated user.
Authorization occurs after the system has successfully authenticated your identity; it is what grants you permission to access resources such as information, files, databases, funds, locations, and almost anything else. In simple terms, authorization determines whether you can access the system and to what extent. Once the system has verified your identity through successful authentication, you are then authorized to access the system's resources.
Once you authenticate, you are then granted authorization or permissions to perform specific allowed tasks. So, an administrator of that system provides permission through the use of controls. What do we mean by allowed? An example would be authenticating to your bank website. Successful authentication will not give you the ability to look into other customer accounts or withdraw money that is not your own. Authentication does not give “keys to the castle”, as you are only authorized to access a room in the castle and not the moat.
2. What is the Difference Between Using Cookie, Session, And Token-Based Authentication?
A cookie is a string stored in your web browser. Often it contains a key that identifies you to the server. A session is the server-side record of an authenticated user, stored in some way such as a file or an in-memory database.
In session-based authentication, the server creates a session after the user logs in. The session ID is then stored in a cookie in the user's browser. While the user stays logged in, the cookie is sent along with every subsequent request. The server can then compare the session ID from the cookie against the session information it holds on the server to verify the user's identity and respond according to that state.
Many web applications use JSON Web Tokens (JWT) instead of sessions for authentication. In a token-based application, the server creates a JWT signed with a secret and sends it to the client. The client stores the JWT (usually in local storage) and includes it in a header with every request. The server then validates the JWT on every request from the client and sends the response.
Let us set up an application where we will authenticate a user and learn how to secure our application so that no one can access our resources without our permission.
Step 1. In your terminal, write npm init -y; this will generate a boilerplate for your node application.
Step 2. Install your dependencies: in your terminal, run npm install express jsonwebtoken dotenv
Also, we will be installing nodemon as a dev dependency, npm install -D nodemon
Step 3. You will find package.json, which now lists all the installed dependencies: nodemon, express, jsonwebtoken and dotenv.
Step 4. Now, let us set up a basic Express server that will run our application code on port 3000.
Step 5. It is time to add some routes, so we create a posts route that returns all the posts.
Here, we have created two routes. The first route returns all the posts present in our database; since we are not using a database, we create an in-memory object for the sake of this tutorial. We will protect this route so that every user sees only the posts they made and not other users' posts.
The second route is for a user who is logging in. Here, we create a token which we send to the user, and every time the user tries to access a protected route, we confirm that they presented a valid token; only then can they access that route.
For that, we use middleware: every time a user requests a protected route, the request passes through a function that verifies the token, and only if the identity is approved does the user get access to the content.
This function acts as middleware that verifies the user and, only if the token is valid, passes the request on so the response can be sent.
Whenever a user requests posts, we first authenticate their identity; only if they are a valid user do they get access to the resources. In the step-by-step guide above, we have seen authentication using JSON Web Tokens (JWTs) in Node.js.
Feel free to ask any queries you may have while working on the same, and I will be happy to help you solve them.
4. About CloudThat
CloudThat has been a pioneer in the cloud consulting and training spheres since 2012, catering to the cloud consulting needs of big, small and medium-sized organizations across the globe (in 28+ countries). We believe in building a strong cloud ecosystem by disseminating knowledge through individual and corporate training, enabling experienced professionals and fresh graduates alike.
5. Frequently Asked Questions
What is authentication and authorization with example?
Authentication is a mechanism to verify that a user is who he/she claims to be; authorization, on the other hand, assigns the correct access privileges to a user, such as administrator access or user access, or read-only, write, or read-write access to a resource. In simple words, at a college or an office you display your identity card to prove that you are a student or an employee, and this is authentication. Within the college or office, you have certain privileges based on whether you are a student, the principal, or a professor, and such access rights are called authorization.
What is the best description for two-factor authentication?
The best example of two-factor authentication is the way we log in to our mail account using a password and an OTP/ Code sent to our mobile phones.
What are the 5 authentication factors?
Authentication factors are security credentials used to verify the identity and authorization of a user attempting to gain access to a network, system, or application. Five common authentication factors are: