Easy | Authentication | 📖 Theory Question

What is the difference between authentication and authorization?

💡 Hint

Authentication = who are you (identity); authorization = what are you allowed to do (permissions)

Full Answer

Authentication (AuthN) — verifying identity. "Who are you?"

  • Mechanisms: password, OAuth, SAML, biometrics, passkeys.
  • Output: a verified identity (user ID, claims in a JWT, session record).
  • Example: checking that a submitted password matches the stored hash.

Authorization (AuthZ) — determining permissions. "What are you allowed to do?"

  • Mechanisms: RBAC (Role-Based), ABAC (Attribute-Based), ACLs, scopes in OAuth tokens.
  • Input: the verified identity from authentication.
  • Example: checking that the authenticated user has the admin role before showing /admin.

On the frontend:

// Authentication check — are you logged in?
if (!user) return <Redirect to="/login" />;

// Authorization check — do you have permission?
if (!user.roles.includes('admin')) return <Forbidden />;

Key rule: never rely on frontend-only authorization checks for security. The server must enforce permissions on every request. Frontend checks are UX, not security.

More Authentication Questions

  • Easy: What are the security differences between storing a JWT in localStorage vs an HttpOnly cookie?
  • Easy: What is refresh token rotation and why is it important?
  • Easy: What is OAuth 2.0 PKCE and when should you use it?
  • Easy: What is SSO (Single Sign-On) and how is it implemented on the frontend?
