Authentication & Authorization
First, let’s define what authentication and authorization mean:
Authentication is the process through which we validate that someone is who they claim to be. Usually you authenticate by presenting at least one of the following factors (combining factors from different categories is what makes multi-factor authentication stronger than a single one):
- something you know: a password or a PIN
- something you have: a certificate or a hardware token (e.g. an RSA token)
- something you are: a fingerprint or another biometric
Authorization is the process through which we check which permissions an already-authenticated subject has. Although this can be modeled in multiple ways, it can be viewed as an access matrix: subjects as rows, resources as columns, and the set of allowed actions in each cell. Any subject/resource pair without an entry should be treated as denied (deny by default).
If we’re talking about API authorization, we also need to discuss the delegated access model. The end user (the resource owner) delegates access to their resources, exposed by the web API, to a client such as a website. If we don’t want to hand the user’s credentials to the client and the APIs, OAuth is a good choice. OAuth is an authorization protocol that grants 3rd party apps limited access to private resources: the client receives a token scoped to what the user consented to, and the API enforces both that scope and the user’s own permissions.
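To make both ideas concrete, here is an added example (not code from the original page) that models the access matrix from the authorization paragraph and then layers a scope-limited delegated check on top of it, the way an API behind OAuth would. The subjects, resources, scope names and the `AccessToken` structure are constructed for illustration; the token is a plain object standing in for the access token an OAuth client would present, not an implementation of the OAuth protocol itself.

```python
"""Access-matrix authorization plus scope-limited delegated access.

Added example: the matrix, subjects, resources and scope names below are
constructed for illustration. AccessToken is a stand-in for the token an
OAuth client presents; no real OAuth flow is implemented here.
"""
from dataclasses import dataclass

# Access matrix: rows are subjects, columns are resources, and each cell is
# the set of actions the subject may perform. Anything absent is denied.
ACCESS_MATRIX = {
    "alice": {"photos": {"read", "write", "delete"}, "contacts": {"read"}},
    "bob":   {"photos": {"read"}},
}


def is_authorized(subject, resource, action, matrix=ACCESS_MATRIX):
    """Deny-by-default lookup in the access matrix."""
    return action in matrix.get(subject, {}).get(resource, set())


# Scopes name (resource, action) pairs. A third-party client only receives the
# scopes the resource owner consented to, so its effective rights are the
# intersection of the owner's own rights and the token's scopes.
SCOPES = {
    "photos:read": ("photos", "read"),
    "photos:write": ("photos", "write"),
    "contacts:read": ("contacts", "read"),
}


@dataclass(frozen=True)
class AccessToken:
    subject: str        # the resource owner who delegated access
    client_id: str      # the third-party application holding the token
    scopes: frozenset   # scope names the owner consented to
    expires_at: int     # unix time after which the token is invalid


def is_delegated_authorized(token, resource, action, now, matrix=ACCESS_MATRIX):
    """Check a request a client makes with a delegated token.

    Three conditions must all hold:
      1. the token has not expired,
      2. one of the granted scopes covers this (resource, action),
      3. the delegating user could perform the action themselves, so a token
         can never grant more than its owner has.
    """
    if now >= token.expires_at:
        return False
    if not any(SCOPES.get(s) == (resource, action) for s in token.scopes):
        return False
    return is_authorized(token.subject, resource, action, matrix)


if __name__ == "__main__":
    photo_viewer = AccessToken("alice", "photo-viewer-app",
                               frozenset({"photos:read"}), expires_at=2_000_000_000)
    print(is_delegated_authorized(photo_viewer, "photos", "read", now=1_700_000_000))    # True
    print(is_delegated_authorized(photo_viewer, "photos", "delete", now=1_700_000_000))  # False: scope not granted
```

The order of the checks matters for the failure modes: an expired token is rejected before any scope lookup, an ungranted scope is rejected even when the user is entitled to the action, and a scope the user does not actually possess (say `photos:write` delegated by `bob`) is rejected by the final matrix lookup, which is the check that stops a client from escalating beyond the resource owner.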