Authentication & Authorization

The document explains the concepts of authentication and authorization in web security, detailing their roles in user identity verification and access control. It covers various methods such as sessions, cookies, JWT, tokens, SSO, and OAuth 2.0, highlighting their functionalities and security implications. The content aims to provide a comprehensive understanding of these key security mechanisms.

Uploaded by realme.bpy

@MOHAMEDELLAITHY

AUTHENTICATION AND AUTHORIZATION EXPLAINED
SESSION, COOKIES, JWT, TOKEN, SSO, OAUTH 2.0

OVERVIEW
Authentication and Authorization are two key concepts in web security that control user access to systems and resources.

Topics: Session, Cookies, JWT, SSO, Token, OAuth 2.0

Authentication (Who You Are)

Authentication is the process of verifying a user's identity. It ensures that the person accessing a system is who they claim to be.
Example: Logging into a website using a username and password, fingerprint, or OAuth (Google/Facebook login).

Authorization (What You Can Do)

Authorization determines what actions or resources a user is allowed to access after authentication.
Example: A user may be authenticated into a banking app, but only authorized to view their own account and not others.
SESSIONS

[Diagram: session authentication flow]
1. User Sign-In Request -> Backend Server: Verify User Credentials
2. Backend Server: Create Session (kept in the Session Store)
3. Session Token sent via Secure Cookie to the user
4. Data Request with cookie -> Backend Server: Verify Active User Session against the Session Store
5. Backend Server returns data

Sessions enhance security by maintaining server-side control over authentication but can introduce scalability challenges in distributed architectures.
COOKIES

[Diagram: cookie-based login flow]
1. User Sign-In Request -> Backend Server: Verify User Credentials
2. Backend Server sets a Cookie in the response
3. Data Request with cookie -> Backend Server returns data

Cookies store session IDs to keep users logged in. Security attributes like HttpOnly and Secure help protect against threats like cookie theft (session hijacking) and CSRF.
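The session and cookie flows above, as an added example that is not part of the original slides: a minimal server-side session store in Python's standard library, with the Set-Cookie attributes the slides name (HttpOnly, Secure) plus SameSite. The user table, session store and time values are constructed for the example; a real server would keep sessions in a shared store and store salted password hashes.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory stores for the example. A real server keeps the session
# store in Redis or a database and stores salted password hashes, not passwords.
USERS = {"alice": b"correct horse battery staple"}
SESSION_STORE = {}            # session_id -> {"user": ..., "expires": ...}
SESSION_TTL_SECONDS = 15 * 60


def verify_credentials(username, password):
    """Diagram step 'Verify User Credentials'. compare_digest runs in constant
    time, so response timing does not reveal how much of the password matched."""
    expected = USERS.get(username)
    supplied = password.encode()
    if expected is None:
        # Compare against a dummy so unknown usernames cost the same time.
        hmac.compare_digest(supplied, b"x" * len(supplied))
        return False
    return hmac.compare_digest(expected, supplied)


def create_session(username, now=None):
    """Diagram step 'Create Session': the state lives server-side; the client
    only receives an opaque 256-bit random id that carries no user data."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {"user": username,
                                 "expires": now + SESSION_TTL_SECONDS}
    return session_id


def session_cookie_header(session_id):
    """Diagram step 'Session Token sent via Secure Cookie': the Set-Cookie value.
    HttpOnly hides the cookie from JavaScript, Secure restricts it to HTTPS and
    SameSite=Strict stops browsers attaching it to cross-site requests (CSRF)."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = SESSION_TTL_SECONDS
    return cookie.output(header="").strip()


def verify_active_session(cookie_header, now=None):
    """Diagram step 'Verify Active User Session': parse the request's Cookie
    header, look the id up in the store and reject unknown or expired ids.
    Returns the username, or None when the request must be treated as anonymous."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    entry = SESSION_STORE.get(morsel.value)
    if entry is None:
        return None
    if entry["expires"] <= now:
        SESSION_STORE.pop(morsel.value, None)   # expired: remove so it cannot be replayed
        return None
    return entry["user"]


def logout(session_id):
    """The server-side control the slides mention: deleting the store entry
    invalidates the cookie immediately, even if the browser still holds it."""
    SESSION_STORE.pop(session_id, None)


def login(username, password, now=None):
    """Diagram steps 1-3 in order: returns (session_id, Set-Cookie value) or None."""
    if not verify_credentials(username, password):
        return None
    session_id = create_session(username, now)
    return session_id, session_cookie_header(session_id)


if __name__ == "__main__":
    sid, set_cookie = login("alice", "correct horse battery staple")
    print("Set-Cookie:", set_cookie)
    print("user for next request:", verify_active_session("sid=" + sid))
```

The scalability point from the slides shows up in SESSION_STORE: every backend instance that handles a request must reach the same store, which is why distributed deployments move it to a shared cache or database.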
JWT

JWT Authentication Flow
[Diagram: Client and Server]
1. Client -> Server: Login with email & password
2. Server: Validate Credentials
3. Server: Create and Sign JWT; Client: Store JWT
4. Client -> Server: GET /user with Authorization: Bearer <JWT>
5. Server: Validate Signature, then return Data
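The JWT flow above, as an added example that is not part of the original slides: HS256 signing and verification written directly on Python's standard library so the three base64url parts and the signature check are visible. The signing key, user table and timestamps are constructed for the example; in practice the key comes from a secret store and a vetted JWT library is used.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example: a real server loads the HMAC key from a
# secret store and keeps password hashes, not plain passwords.
SECRET_KEY = b"example-hs256-key-replace-me"
USERS = {"alice@example.com": b"correct horse battery staple"}
ACCESS_TOKEN_TTL = 15 * 60


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_and_sign_jwt(claims, key=SECRET_KEY):
    """Server step 'Create and Sign JWT': base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_jwt(token, key=SECRET_KEY, now=None):
    """Server step 'Validate Signature'. The server decides the algorithm; it
    never trusts the token's own alg header, so 'none' or a swapped algorithm
    is refused. The signature is checked before the payload is decoded or used."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict) or "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims


def login(email, password, now=None):
    """Client 'Login' with email & password; server 'Validate Credentials' and
    returns the JWT the client will store (or None on bad credentials)."""
    now = time.time() if now is None else now
    expected = USERS.get(email)
    if expected is None or not hmac.compare_digest(expected, password.encode()):
        return None
    return create_and_sign_jwt({"sub": email, "iat": int(now),
                                "exp": int(now) + ACCESS_TOKEN_TTL})


def handle_get_user(authorization_header, now=None):
    """'GET /user' with 'Authorization: Bearer <jwt>': returns the user's data
    on success, or None (HTTP 401 in a real server) when the token is rejected."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    try:
        claims = validate_jwt(token.strip(), now=now)
        return {"email": claims["sub"]}
    except (ValueError, KeyError, TypeError):   # binascii/JSON errors are ValueErrors
        return None


if __name__ == "__main__":
    jwt = login("alice@example.com", "correct horse battery staple")
    print("stored by client:", jwt)
    print("GET /user ->", handle_get_user("Bearer " + jwt))
```

Because the server holds no per-token state, it cannot revoke a JWT before exp; that is the trade-off against the session flow, and it is why exp is required here and kept short.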
TOKEN

[Diagram: token-based authentication]
1. User -> Authentication Server: Credentials
2. Authentication Server -> Client: Access Token and Refresh Token
3. Client -> Resource Server: Access Token
4. Resource Server -> Client: Resource
5. Client -> Authentication Server: Refresh Token, to obtain a New Access Token

Token-based authentication is a security mechanism that allows users to verify their identity using a token instead of traditional session-based authentication. This method is commonly used in REST APIs, mobile apps, and Single Sign-On (SSO) systems.
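The access/refresh token flow above, as an added example that is not part of the original slides: an authentication server that issues a short-lived access token with a long-lived refresh token, a resource server that checks the access token, and refresh-token rotation with reuse detection, which goes one step beyond the diagram. Token stores, lifetimes and user names are constructed for the example.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 10 * 60             # short-lived: limits the damage of a leaked access token
REFRESH_TTL = 30 * 24 * 60 * 60  # long-lived, but single-use (rotated on every refresh)

# Constructed in-memory stores. Only SHA-256 fingerprints of tokens are stored,
# so a copy of the database does not hand out usable tokens.
ACCESS_TOKENS = {}    # sha256(token) -> {"user", "expires"}
REFRESH_TOKENS = {}   # sha256(token) -> {"user", "expires", "family", "used"}


def _fingerprint(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_tokens(user, now=None, family=None):
    """Authentication server: hand the client an access token and a refresh
    token. 'family' ties every refresh token descended from one login together."""
    now = time.time() if now is None else now
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    family = family or secrets.token_hex(8)
    ACCESS_TOKENS[_fingerprint(access)] = {"user": user, "expires": now + ACCESS_TTL}
    REFRESH_TOKENS[_fingerprint(refresh)] = {"user": user, "expires": now + REFRESH_TTL,
                                             "family": family, "used": False}
    return {"access_token": access, "refresh_token": refresh,
            "token_type": "Bearer", "expires_in": ACCESS_TTL}


def resource_server_check(access_token, now=None):
    """Resource server: serve the resource only for a known, unexpired access
    token. Returns the user, or None (HTTP 401)."""
    now = time.time() if now is None else now
    entry = ACCESS_TOKENS.get(_fingerprint(access_token))
    if entry is None or entry["expires"] <= now:
        return None
    return entry["user"]


def revoke_family(family):
    """Log the whole device session out: every refresh token in the family dies."""
    for entry in REFRESH_TOKENS.values():
        if entry["family"] == family:
            entry["used"] = True


def refresh_tokens(refresh_token, now=None):
    """Client presents the refresh token to get a new access token. Rotation:
    the presented refresh token is retired and a fresh pair is issued. If a
    retired token is presented again, either the client or someone who copied
    the token holds a stale value, so the family is revoked and the user must
    log in again."""
    now = time.time() if now is None else now
    entry = REFRESH_TOKENS.get(_fingerprint(refresh_token))
    if entry is None or entry["expires"] <= now:
        return None
    if entry["used"]:
        revoke_family(entry["family"])
        return None
    entry["used"] = True
    return issue_tokens(entry["user"], now, family=entry["family"])


if __name__ == "__main__":
    pair = issue_tokens("alice")
    print("resource server sees:", resource_server_check(pair["access_token"]))
    renewed = refresh_tokens(pair["refresh_token"])
    print("new access token issued:", renewed is not None)
    print("replay of old refresh token:", refresh_tokens(pair["refresh_token"]))
```

The resource server here consults the same store as the authentication server; with a signed access token (the JWT section) it could instead validate the signature locally, while the refresh token stays opaque and server-side so it can be revoked.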
SSO (SINGLE SIGN-ON)

[Diagram: one User, on device 1 and device 2, signs in through Single Sign-On (SSO) and reaches multiple applications, e.g. b.com]

Single Sign-On (SSO) is an authentication method that allows users to log in once and access multiple applications without needing to re-enter credentials. It improves security and user experience, especially in enterprise environments.
OAUTH 2.0

[Diagram: OAuth 2.0 roles, including the Client]

OAuth 2.0 is an authorization framework that allows users to grant third-party applications limited access to their resources without sharing passwords. It is widely used for SSO (Single Sign-On), API access, and third-party authentication (e.g., logging into an app with Google or Facebook).
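The OAuth 2.0 grant described above (and the "log in with Google" style SSO it enables), as an added example that is not part of the original slides: both sides of an authorization code flow with PKCE simulated in Python, showing the user consenting at the authorization server, the single-use code, the back-channel code-for-token exchange, and a resource server that enforces the granted scope. Client id, hosts, user and scope names are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data (hypothetical client and hosts).
CLIENT_ID = "photo-printer-app"
REDIRECT_URI = "https://printer.example/callback"
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
REGISTERED_CLIENTS = {CLIENT_ID: {"redirect_uri": REDIRECT_URI}}


def _s256(verifier):
    """PKCE S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ThirdPartyClient:
    """The third-party application asking for limited access."""
    def __init__(self):
        self.pending = {}   # state -> PKCE code_verifier, kept until the callback

    def build_authorization_url(self, scope):
        state = secrets.token_urlsafe(16)        # bound to the user's browser session
        verifier = secrets.token_urlsafe(48)     # PKCE secret, never leaves the client
        self.pending[state] = verifier
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": scope, "state": state,
            "code_challenge": _s256(verifier), "code_challenge_method": "S256"})

    def handle_callback(self, callback_url, auth_server):
        """Redirect back from the authorization server. Unknown state means this
        client never started the flow (login CSRF), so the callback is dropped."""
        q = _query(callback_url)
        verifier = self.pending.pop(q.get("state"), None)
        if verifier is None or "code" not in q:
            return None
        return auth_server.token_endpoint({
            "grant_type": "authorization_code", "code": q["code"],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "code_verifier": verifier})


class AuthorizationServer:
    """The resource owner's provider (the 'Google' in 'log in with Google')."""
    def __init__(self):
        self.codes = {}
        self.access_tokens = {}

    def authorize(self, auth_url, user, consent):
        """The user authenticates here, never at the client, and approves the
        scope; the server redirects back with a short-lived, single-use code."""
        q = _query(auth_url)
        client = REGISTERED_CLIENTS.get(q.get("client_id"))
        if (client is None or client["redirect_uri"] != q.get("redirect_uri")
                or q.get("code_challenge_method") != "S256"):
            return None   # unregistered redirect target or no PKCE: do not redirect at all
        if not consent:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "scope": q["scope"], "client_id": q["client_id"],
                            "challenge": q["code_challenge"]}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token_endpoint(self, form):
        """Back-channel exchange of code for an access token. The code is consumed
        on first use, and the verifier must hash to the challenge recorded at
        authorization time, so an intercepted code alone is useless."""
        grant = self.codes.pop(form.get("code"), None)
        if grant is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        if form.get("client_id") != grant["client_id"]:
            return {"error": "invalid_client"}
        if not hmac.compare_digest(_s256(form.get("code_verifier", "")), grant["challenge"]):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = {"user": grant["user"], "scope": set(grant["scope"].split())}
        return {"access_token": token, "token_type": "Bearer",
                "scope": grant["scope"], "expires_in": 3600}

    def resource(self, access_token, required_scope):
        """Resource server: the token grants only the scopes the user approved."""
        entry = self.access_tokens.get(access_token)
        if entry is None or required_scope not in entry["scope"]:
            return None
        return {"owner": entry["user"], "data": "photos of " + entry["user"]}
```

The client never sees the user's password at the authorization server, which is the "without sharing passwords" property from the slides; the scope string is what makes the access "limited".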

I HOPE YOU WILL FIND IT USEFUL

FOLLOW ME FOR MORE
/in/mohamed-el-laithy-0155b2173/
/dev.to/mohamed_el_laithy
