Skip to main content

Authorization, Authentication and Routing endpoints

Basic Definitions:

Let's start this off with basic definitions

Authorization: is when determine if the authenticated user has the privileges to access a certain resource or API.

Authentication: is when we verify the user's identity.

 

Authentication

Workflow

Naturally, authentication precedes authorization, the flow usually goes like this : 

  • Browser  ----------[Username & Password]---------> Server 
    Here we assume that the user registered and is now attempting to log in by sending his credentials, it can be a phone number and a password, an email and a password .. etc.
  • Browser  ----------------------------------------------------- Server [ authenticating ... ]
    Here, we the server performs authentication by comparing the username and password to the stored credentials 
  • Browser  <----------------[Access Token]--------------- Server 
    After successfully authenticating the client, the server returns an access token to the client(Usually JWT)
  • Browser  ----[Request details & Access Token]--> Server 
    The client will embed this token in each subsequent request in the authorization header like so: Authorization: Bearer ${token}

Authorization - Multiple types of users and Privileges

In many cases, there is more than one type of user in the application with different access privileges.  a part of our API might look somewhat like this:

	"api" { 
		"admin" {
			require(Privileges.Administrator) // here we guard the route with admin privilege
			"staff_info" {
              	..
          	}
        }
        
        "normal_user" {
          	require(Privileges.Administrator, Privileges.User) 
            // we guard the route with user privieleges and admin privileges 
			// "other" type of user cannot access this route
         	"profile_info" {
             	..
            }
        }
        
        "other_user" {
        	require(Privileges.Administrator, Privileges.OtherUserType) // normal user cannot access this
            "info" {
            	..
            }
        }
        
    	"file" {
          	require(Privileges.JWTAuthenticated) // any authenticated user can upload a file
          	"upload" {
				..
            }
        }
	}


What's in the Token?

What we care about in the JWT is the body, which usually contains: 

  • a user identifier
  • user privileges ( in the case of the system having multiple user types )
  • other information 

Some sources discourage putting sensitive information in the token as it can be read by anyone. If security is a concern, there are other options you can go with i.e using opaque tokens, phantom tokens .. etc.


Back to top