Authentication and Authorization

Flow summary

We have two types of users in our application:

  1. Administrators are responsible for handling the whole system. They upload and manage the different movies to be reviewed, and manage the users and their activities. Only users assigned the admin role or created as admins can do this.

  2. Movie reviewers are the users who view upcoming movies and review them. After downloading the application, they sign up and create a profile. They can only access the platform contents when they log in.

What are authorization and authentication?

Authentication and authorization are often used interchangeably, but they differ. Authentication is verifying who a user is: the process of validating users through passwords, biometrics, PINs, or some other identifying factor. It happens before authorization, and only authenticated users go through the authorization process. Authorization, on the other hand, is verifying what a user is allowed to access, and it occurs after authentication. Once a user is authorized, they have access to specific functionalities. Authorization is therefore a way to control who accesses particular resources and to refuse unwanted access.

Let’s take a quick look at an illustrative example. In a law firm, there’s a kitchen for the senior partners and one for the junior partners. To enter either kitchen, each employee swipes a card, which identifies the holder as a junior or a senior partner. When the card is swiped at the junior partners’ kitchen, the machine first verifies the card and establishes who the holder is, that is, whether they are a junior partner or a senior partner. This step is authentication. Once the holder has been identified, the machine can decide whether to grant access. Checking whether that identified user has the right to enter this particular kitchen is authorization. In this example, the machine checks whether the holder is a junior partner: if so, it opens the door; if the holder is a senior partner, they are not allowed into the junior partners’ kitchen.
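The two-step flow described above, applied to the application’s two roles, as an added example that is not code from the original course: `authenticate` establishes who the caller is from a username and password (step 1), and `authorize` then checks whether that identified role may perform an action (step 2). The user records, passwords and action names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 digest: the store never holds the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _make_user(role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "digest": _digest(password, salt)}


# Constructed user store: one administrator and one movie reviewer.
USERS = {
    "alice": _make_user("admin", "correct horse"),
    "bob": _make_user("reviewer", "battery staple"),
}

# Authorization table: which roles may perform which action.
PERMISSIONS = {
    "upload_movie": {"admin"},
    "manage_users": {"admin"},
    "review_movie": {"reviewer"},
}


@dataclass(frozen=True)
class Principal:
    username: str
    role: str


def authenticate(username: str, password: str):
    """Step 1: who is this? Returns a Principal, or None if the credentials fail."""
    record = USERS.get(username)
    if record is None:
        _digest(password, b"\0" * 16)  # same cost for unknown users, so timing does not reveal them
        return None
    if not hmac.compare_digest(_digest(password, record["salt"]), record["digest"]):
        return None
    return Principal(username, record["role"])


def authorize(principal, action: str) -> bool:
    """Step 2: may this identified user do this? Callers that never authenticated are refused."""
    if principal is None:
        return False
    return principal.role in PERMISSIONS.get(action, set())


def perform(username: str, password: str, action: str) -> bool:
    return authorize(authenticate(username, password), action)
```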
