I had a funny experience a while back where I had a manager who tasked me with adding security to the service we were working on. He did me the favor first of going into the code and adding the core classes I would need.
But our architectural direction was toward OAuth. So when I looked at the classes he’d created, I noticed they were all “Authenticate” or “Authenticated” names. Not “Authorize” or “Authorized” names.
Ouch. OK so he didn’t get the memo.
Then I moved to another team, and things were going swimmingly, until I got in an argument with my new manager about whether we were standing up an “Authorization” service or an “Authentication” service.
Sheesh. I guess great minds think — or don’t think — alike. History replicates itself in miniature.
Let’s be clear: OAuth is an *authorization* scheme, about allowing or disallowing access to resources and operations. It’s really about protecting data, and whether the owner of that data has authorized access to that data. Authentication is left as a “fill in the blank” step early in the process.
Authentication in OAuth is a moment in time — it’s a blip that happens early in the OAuth dance. The user supplies credentials, we validate them, and then we’re done with that. OAuth is not Basic Auth where, the client sends username and password every time. OAuth is the opposite of that. The client supplies credentials once, and if that’s OK, we get a token and don’t worry about it again.
In OAuth, the whole point is to provide an authorization scheme. That is, a client coming in to make a request is either authorized to make that request or not.
To use a metaphor, only people wearing Blue badges can get through this door. That’s the authorization process.
To further the badge metaphor, the guard at the front gate will check your driver’s license and the photo on your badge *once* to make sure you are you you say you are. That’s the authentication process.
After that you’re free to roam around where you badge authorizes you to go.
So I guess this post is for my *next* manager, anticipating the argument we’ll have over the difference between authentication and authorization in OAuth.