Authentication vs. Authorisation

Today I learned more about the distinction between authentication and authorisation. I have probably thought of those terms as being synonymous with each other and fulfilling the same needs. But I was wrong.

I have been writing a personal project that uses an API, accessing methods such as authenticateUser, authenticateToken, authoriseRequest etc. I took a step back and looked at my code. It clicked that when I wanted to authenticate something, I needed to prove the information I had been provided was verifiable. Here is some example pseudocode:

Client Request

username = 'bob';
timestamp = generateMicrotime();
sharedAppSecret = 'donttellanyone';   # known only to the client app and the API

# Keyed hash over the fields being sent, so the digest is different for every request
digest = hmac(sharedAppSecret, username + timestamp);

# Send data to API endpoint
send(apiurl, headers[
  authentication: base64Encode(digest),
  username,
  timestamp,
]);

API Endpoint

sharedAppSecret = 'donttellanyone';
request = parseRequest(rawRequest);

# Reject stale timestamps so a captured request cannot simply be replayed later
if (abs(now() - request.timestamp) > allowedSkew) { reject(); }

recreatedDigest = hmac(sharedAppSecret, request.username + request.timestamp);

# Constant-time comparison, so the check does not leak how many bytes matched
if (constantTimeEquals(base64Decode(request.authentication), recreatedDigest))
{
  # Request is authenticated
}

The general idea is that the API endpoint can authenticate the request because it can recompute the digest and check it programmatically: only a party holding the shared secret could have produced a matching value. For that to hold, the digest must be a keyed hash over the fields being sent; if the secret-derived part is a fixed value merely appended to the username and timestamp, anyone who sees one request can reuse that part to forge a request for any user. So that code shows a client being authenticated, but it says nothing about what the user is authorised to do.

Authorisation would involve the client submitting the user's details, which the API looks up in a user table in a database. The permissions attached to that user record can then be checked against the action being requested, and the request allowed or refused on that basis. Put simply, authentication answers "is this request genuinely from who it claims to be from?", and authorisation answers "is that identity allowed to do this particular thing?".

As a front-end developer this can sometimes be taken for granted, as someone else has often developed the API you interact with or you do not control the authentication flow.