Authentication and Authorization – who and what in security
Integration is one of the main architecture domains, and everyone who has worked with integration has heard about the Salesforce authentication or authorization process.
Many people use those words interchangeably, but are they right to do so?
We can call Authentication the WHO process: it verifies who the user accessing the system is.
A simple example of authentication is the username and password flow for your Salesforce account: Salesforce authenticates you as one of the User object records in the org and automatically knows the profile assigned to your user. When a security code is required, that is also part of the authentication process. The best practice is that the system establishes the user's identity at login, before the user tries to reach any system resources.
We can call Authorization the WHAT process: it verifies what resources the user has access to.
After a user is successfully authenticated to the Salesforce org, Salesforce determines, based on rules such as object-level security and named credentials, which resources the user has access to. Authorization determines your permissions: whether you are the system administrator or a user who should only get access to the Account object.
The most common use case and the best practice is that authentication executes before authorization: systems check who you are, and only then check which resources you have access to.
ID Tokens vs Access tokens
Talking about the differences between authentication and authorization requires talking about one of the main ones: the tokens used by each. Both processes use tokens that may look similar, but their purpose is completely different.
ID tokens are used in authentication and contain information about the user's identity. They state whether the user has been authenticated and can include claims such as the username, photoURL or country.
Access tokens are used in the authorization process to verify the user's access to specific resources.
I hope you already understand the difference between the two processes. Let me give you another example to illustrate basic authentication and authorization flows. Let's say you want to access your Salesforce application, so you need to go through a few steps.
You need to provide the credentials for your Salesforce account and log in.
This is authentication.
You receive a notification on your smartphone to confirm your identity via two-factor authentication.
This is also authentication.
You are logged in and authorized to see the main dashboard.
Now you want to open the Contact list view to show all contacts.
This is authorization.
You try to open one of the objects related to Contact, but you get an “insufficient privileges” notification.
This is also authorization.
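To make the token distinction and the login flow above concrete, here is an added example (not from the original post, and not Salesforce's actual token format): constructed HS256 JWTs where the ID token carries identity claims and is only accepted by authenticate(), while the access token carries scopes and is only accepted by authorize(), so a "related object" without a scope yields the insufficient-privileges outcome. The issuer, audiences, signing key, user id and scope layout are all assumptions made for this example.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-signing-key"  # constructed HS256 key, only for this example
NOW = 1_700_000_000           # fixed "current time" so the checks are deterministic
ISSUER = "https://login.example.invalid"  # constructed identity provider

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Build a compact HS256 JWT (header.payload.signature) for the constructed tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, expected_aud: str, now: int = NOW) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise ValueError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token was not issued for this audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def authenticate(id_token: str) -> str:
    """WHO: the ID token must be addressed to the login application; returns the verified user id."""
    return verify(id_token, expected_aud="my-login-app")["sub"]

def authorize(access_token: str, sobject: str, action: str) -> bool:
    """WHAT: the access token must be addressed to the API and carry a scope for this object."""
    claims = verify(access_token, expected_aud="salesforce-api")
    return f"{sobject}:{action}" in claims.get("scope", "").split()

# Constructed tokens for one user: identity claims in the ID token, scopes in the access token.
ID_TOKEN = mint({"iss": ISSUER, "aud": "my-login-app", "sub": "user-42",
                 "name": "Jane Doe", "exp": NOW + 600})
ACCESS_TOKEN = mint({"iss": ISSUER, "aud": "salesforce-api", "sub": "user-42",
                     "scope": "Contact:read Account:read", "exp": NOW + 600})
```

Presenting the ID token to authorize() fails on the audience check, which is the practical reason the two token kinds must not be treated as interchangeable.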
Please find the mind map below, which can serve as a reference to better understand and remember the differences between authentication and authorization.
To fully secure your system, you should use both of them: authentication to understand who the user is, and then authorization to verify which resources are available to them.
Understanding the difference between authentication and authorization is extremely important when preparing an architecture, as confusing those terms can cause serious problems.
Using them properly, you will be perceived as a security professional. 🙂