Authorization
Authorization is the process of determining what an authenticated identity is permitted to do within a system — which resources it can read, modify, or delete. It runs after authentication (which confirms who you are) and enforces…
Definition
Authorization is the process of determining what an authenticated identity is permitted to do within a system — which resources it can read, modify, or delete. It runs after authentication (which confirms who you are) and enforces access-control policies such as roles, scopes, or attribute rules on every subsequent request or action.
Overview
Authorization answers the question 'what are you allowed to do?' after authentication has already answered 'who are you?'. Systems typically implement it through models like role-based access control (RBAC), where permissions are grouped into roles assigned to users, or attribute-based access control (ABAC), where decisions depend on user, resource, and environment attributes evaluated at request time. OAuth 2.0 scopes are a common authorization mechanism for APIs, letting a token carry a limited set of permitted actions rather than full account access. Authorization checks belong on the server side, never solely in client code, because client-side checks can be bypassed. A well-designed system enforces authorization at multiple layers — API gateway, service, and database — to avoid a single point of failure. Common vulnerabilities arise from missing or inconsistent checks, such as insecure direct object references (IDOR), where an endpoint fails to verify that the requesting user actually owns the resource being accessed. Authorization is distinct from but dependent on authentication: a system must first establish identity reliably before it can apply permission rules to that identity. Session tokens, JWTs, and API keys typically carry both an authenticated identity and, often, embedded authorization claims (roles or scopes) that services use to make access decisions without a database round trip.
Key Concepts
- Runs after authentication, using the established identity to decide permitted actions
- Common models: RBAC (roles), ABAC (attributes), and ACLs (per-resource lists)
- Enforced server-side on every request, not just in UI logic
- Often expressed as OAuth 2.0 scopes or JWT claims for API access
- Applies at multiple layers: gateway, service, and data store
- Principle of least privilege limits default access to the minimum required
- Policy engines (e.g., OPA, Casbin) centralize authorization logic across services