Summary

Authentication proves who the user is. Authorization decides what that user or service is allowed to do.

Interview Points

  • AuthN: login, identity proof, sessions, tokens, MFA.
  • AuthZ: permissions, roles, policies, scopes, resource access.
  • OAuth is authorization; OIDC adds authentication.
  • Enforce authorization on the server, not only in UI.
  • Use least privilege and auditable access decisions.

2-3 Minute Interview Script

“Authentication and authorization are often confused. Authentication answers: who are you? Authorization answers: what are you allowed to do?

Authentication includes login, MFA, session management, and identity tokens. Authorization includes roles, permissions, scopes, policies, and resource-level access checks.

In frontend apps, the UI can hide buttons or routes for usability, but real authorization must be enforced by the backend. Otherwise a user can call the API directly.

In an interview, I would design auth by separating identity from permissions, using least privilege, and making access decisions auditable and consistent across services.”

Follow-Ups

  • Where should authorization be enforced?
  • RBAC vs ABAC?