Summary
Authentication proves who the user is. Authorization decides what that user or service is allowed to do.
Interview Points
- AuthN: login, identity proof, sessions, tokens, MFA.
- AuthZ: permissions, roles, policies, scopes, resource access.
- OAuth is authorization; OIDC adds authentication.
- Enforce authorization on the server, not only in UI.
- Use least privilege and auditable access decisions.
2-3 Minute Interview Script
“Authentication and authorization are often confused. Authentication answers: who are you? Authorization answers: what are you allowed to do?
Authentication includes login, MFA, session management, and identity tokens. Authorization includes roles, permissions, scopes, policies, and resource-level access checks.
In frontend apps, the UI can hide buttons or routes for usability, but real authorization must be enforced by the backend. Otherwise a user can call the API directly.
In an interview, I would design auth by separating identity from permissions, using least privilege, and making access decisions auditable and consistent across services.”
Follow-Ups
- Where should authorization be enforced?
- RBAC vs ABAC?