About Authorization and Authentication

January 14, 2022

This week I feel a bit like Bob Morton, delving in to a lot of security concepts and not fully understanding what I’m in for.

It started with a desire to integrate a Drupal website with Google Analytics so that the site can display a list of popular resources. The Google Analytics data will be used to determine what’s popular. Google has an Analytics Reporting API, but getting access to the API is not easy. First, as with many systems, I had to have a project or ‘app’ that gets registered with the provider.

Once I registered my project with Google, I had to create a special service account within the project. This was not very clear. With many APIs, the assumption is I’m trying to access data associated with an account that I’ve created with that system. I’m trying to access my data. For some reason, Google’s default use case involves creating an app that will access other Google users’ data. In order to access your own data, a service account is needed. That service account will have an authorization key associated with it. That key is used to access the API.

But I was still not done. With other APIs I’ve used, I have a client ID and client secret that are passed to the API for authorization. The API returns a bearer token that I can use when making requests for data. With Google, the authorization request is performed using a JSON Web Token (JWT). Before this week I had never even heard of JWT. Constructing a JWT is not complicated in retrospect, but it does require specific software libraries. I could not figure out how to create a JWT in JavaScript without relying on a third party library that I don’t know if I can trust (not a good thing when dealing with information security). I used PHP instead, which provides openssl functions needed to sign the JWT.

Because everything you do online is tracked, YouTube started suggesting to me videos about JWT. So, last night while scrolling around to see what’s new, I tapped on a video from Web Dev Simplified titled "What Is JWT and Why Should You Use JWT". The very first part of the video was an eye opener. The video host explained the difference between authentication and authorization.

It makes sense that these are two different things, but I usually considered them synonymous. They are not.

The auth0.com website, which I also visited for information about JWT, provides a good, brief explanation on the difference:

“In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.”

I have much to learn when it comes to information security on the web. After receiving my orientation to JWT earlier in the week, I needed to solve the problem of securely storing the API key provided by Google for signing the JWT. That is an unfinished story.