This section covers user (client) authentication and authorization on the web
Authentication is the set of procedures used to verify a user's identity
- a school authenticates students by their student cards
- a security system authenticates a person by fingerprint
A web server also needs a way to find out who you are; the two common approaches are a session cookie and a token
authenticate user using a cookie (session-based)
- after a successful login the server creates a session record and sends the user agent a cookie holding a random, unguessable session identifier; the cookie is the credential, so it should be set HttpOnly, Secure and SameSite
- the user agent sends that cookie with every later request to the website
- the website looks the identifier up in its session store and checks that the session has not expired
- the website lets the user in if a valid session is found; logging out deletes the record so the cookie stops working
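The cookie procedure above, as an added example (not code from the original notes): a login that mints a random session id, a check that resolves the incoming Cookie header to a user, and a logout that invalidates the session server-side. The user table, the session store and the one-hour lifetime are constructed for the example; a real server would keep sessions in a database or cache and store password hashes, not plaintext.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed for this example: an in-memory session store (session id -> (username, expiry))
# and a user table. A real server keeps sessions in a database or cache and stores
# password hashes, never plaintext passwords.
SESSIONS = {}
USERS = {"alice": "correct horse battery staple"}
SESSION_TTL = 3600  # session lifetime in seconds, assumed for the example


def login(username, password, now=None):
    """Check the credentials; on success mint a session and return the Set-Cookie value."""
    now = time.time() if now is None else now
    stored = USERS.get(username)
    if stored is None or not secrets.compare_digest(stored.encode(), password.encode()):
        return None
    sid = secrets.token_urlsafe(32)  # 256 random bits: the id must be unguessable
    SESSIONS[sid] = (username, now + SESSION_TTL)
    # HttpOnly: page scripts cannot read it; Secure: sent only over TLS;
    # SameSite=Lax: not attached to most cross-site requests (limits CSRF).
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def authenticate(cookie_header, now=None):
    """Resolve the Cookie header of an incoming request to a username, or None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:  # malformed header: treat the request as anonymous
        return None
    morsel = jar.get("session")
    if morsel is None:
        return None
    entry = SESSIONS.get(morsel.value)
    if entry is None:          # unknown or already logged-out session
        return None
    username, expires = entry
    if now >= expires:         # expired: remove it so it cannot be reused
        SESSIONS.pop(morsel.value, None)
        return None
    return username


def logout(cookie_header):
    """Destroy the session named in the cookie (server-side invalidation)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    if morsel is not None:
        SESSIONS.pop(morsel.value, None)


if __name__ == "__main__":
    set_cookie = login("alice", "correct horse battery staple")
    cookie = set_cookie.split(";")[0]      # what the browser sends back: "session=<id>"
    print(authenticate(cookie))            # alice
    logout(cookie)
    print(authenticate(cookie))            # None
```

Note that the cookie value itself carries no user information: the server trusts it only because it finds a matching record, which is also why logout and expiry can be enforced server-side.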
authenticate user using a token
- the user's credential is represented by a token: either a signed token (for example a JWT) that carries the subject and an expiry, or an opaque string the service can look up
- the client sends the token to the web service with each request, usually in an Authorization: Bearer header
- the web service validates the token: it checks the signature with its key, checks that the token has not expired, and checks the claims it needs
- the web service returns the result if the token is valid; anyone holding the token can use it, so it must travel only over TLS and be kept short-lived
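The token procedure above, as an added example that is not part of the original notes: a minimal HMAC-SHA256 signed token (a stripped-down JWT with only `sub` and `exp`), issued by the service and verified on each request from the Authorization: Bearer header. The signing key and the 15-minute lifetime are assumptions for the example; a real service would load the key from a secret store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the service's signing key. A real service loads it
# from a secret store and rotates it; it is never sent to the client.
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, ttl=900, now=None, key=SIGNING_KEY):
    """Mint a compact signed token: base64url(claims) '.' base64url(HMAC-SHA256)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "exp": int(now + ttl)}   # short lifetime limits a stolen token
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"


def verify_token(token, now=None, key=SIGNING_KEY):
    """Return the claims if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain == leaks how many bytes matched.
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        claims = json.loads(unb64url(body))
    except (ValueError, TypeError, AttributeError):
        return None     # malformed token: wrong shape, bad base64, bad JSON
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None     # expired, or no usable expiry at all
    return claims


def authenticate_request(headers, now=None):
    """Pull the bearer token out of the Authorization header; return the subject or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    claims = verify_token(token, now)
    return claims.get("sub") if claims else None


if __name__ == "__main__":
    tok = issue_token("alice")
    print(tok)
    print(authenticate_request({"Authorization": "Bearer " + tok}))   # alice
```

Unlike the session cookie, nothing is looked up server-side: the service accepts the token because the signature proves it issued the claims. The price is that a token cannot be revoked before `exp`, which is why the lifetime is kept short.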
Authorization determines who is allowed to do what; it comes after authentication, since the server must know who you are before it can decide what you may do
- a teacher authorizes you to enter a room
- a company authorizes you to read secret data
We are talking about third-party authorization here: letting an app act on your data at another service without giving it your password
- OAuth (the authorization code flow)
- a user opens a third-party app that wants access to their Facebook data
- the app redirects the user's browser to Facebook's authorization page, passing its client id, the requested scope, its registered redirect URI and a random state value
- Facebook authenticates the user and asks whether to authorize the app to get the data
- if the user confirms, Facebook redirects the browser back to the app's redirect URI with a short-lived, single-use authorization code and the same state value, which the app checks against the one it sent
- the app exchanges the code, together with its client secret, for an access token over a back channel to Facebook
- the app can access the user's Facebook data by sending the access token to the API; the token only grants what the user consented to, and the app never learns the user's Facebook password
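The flow above with both sides in one process, as an added example rather than code from the original notes or from Facebook: an in-memory authorization server (consent page, token endpoint, API) and a third-party app that starts the flow, checks the returned state, exchanges the code and calls the API. The provider URL, client id and secret, redirect URI and the profile data are all constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# All names, URLs and data below are constructed for this example.
AUTHZ_ENDPOINT = "https://social.example/oauth/authorize"


def query_params(url):
    """Flatten the query string of a URL into a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """The provider (Facebook in the notes): consent page, token endpoint and the API."""

    def __init__(self, user_data):
        self.user_data = user_data   # user -> profile the API hands out
        self.clients = {}            # client_id -> {"secret", "redirect_uri"}
        self.codes = {}              # authorization code -> (client_id, user, redirect_uri)
        self.tokens = {}             # access token -> (client_id, user)

    def register_client(self, client_id, secret, redirect_uri):
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, query, user, consent):
        """Consent page: returns the URL the browser is redirected to, or None on a bad request."""
        client = self.clients.get(query.get("client_id"))
        # The redirect_uri must match the registered one exactly, or the code
        # would be delivered to whatever site an attacker put in the request.
        if client is None or query.get("redirect_uri") != client["redirect_uri"]:
            return None
        params = {"state": query.get("state", "")}   # state is echoed back unchanged
        if consent:
            code = secrets.token_urlsafe(24)          # short-lived, single-use
            self.codes[code] = (query["client_id"], user, client["redirect_uri"])
            params["code"] = code
        else:
            params["error"] = "access_denied"
        return client["redirect_uri"] + "?" + urlencode(params)

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel code exchange; the app authenticates with its client secret."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None
        entry = self.codes.pop(code, None)            # pop: replaying a code fails
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, entry[1])
        return token

    def resource(self, headers):
        """The API: returns the user's data only for a valid bearer token."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        entry = self.tokens.get(token) if scheme == "Bearer" else None
        return self.user_data.get(entry[1]) if entry else None


class ThirdPartyApp:
    """The app that wants the user's data. It never sees the user's password."""

    def __init__(self, server, client_id, secret, redirect_uri):
        self.server, self.client_id, self.secret = server, client_id, secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()
        self.access_token = None

    def start_login(self):
        """Step 1: build the URL the browser is redirected to."""
        state = secrets.token_urlsafe(16)   # ties the callback to this login attempt (anti-CSRF)
        self.pending_states.add(state)
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "profile", "state": state})

    def handle_callback(self, url):
        """Step 2: the browser comes back; check state, then exchange the code."""
        q = query_params(url)
        if q.get("state") not in self.pending_states:
            return None                     # not a callback we started: reject
        self.pending_states.discard(q["state"])
        if "code" not in q:
            return None                     # user declined (error=access_denied)
        self.access_token = self.server.token(self.client_id, self.secret,
                                              q["code"], self.redirect_uri)
        return self.access_token

    def fetch_profile(self):
        """Step 3: call the API with the access token."""
        return self.server.resource({"Authorization": f"Bearer {self.access_token}"})


def run_flow(consent=True):
    """Drive one complete flow for user 'alice'; returns the profile the app obtained, or None."""
    server = AuthorizationServer({"alice": {"name": "Alice Example"}})
    server.register_client("photo-app", "app-secret-123", "https://photo.example/callback")
    app = ThirdPartyApp(server, "photo-app", "app-secret-123", "https://photo.example/callback")
    authz_url = app.start_login()                               # browser is sent here
    callback_url = server.authorize(query_params(authz_url), user="alice", consent=consent)
    if app.handle_callback(callback_url) is None:               # browser comes back here
        return None
    return app.fetch_profile()


if __name__ == "__main__":
    print(run_flow(consent=True))    # {'name': 'Alice Example'}
    print(run_flow(consent=False))   # None
```

The three checks that matter are visible in the code: the provider only redirects to the registered redirect URI, the app only accepts a callback whose state it generated, and the code is popped on first exchange so a captured code cannot be replayed.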