Understanding Authentication vs Authorization: From Basics to JWT & Casbin
This article explains the fundamental differences between authentication and authorization, outlines various authentication factors, details the JWT signing process, and introduces Casbin as a powerful open‑source authorization framework, helping developers secure API access effectively.
Authentication vs Authorization
Authentication verifies the identity of a client (who you are). Authorization determines whether an authenticated client is permitted to perform a specific action on a resource (what you can do).
Definitions
Authentication : Proving that an identity is correct.
Authorization : Granting permission to perform a specific action.
An API may authenticate a request but still deny it if the user is not authorized for the requested operation.
Authentication
Typical authentication methods include:
Username / password (single‑factor)
Two‑factor authentication (2FA) – e.g., password plus a one‑time code from an authenticator app or hardware token. Note that a password plus a PIN is not true 2FA, since both are knowledge factors.
Multi‑factor authentication (MFA) – two or more independent factors such as something you know, something you have, and something you are.
Authentication Factors
Knowledge factor : Something the user knows (password, PIN).
Possession factor : Something the user has (hardware token, smartphone app).
Inherence factor : Something the user is (biometrics, fingerprint).
JWT Authentication Overview
JSON Web Tokens (JWT) are a widely used token format for stateless authentication across many ecosystems (Java, Node.js, Go, Python and others). A token consists of three Base64Url‑encoded parts joined by dots: header, payload, and signature. With HMAC algorithms such as HS256 the signature is a Message Authentication Code (MAC) computed with a secret key held only by the server; with asymmetric algorithms such as RS256 or ES256 it is a digital signature made with the server's private key and checked with the public key.
Signing Process
User sends username and password to the authentication server.
Server validates the credentials.
Server holds a long‑lived secret key known only to the server (loaded from configuration or a secrets manager, not generated per request and never sent to clients).
Creates a JWT header (e.g., {"alg":"HS256","typ":"JWT"}) and a payload that typically contains sub (user ID), iat (issued‑at) and exp (expiration timestamp).
Encodes header and payload with Base64Url (no padding).
Computes the signature using
HMAC‑SHA256(secretKey, Base64UrlEncode(header) + "." + Base64UrlEncode(payload)).
Server returns the token in the form base64Url(header).base64Url(payload).base64Url(signature).
Client includes the JWT in the Authorization: Bearer <token> header for subsequent API calls. On every request the server recomputes the MAC, compares it in constant time, and checks exp before trusting any claim; the algorithm must be fixed server‑side rather than read from the token's alg field. The token serves as a temporary credential: because nothing is stored server‑side, a token cannot be revoked before exp without an extra deny list, so lifetimes should be short.
Authorization
Authorization checks whether an authenticated identity has permission to access a specific resource such as a file, database record, or service endpoint. Access is granted only after a successful authorization decision; otherwise the request is denied.
Casbin Authorization Overview
Casbin is an open‑source access‑control library that supports multiple models (ACL, RBAC, ABAC, etc.). It separates the policy definition from the enforcement logic.
Key capabilities
Customizable request format; default request is {subject, object, action}.
Core concepts: model (defines the access‑control structure) and policy (stores the rules).
Supports multi‑level role inheritance for both subjects and resources.
Super‑user support (e.g., root or Administrator): the model's matcher can include a clause such as || r.sub == "root" so that the super‑user is allowed regardless of the policy rules.
Built‑in matcher functions such as keyMatch(key1, key2), where key2 may end with a * wildcard for path‑based resource patterns (e.g., keyMatch("/foo/bar", "/foo*") is true).
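To make the model/policy split concrete, here is an added example that evaluates a Casbin‑style RBAC model with keyMatch, multi‑level role inheritance and a root super‑user. It is not the Casbin library and not code from the original article: the model and policy text follow Casbin's model.conf and policy.csv conventions, but the matcher line is evaluated by hand in `enforce` so the logic is visible. The users, roles and paths are made up. With pycasbin the same files would be loaded with casbin.Enforcer(model_path, policy_path) and queried with enforcer.enforce(sub, obj, act).

```python
import csv
import io

# Constructed model in Casbin's model.conf syntax. Only the [matchers] line is
# evaluated below; the other sections document the request and policy shape.
MODEL = """
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act || r.sub == "root"
"""

# Constructed policy.csv: p lines are permissions, g lines assign roles.
# admin inherits viewer, so bob (admin) can also read reports.
POLICY = """\
p, viewer, /reports/*, read
p, admin, /admin/*, write
g, alice, viewer
g, bob, admin
g, admin, viewer
"""


def key_match(key1: str, key2: str) -> bool:
    """Casbin keyMatch semantics: key2 may end in '*' which matches any suffix."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    if len(key1) > i:
        return key1[:i] == key2[:i]
    return key1 == key2[:i]


def load_policy(text: str):
    """Parse policy.csv text into permission tuples and a role graph."""
    perms, roles = [], {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            continue
        if row[0] == "p":
            perms.append(tuple(row[1:4]))
        elif row[0] == "g":
            roles.setdefault(row[1], set()).add(row[2])
    return perms, roles


def has_role(roles: dict, sub: str, role: str) -> bool:
    """g(sub, role): true if sub == role or sub reaches role via inheritance."""
    seen, stack = set(), [sub]
    while stack:
        cur = stack.pop()
        if cur == role:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(roles.get(cur, ()))
    return False


def enforce(perms, roles, sub: str, obj: str, act: str) -> bool:
    """Evaluate the matcher from MODEL: policy rules, then the root shortcut."""
    if sub == "root":
        return True
    return any(
        has_role(roles, sub, p_sub) and key_match(obj, p_obj) and act == p_act
        for p_sub, p_obj, p_act in perms
    )


if __name__ == "__main__":
    perms, roles = load_policy(POLICY)
    for request in [("alice", "/reports/q1", "read"), ("bob", "/admin/users", "write"),
                    ("alice", "/admin/users", "write"), ("root", "/anything", "delete")]:
        print(request, "->", enforce(perms, roles, *request))
```

Because the rules live in POLICY and the decision logic in `enforce`, granting carol report access is a one‑line policy change with no code change, which is the separation the article describes.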
Summary
Authentication (who you are) and authorization (what you can do) are distinct but complementary security mechanisms. Understanding their differences enables developers to implement robust, stateless authentication with JWTs and fine‑grained access control using frameworks like Casbin.