Authorization technologies in a nutshell

JWT and OAuth2 explained in 10 minutes.

Photo by Helena Lopes on Unsplash.

Authorization is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular.”

Authentication is the act of proving an assertion, such as the identity of a computer system user.”

This is important to understand because it implies that whatever authorization technology you use you’ll need to use another technology for authentication supplementary to authorization.

Authentication is not part of this blog post. However as a reference for further reading there is e.g. the authentication technology OpenID Connect. OpenID Connect can be used with JWT as well. Refer to e.g. this video course to learn about how to use OpenID Conncet with JWT.

A little bit of history… do not use user/e-mail + password based authorization! But “(h)ow can I let an app access my data without giving it my password?”. Use e.g. OAuth2 instead.

Watch this approx. 1 min video to get the big picture about JWT.

Watch this approx. 6 1/2 min video to get the big picture about OAuth2.

If you have to explain someone how an OAuth2 exchange works use the hotel key analogy:

  • The hotel guest (application) requests access to the hotel room (resource) at the hotel reception (authorization server) via their personal ID. The hotel guest get’s the hotel keycard (access token) from the hotel reception.
  • Whenever the hotel guest wants to access his room he needs to insert the hotel keycard into the hotel door lock (resource server). The door lock does not care about your name or an password. It justs care about the hotel key card.
How to explain OAuth2 to non-IT people: “hotel key card analogy”.

To learn more about OAuth2 in the development context head over to the code section of the official website and check out a video course like “The Nuts and Bolts of OAuth 2.0” (covers OpenID Connect and JWT as well) by Aaron Parecki (OAuth Expert) which is heavily involved in OAuth.

To learn more about JWT in the development context head over to the official introduction and check out a video course like “OpenID Connect & JWT: Identity as a Service for your app”.

Software Developer for rapid prototype or high quality software with interest in distributed systems and high performance on premise server applications.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store