
Authentication vs Authorization

Authentication is the process of verifying a user's identity (proving who you are), while authorization is the process of determining what an authenticated user is permitted to access or do (proving what you are allowed to do). Together, they form the foundation of access control in every application and API.

Author: Unihackers Team
Reading time: 3 min read

Why It Matters

The distinction between authentication and authorization is the single most important concept in API security. The majority of critical API vulnerabilities stem from confusion between these two concepts or failures in one while the other works correctly.

Consider a building analogy: authentication is the security guard checking your ID badge at the entrance. Authorization is the access card system that determines which floors and rooms you can enter. A building that checks IDs at the door but gives everyone access to every room has authentication without proper authorization. This is exactly what happens in most BOLA/IDOR vulnerabilities.

In the OWASP API Security Top 10, three of the top five categories (API1, API3, API5) are fundamentally authorization failures, while API2 covers authentication failures. Understanding this distinction is the key to finding the most common and impactful API bugs.

Authentication in Practice

How Authentication Works

Authentication verifies identity through one or more factors:

  • Something you know: passwords, PINs, security questions
  • Something you have: tokens, smart cards, mobile devices (the usual second factor in two-factor authentication)
  • Something you are: fingerprints, facial recognition, biometrics

In APIs, authentication typically produces a token (JWT, session cookie, or API key) that the client sends with subsequent requests. The server validates this token on each request to confirm the user's identity.

Common Authentication Failures

  • Tokens that never expire, allowing permanent access from a stolen token
  • Password reset flows with predictable or reusable tokens
  • Logout that only clears the token client-side without invalidating it server-side
  • Missing rate limiting on login or OTP endpoints, enabling brute force attacks
  • Weak token generation that allows prediction or replay
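The following is an added example (not code from the original page or from the Unihackers bootcamp) showing an authentication layer that avoids each failure listed above: tokens come from a CSPRNG, they expire, logout revokes them server-side, a password change invalidates every existing session, and the login endpoint locks an account after repeated failures. The `AuthServer` class, its store layout, the user name `alice` and the constants are all assumptions made for the example; the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # a token has a bounded lifetime, so a stolen one does too
MAX_FAILED_LOGINS = 5         # rate limiting on the login endpoint
LOCKOUT_SECONDS = 5 * 60      # how long the failure counter (and the lockout) lasts
PBKDF2_ROUNDS = 100_000       # kept modest for the demo; raise it in production


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Session:
    user_id: str
    issued_at: float
    revoked: bool = False


class AuthServer:
    """In-memory authentication layer, constructed for this example only."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested
        self._users = {}         # user_id -> (salt, digest)
        self._sessions = {}      # token -> Session (the server-side record of the token)
        self._failed = {}        # user_id -> (failure_count, window_start)

    def register(self, user_id: str, password: str) -> None:
        self._users[user_id] = hash_password(password)

    def _locked_out(self, user_id: str, now: float) -> bool:
        count, started = self._failed.get(user_id, (0, now))
        if now - started >= LOCKOUT_SECONDS:
            self._failed.pop(user_id, None)    # window elapsed: the counter resets
            return False
        return count >= MAX_FAILED_LOGINS

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Return a fresh bearer token on success, None on any failure."""
        now = self._clock()
        if self._locked_out(user_id, now):
            return None
        stored = self._users.get(user_id)
        ok = False
        if stored is not None:
            salt, digest = stored
            ok = hmac.compare_digest(digest, hash_password(password, salt)[1])
        if not ok:
            count, started = self._failed.get(user_id, (0, now))
            self._failed[user_id] = (count + 1, started)
            return None
        self._failed.pop(user_id, None)
        token = secrets.token_urlsafe(32)    # CSPRNG output: neither guessable nor sequential
        self._sessions[token] = Session(user_id, now)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Validate the token presented on a request; return the user_id or None."""
        session = self._sessions.get(token)
        if session is None or session.revoked:
            return None
        if self._clock() - session.issued_at > TOKEN_TTL_SECONDS:
            session.revoked = True
            return None
        return session.user_id

    def logout(self, token: str) -> None:
        """Revoke server-side, so the token is dead even if the client still holds it."""
        if token in self._sessions:
            self._sessions[token].revoked = True

    def change_password(self, user_id: str, new_password: str) -> None:
        self._users[user_id] = hash_password(new_password)
        for session in self._sessions.values():   # old sessions do not survive the change
            if session.user_id == user_id:
                session.revoked = True


def demo() -> dict:
    """Walk through the failure list above against a controllable clock."""
    now = [1_700_000_000.0]                         # constructed start time
    server = AuthServer(clock=lambda: now[0])
    server.register("alice", "correct horse battery")
    results = {}
    token = server.login("alice", "correct horse battery")
    results["login_ok"] = server.authenticate(token) == "alice"
    server.logout(token)
    results["dead_after_logout"] = server.authenticate(token) is None
    token = server.login("alice", "correct horse battery")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expires"] = server.authenticate(token) is None
    token = server.login("alice", "correct horse battery")
    server.change_password("alice", "new passphrase")
    results["gone_after_password_change"] = server.authenticate(token) is None
    for _ in range(MAX_FAILED_LOGINS):
        server.login("alice", "wrong guess")
    results["locked_out"] = server.login("alice", "new passphrase") is None
    now[0] += LOCKOUT_SECONDS
    results["lockout_lifts"] = server.login("alice", "new passphrase") is not None
    return results
```

Every check in `demo()` maps to one of the authentication test questions later on the page; a real deployment would keep the session and failure tables in a store shared across server instances rather than in process memory, and would hash the token before storing it so a database read does not leak usable credentials.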

Authorization in Practice

How Authorization Works

After authentication confirms identity, authorization determines permissions. Authorization models include:

  • Role-Based Access Control (RBAC): permissions assigned to roles (admin, user, editor); users inherit role permissions
  • Attribute-Based Access Control (ABAC): permissions based on user attributes, resource attributes, and environmental conditions
  • Object-Level Authorization: verifying that the authenticated user owns or has access to the specific object being requested

Common Authorization Failures

  • Missing object-level checks (BOLA/IDOR): the API verifies login but not resource ownership
  • Missing function-level checks: regular users calling admin endpoints
  • Mass assignment: the API accepting role or permission changes from user input
  • Privilege escalation: users elevating their own permissions through API manipulation

Testing Authentication and Authorization

When testing APIs, security professionals evaluate both layers independently:

Authentication tests: Can tokens be reused after logout? Do they expire? Can password reset tokens be predicted? Is there rate limiting on login? Are old sessions invalidated after password change?

Authorization tests: Can User A access User B's data by changing an ID? Can a regular user call admin endpoints? Can the user add privileged fields to request bodies? Does the API return more data than the user's role should see?

The most impactful bugs occur at the intersection: an API that correctly authenticates users but fails to authorize their access to specific objects or functions.
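As an added example (not code from the original page or from the Unihackers bootcamp), the block below puts the authorization failures listed earlier side by side with their hardened forms, then runs the authorization test questions from this section against both sets of handlers. The role table, the users `alice`, `bob` and `root`, the documents `d1`/`d2`, the `Forbidden` exception and the `PROFILE_WRITABLE_FIELDS` allow-list are all constructed for the example; the "current user" is assumed to have already been authenticated, which is exactly the point at which these checks are missed.

```python
from dataclasses import dataclass

# Constructed sample data: a role-to-permission table, three users, two documents.
ROLE_PERMISSIONS = {
    "user": {"document:read"},
    "admin": {"document:read", "user:list"},
}


@dataclass
class User:
    user_id: str
    role: str
    display_name: str = ""


@dataclass
class Document:
    doc_id: str
    owner_id: str
    title: str


DOCUMENTS = {
    "d1": Document("d1", "alice", "alice's notes"),
    "d2": Document("d2", "bob", "bob's notes"),
}
USER_IDS = ["alice", "bob", "root"]
PROFILE_WRITABLE_FIELDS = {"display_name"}   # allow-list; "role" is deliberately absent


class Forbidden(Exception):
    """Raised when an authenticated caller is not authorized for the action."""


def has_permission(user: User, permission: str) -> bool:
    """RBAC: the caller's role decides which functions it may call."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


# --- Vulnerable handlers: identity is known, but nothing is checked against it ---

def get_document_vulnerable(caller: User, doc_id: str) -> Document:
    return DOCUMENTS[doc_id]                  # BOLA/IDOR: any logged-in user, any doc_id


def list_users_vulnerable(caller: User) -> list:
    return list(USER_IDS)                     # admin function with no function-level check


def update_profile_vulnerable(caller: User, body: dict) -> User:
    for key, value in body.items():           # mass assignment: "role" accepted from input
        setattr(caller, key, value)
    return caller


# --- Hardened handlers ---

def get_document(caller: User, doc_id: str) -> Document:
    doc = DOCUMENTS.get(doc_id)
    # Function-level check (the role may read documents) and object-level check (the
    # caller owns this one). Missing and foreign documents get the same answer, so
    # the response does not reveal which IDs exist.
    if (not has_permission(caller, "document:read")
            or doc is None or doc.owner_id != caller.user_id):
        raise Forbidden("document not available to this user")
    return doc


def list_users(caller: User) -> list:
    if not has_permission(caller, "user:list"):
        raise Forbidden("requires user:list")
    return list(USER_IDS)


def update_profile(caller: User, body: dict) -> User:
    unexpected = set(body) - PROFILE_WRITABLE_FIELDS
    if unexpected:                            # reject rather than silently drop the field
        raise Forbidden(f"fields not writable: {sorted(unexpected)}")
    for key, value in body.items():
        setattr(caller, key, value)
    return caller


# --- The authorization test questions from the text, run against either handler set ---

def _denied(action) -> bool:
    try:
        action()
    except Forbidden:
        return True
    return False


def run_authorization_tests(get_doc, list_fn, update_fn) -> dict:
    """Each key is True when the handlers pass that check."""
    alice = User("alice", "user")             # fresh object, so mutations stay local
    results = {
        # Can User A access User B's data by changing an ID?
        "object_level": _denied(lambda: get_doc(alice, "d2")),
        # Can a regular user call an admin endpoint?
        "function_level": _denied(lambda: list_fn(alice)),
        # The legitimate path must still work for the owner.
        "owner_can_read": not _denied(lambda: get_doc(alice, "d1")),
    }
    # Can the user add a privileged field to the request body?
    _denied(lambda: update_fn(alice, {"display_name": "Alice", "role": "admin"}))
    results["mass_assignment"] = alice.role == "user"
    return results
```

Running `run_authorization_tests` with the vulnerable trio returns False for the object-level, function-level and mass-assignment checks while the owner's own read still succeeds, which is precisely the "authenticates correctly but never authorizes" pattern the paragraph above calls out; the hardened trio passes all four. The ownership comparison in `get_document` is the check that separates a BOLA finding from a working API, and it has to run on every object access, not only on the list endpoint.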

In the Bootcamp

How We Teach Authentication vs Authorization

In our Cybersecurity Bootcamp, you won't just learn about Authentication vs Authorization in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 1: Cybersecurity Foundations

Related topics you'll master:

  • CIA Triad
  • Threat Vectors
  • NIST Framework
  • ISO 27001

360+ hours of expert-led training • CompTIA Security+ included