Authentication & Authorization & Entitlements
Authentication
Authentication is the process of verifying the identity of a user or system. It ensures that the entity requesting access is who they claim to be. Common methods of authentication include:
- Passwords (very bad)
- Multi-factor authentication (MFA)
- Biometric verification
- OAuth tokens
- API keys
- Single Sign-On (SSO)
Authorization
Authorization is the process of determining what an authenticated user or system is allowed to do. It defines the permissions and access levels for different resources. Common authorization models include:
- Access Control Lists (ACLs)
- Role-Based Access Control (RBAC)
- IAM (Identity and Access Management) systems
- Policy-Based Access Control (PBAC)
- Policy as Code
Entitlements
Entitlements refer to the specific rights or privileges granted to a user or system after authentication and authorization. They define what actions can be performed on specific resources. Examples of entitlements include:
- Access a product catalog (invisible by default)
- See premium content
- See premium features
Why do you need to know this?
Authentication
- Not all our services need to be public or customer facing.
- Whatever you have that is customer-facing must have authentication.
- Internal services don’t require any authentication.
Authorization
- It’s the next step after authentication.
- In security we can grant granular access to resources, giving each user only what they need. This principle is called least privilege.
- Authorization is checking whether the user has the fine-grained access required for a resource.
Entitlements
- It’s common for digital products to have product tiers. Such tiers can be called: basic, premium, silver, gold, platinum, free, pro, enterprise. All these tiers are also called entitlements.
- Entitlements mean: given the user’s subscription or plan, can they see a given feature or not.
- Think of entitlements as the way to tell which features a user can see. Do not confuse entitlements with feature flags or experiments.
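The three checks described above, wired together in the order the notes give (authentication, then authorization, then entitlements), as an added Python example that is not part of the original notes. The tokens, users, roles, permissions and plans are constructed sample data, and the function names are assumptions.

```python
from dataclasses import dataclass

# Added example: each stage is a separate function so that the reason for a
# denial is visible, and so that entitlements stay distinct from authorization.

class Denied(Exception):
    """Raised with the stage that failed so callers can tell them apart."""
    def __init__(self, stage, reason):
        super().__init__(f"{stage}: {reason}")
        self.stage = stage

@dataclass
class User:
    name: str
    roles: frozenset   # consulted by authorization (RBAC)
    plan: str          # consulted by entitlements

# Constructed sample session store: token -> authenticated user.
SESSIONS = {"tok-alice": User("alice", frozenset({"reader"}), "free"),
            "tok-bob": User("bob", frozenset({"reader", "editor"}), "premium")}
# RBAC table (constructed): which roles may perform which action on a resource.
PERMISSIONS = {("catalog", "read"): {"reader", "editor"},
               ("catalog", "write"): {"editor"}}
# Entitlement table (constructed): which plan tiers see which features.
ENTITLEMENTS = {"free": frozenset(), "premium": frozenset({"premium_content"})}

def authenticate(token):
    """Who is calling? Unknown or expired tokens are rejected outright."""
    user = SESSIONS.get(token)
    if user is None:
        raise Denied("authentication", "unknown or expired token")
    return user

def authorize(user, resource, action):
    """Least privilege: deny unless some role explicitly grants the action."""
    allowed = PERMISSIONS.get((resource, action), set())
    if not user.roles & allowed:
        raise Denied("authorization", f"no role grants {action} on {resource}")

def entitled(user, feature):
    """Does the user's plan include this feature? Not an access error if not."""
    return feature in ENTITLEMENTS.get(user.plan, frozenset())

def handle_request(token, resource, action, feature=None):
    """Run the three stages in order and report the outcome as a short string."""
    try:
        user = authenticate(token)
        authorize(user, resource, action)
    except Denied as e:
        return f"denied ({e.stage})"
    # A missing entitlement hides the feature; it does not block the request.
    if feature is not None and not entitled(user, feature):
        return "ok (feature hidden)"
    return "ok"
```

Note that a missing entitlement is reported differently from a failed authorization: the user is allowed to act on the resource, they just do not see the premium feature.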