In today’s security-conscious world, every app—no matter how simple—needs to protect access to data. But before we get into tokens, security standards, or best practices, it’s crucial to understand two foundational concepts: authentication and authorization.
Note: This article belongs to Part 1.1: Identity & Access Management in our Application Security series.
Despite being used interchangeably (even by devs), they serve distinct purposes. Mixing them up can lead to flawed designs, security holes, or just plain confusion.
In our Application Security Series of blogs, This post lays the groundwork for the rest of this series by clearing up what these terms really mean—and why the distinction is essential for building secure apps.
While the two are closely related and frequently occur together, they serve fundamentally different purposes. In this article, we’ll explore their differences, understand how they interact in modern applications, and look at real-world implementations using Spring Security.
Authentication: Identifying the User
Authentication is the process of verifying a user’s identity. It answers the question: “Who is this user?”
In web applications, authentication typically involves credential validation—such as a username and password—or identity federation using an external identity provider (IdP). Upon successful authentication, the application receives a session or token that uniquely represents the user.
Common authentication methods:
- Email/password with multi-factor authentication (MFA)
- Social login (e.g. Google, GitHub) via OAuth/OIDC
- Biometric methods (face ID, fingerprint)
- Public key authentication for service-to-service calls
✅ Spring Security Example: OAuth2 Login
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.oauth2Login() // Enables OpenID Connect login
.and()
.authorizeHttpRequests(auth -> auth
.anyRequest().authenticated()
);
return http.build();
}
}
This sets up OpenID Connect login via a configured IdP (e.g. Google, Okta). After login, Spring Security creates a security context with user details.
Authorization: Controlling Access to Resources
Authorization determines what actions an authenticated user is allowed to perform. It answers the question: “Is this user permitted to do this?”
Authorization can be enforced based on:
- Roles (admin, user, moderator)
- Permissions or scopes (
read:users,delete:posts) - Attributes (department, resource ownership)
In distributed systems, it often uses access tokens containing claims or scopes that indicate the user’s permissions.
✅ Spring Security Example: Role-Based Access
@RestController
@RequestMapping("/admin")
public class AdminController {
@PreAuthorize("hasRole('ADMIN')")
@PostMapping("/create-user")
public ResponseEntity<?> createUser(@RequestBody UserDto user) {
// Only accessible to users with ROLE_ADMIN
return ResponseEntity.ok().build();
}
}
You can also control access via scopes (commonly used with OAuth2):
@PreAuthorize("hasAuthority('SCOPE_write:users')")
Technical Comparison Table
| Aspect | Authentication | Authorization |
|---|---|---|
| Purpose | Confirms the identity of the user | Determines access rights and privileges |
| Question | “Who are you?” | “Can you perform this action?” |
| Security Standards | OpenID Connect, SAML | OAuth 2.0, RBAC, ABAC |
| Artifacts | ID Token, Session Cookie | Access Token, Roles, Scopes |
| Spring Support | oauth2Login(), JWT decoder | @PreAuthorize, Scopes, Roles |
Implementation Flow: API with Token-Based Auth
Consider a Spring Boot REST API that handles user actions.
- User logs in via frontend using OIDC → receives
id_tokenandaccess_token - Frontend sends request to:
POST /api/users Authorization: Bearer <access_token> - Backend performs:
- Authentication → Validates the token’s signature, expiry, issuer
- Authorization → Checks token scopes or roles before allowing access
✅ Spring Security: OAuth2 Resource Server
@Configuration
public class ResourceServerConfig {
@Bean
public SecurityFilterChain resourceSecurity(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/api/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.jwt() // Automatically parses and validates JWTs
);
return http.build();
}
}
Spring uses the JwtDecoder bean to decode and verify the incoming JWT, and then populates the SecurityContext.
Common Pitfalls to Avoid
- Using
id_tokento access APIs — This token is for identity only, not resource access. - Putting authorization logic in frontend code — Client-side checks are not secure.
- Over-relying on roles without fine-grained scopes — Leads to overly permissive access.
Key Security Recommendations
- Always validate JWTs on the server, including expiration, issuer, and audience.
- Use short-lived access tokens and refresh tokens where supported.
- Enforce authorization checks server-side using Spring’s
@PreAuthorize, method security, or a dedicated policy engine. - Use scope-based access for APIs, especially in multi-tenant or delegated access environments.
Conclusion
Authentication and authorization are core to secure application architecture, yet they serve distinct purposes:
- Authentication verifies identity — who the user is.
- Authorization defines access — what the user can do.
Modern applications rely on clearly defined boundaries between these processes, particularly when using federated login, microservices, or token-based security.
By understanding and implementing them correctly—especially using frameworks like Spring Security—developers can ensure robust access control and minimize risk across distributed systems.
Check out https://en.wikipedia.org/wiki/Authorization and https://en.wikipedia.org/wiki/Authorization Wikipedia links for more information on the current topic.
What’s Next
Up Next in our Application Security Series is:
Part 1.2 👉 How Session and Token Authentication Work (with Spring Security Examples)
We’ll examine the differences between session-based and token-based authentication, including:
- Pros and cons of each
- Stateless auth in RESTful APIs
- Best practices for SPAs and mobile apps using Spring Security and OAuth2
Have a Question?
If you’re working with Spring Security or designing authentication flows, feel free to share your questions or scenarios in the comments. I’d be happy to help or expand on specific use cases in future posts.
