Tokens: the ‘I’m old enough to drink’ of web-based teens

--Originally published at tc2027 – Ce qui est chouette

In this post I’ll be dealing with the topic of Authentication and Authorization, and at the end of this post I’ll provide some examples and summarize some of the currently used solutions.

The difference

First, let’s deal with what both of these concepts refer to and what the difference between them is.

Authentication means verifying who someone is. This is what sign up and log in are for: the first defines who you are, while the latter is where the authentication lies, in checking your user id and password to match you with someone in the system. Authentication answers the claim “this is who I am” with “yep, that’s who you are”.

Bouncers by Fabio Venni on Flickr under a CC License.

Authorization means verifying that someone has permission to perform an action. This refers to a certain user having or gaining access to a resource, and is usually done through different types of user, e.g. Administrator, Anonymous User, etc. Authorization answers “hey, can I do this?” with “yep, you can”, or, if it were an English teacher, “can you?”, to which you would simply groan in disgust at this attempt at comedy.

Tokens

One common way to handle both these processes is through the use of tokens. A token is a series of characters, usually encoded, that represent both to whom the token belongs—to which account it is linked—and what type of access this token has.

An implementation of tokens that I’ve used is JWT (JSON Web Token). A JWT consists of three parts: header, payload, and signature. The first two are base64 encoded and separated by a dot (.); the signature is a bit different, and consists of the following:

EncryptionAlgorithm(base64(