Authorization Academy

I: What Is Authorization?

Authorization is a critical element of every application, but the problem is: there’s limited concrete material available for developers on how to build authorization into your app. To help developers build these systems and features, we built Authorization Academy.

Chapter I: What Is Authorization?

Authorization is the mechanism for controlling who can do what in an application, and for making sure users have access to the right data. It’s a critical element of every application, but it's nearly invisible to users. It's also usually unrelated to the core features that you're working on. If you’re like most development teams, you want to spend only as much time as you need to spend on authorization – and not a moment more.

The problem is: there’s limited concrete material available for developers on how to build authorization into your app. To help developers build these systems and features, we built Authorization Academy.

Authorization Academy is a series of technical guides that explains how to build authorization into an app, including architecture, modelling patterns, enforcement, testing, integration at the UI level and more. After completing this course, you will have a mental model for how authorization works and the tools to build it into an application yourself.

To make the course as concrete as possible, we use an example application throughout the course, called GitClub. GitClub is a website for source code hosting, collaboration, and version control. This might sound familiar! Our inspiration for GitClub comes from real-world applications – GitHub and GitLab – which are good case studies for common authorization scenarios.

This course focuses on authorization in business-to-business (B2B) software-as-a-service (SaaS) applications, though we’ll also cover other patterns and models along the way. Developers of all temperatures will find the course useful. For beginner developers, the course will establish a strong base of authorization fundamentals. For more seasoned veterans, the course will offer a cleaner approach to problems they have likely encountered in the past.

We’re authorization professionals. We built this course based on our experience writing authorization systems ourselves, as well as just dozens of meetings with developers working on authorization at companies ranging from startups to the Fortune 100.

This course is broken up into chapters, where we’ll be covering the following topics:

  • Architecture
  • Modelling Patterns
  • Enforcement
  • User Interfaces
  • Testing
  • Security
  • Microservices
  • Other advanced concepts

Authentication vs. Authorization

Many folks often use the term “auth” to refer to both authentication and authorization, which are related and somewhat overlapping mechanisms in application security. But they aren’t the same thing.

Authentication is the mechanism for verifying who a user is. It’s the front door to the application. For example, a username and password together make up an identity (username) and a verification method (do you know the password). Other forms of authentication include OAuth and OpenID Connect (OIDC), which is often used for adding features like “Login with Google” or “Login with Facebook”; and SAML, which is a standard that enterprises use for giving employees a single login across multiple apps.

Authorization is the mechanism of controlling what the user can do. If authentication is the front door, authorization controls what doors you can open once you’re inside. 

Authorization often builds on authentication, and the two overlap most closely when information about who the user is becomes an input to determining what she can do. For instance, once a user is authenticated, we might use her username to look up her permissions; or we might be able to infer her permissions based on some other attribute that we can look up. 

This course focuses on authorization, and will only touch on authentication when relevant. We assume you have an authentication system in place, or can set one up by following guidance readily available elsewhere.

Next chapter:

II: Structuring Authorization Architecture
This chapter shows how authorization fits into a typical application, and how to think about architecting the authorization system itself. To illustrate the concepts, we walk through an example application and the life of a request.

Previous chapter:

Want some help thinking through authorization in your app?

Or if you're not a fan of video calls, join the Oso community Slack.