1
00:00:00,300 --> 00:00:06,780
Till now, in this entire course, we focused on how to authenticate a user, like how to protect

2
00:00:06,780 --> 00:00:10,670
our API paths, URLs inside our application.

3
00:00:10,800 --> 00:00:18,540
But security also has authorization involved. We hear a lot about authentication and authorization.

4
00:00:18,540 --> 00:00:19,130
In this video,

5
00:00:19,170 --> 00:00:27,240
let's try to clarify what is truly authentication and what is authorization before we move on to further

6
00:00:27,330 --> 00:00:34,830
sections where we will be implementing restrictions, authorization inside our application. In authentication,

7
00:00:34,830 --> 00:00:37,460
the identification of the user will happen.

8
00:00:37,470 --> 00:00:45,270
Suppose, as an application architect, if I want to secure my application, in my login page I will

9
00:00:45,270 --> 00:00:52,350
ask my user, "prove your identity," like with your email address and password, and that's what authentication is.

10
00:00:52,470 --> 00:00:59,370
Whereas authorization means once I have authenticated a person to come into my application, there might

11
00:00:59,370 --> 00:01:05,319
be different roles, access rules that I might have defined, authorities that I might have defined,

12
00:01:05,319 --> 00:01:06,150
like:

13
00:01:06,480 --> 00:01:08,810
this user should act like an admin.

14
00:01:08,820 --> 00:01:11,490
This user should act like a normal customer.

15
00:01:11,670 --> 00:01:15,360
So there are many terminologies that we call, like in some applications

16
00:01:15,360 --> 00:01:18,920
they call it supervisor, customer, user.

17
00:01:19,140 --> 00:01:26,280
So based upon these authorities, roles, we should control what action a user should perform inside

18
00:01:26,280 --> 00:01:27,020
our application.

19
00:01:27,150 --> 00:01:28,530
That is authorization.

20
00:01:28,800 --> 00:01:35,100
If we try to take any classic example, suppose I want to fly from one city to another city.

21
00:01:35,310 --> 00:01:36,300
I book a ticket.

22
00:01:36,510 --> 00:01:39,630
I went to the airport. At the very start of the airport,

23
00:01:39,810 --> 00:01:43,680
you have to authenticate yourself, like what is your passport number?

24
00:01:44,010 --> 00:01:46,550
Are you the same person who wants to fly?

25
00:01:46,740 --> 00:01:47,520
What are your

26
00:01:47,670 --> 00:01:54,870
SSN details? And they try to verify your identity, and once you clear that authentication

27
00:01:54,870 --> 00:02:00,390
step, then you will go to the place where you want to take your flight,

28
00:02:00,630 --> 00:02:03,810
like gate number one or two or three, whatever it might be.

29
00:02:03,840 --> 00:02:06,870
So in this scenario, you proved your authentication.

30
00:02:06,870 --> 00:02:12,690
That's where you're allowed to enter into the airport, but you are authorized to take only the flight

31
00:02:12,690 --> 00:02:14,190
which you booked.

32
00:02:14,430 --> 00:02:20,160
Suppose I might have booked a flight to Mumbai, but at the last minute, if I want to travel to Delhi,

33
00:02:20,160 --> 00:02:22,950
that's not authorized, because I'm not an authorized user.

34
00:02:23,250 --> 00:02:26,460
I am authorized to take only the Mumbai flight.

35
00:02:26,730 --> 00:02:28,350
So that is authorization.

36
00:02:28,620 --> 00:02:34,260
If we take any real-time example, usually authentication is done before authorization. The very first

37
00:02:34,260 --> 00:02:41,700
step that will happen inside any secure application or a secure scenario is authentication. Once authentication

38
00:02:41,700 --> 00:02:42,500
is successful,

39
00:02:42,810 --> 00:02:49,500
the authorization will happen to identify what authorities or roles this person has. To perform authentication,

40
00:02:49,770 --> 00:02:55,410
we just need his login credentials, like username, password, mobile number or multifactor authentication.

41
00:02:55,530 --> 00:03:00,260
Once that user login successfully happens, then we look at

42
00:03:00,270 --> 00:03:06,300
what his configured roles are inside our database or any other system to derive his authorities.

43
00:03:06,510 --> 00:03:12,630
If we get any error due to invalid credentials in authentication, we get a 401 error

44
00:03:12,630 --> 00:03:19,950
from the server. 401 indicates authentication failure, whereas if my authentication has passed, but I'm

45
00:03:19,950 --> 00:03:22,320
not authorized to perform any action,

46
00:03:22,470 --> 00:03:23,370
in that scenario

47
00:03:23,370 --> 00:03:29,820
we'll get a 403 error, which is a forbidden error. Forbidden means it is hidden from you.

48
00:03:30,120 --> 00:03:32,280
You're not allowed to perform that action.

49
00:03:32,430 --> 00:03:36,600
And another example that we can take is inside any bank application.

50
00:03:36,720 --> 00:03:40,080
First I have to prove my identity with login credentials.

51
00:03:40,260 --> 00:03:44,880
I may be a customer or an employee inside the bank. In any of these scenarios,

52
00:03:44,910 --> 00:03:48,420
I have to prove my identity by giving my login credentials.

53
00:03:48,510 --> 00:03:56,190
Once I have entered proper login details, I am authorized into the system based upon the roles, authorities

54
00:03:56,340 --> 00:03:58,470
configured inside the system.

55
00:03:58,620 --> 00:04:02,190
So on a high level, this is authentication and authorization.

56
00:04:02,340 --> 00:04:09,900
In the next video, let's try to see how Spring Security handles authentication and authorization internally.

57
00:04:10,170 --> 00:04:10,640
Thank you

58
00:04:10,650 --> 00:04:10,960
and bye.