
Authentication vs authorization in HLD - Architecture Trade-offs

Problem Statement
Without clear separation, systems confuse verifying who a user is with what they can do. This leads to security risks like unauthorized access or users being blocked from allowed actions, causing failures in protecting sensitive data or resources.
Solution
Authentication confirms the user's identity by checking credentials like passwords or biometrics. Authorization then decides what actions or resources the authenticated user can access based on their permissions or roles.
Architecture
[Diagram labels: User, Authentication, Identity Data]

This diagram shows the flow where a user first passes through authentication to verify identity, then through authorization to check access rights.
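The two-step flow above, as an added example that is not part of the original page: `authenticate` establishes identity from a signed token, `authorize` applies a deny-by-default role lookup, and the handler returns 401 for an unknown identity and 403 for a known identity without permission. The token format, key, users, roles and function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"             # assumption: server-side signing key
ROLES = {"alice": "admin", "bob": "viewer"}  # constructed identity -> role data
PERMISSIONS = {"admin": {"read", "delete"}, "viewer": {"read"}}


def _mac(user: str) -> str:
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Issued once, after credentials were checked at login (not shown)."""
    return f"{user}.{_mac(user)}"


def authenticate(token: str):
    """Authentication: who is this? Returns the user name, or None."""
    user, sep, mac = token.rpartition(".")
    if not sep or not user:
        return None
    # Constant-time comparison so the check does not leak MAC bytes via timing.
    if hmac.compare_digest(mac.encode(), _mac(user).encode()):
        return user
    return None


def authorize(user: str, action: str) -> bool:
    """Authorization: may this identity do this? Unknown users/roles get nothing."""
    role = ROLES.get(user)
    return action in PERMISSIONS.get(role, set())


def handle(token: str, action: str) -> int:
    """Request gate: authentication first, then authorization."""
    user = authenticate(token)
    if user is None:
        return 401   # identity not established
    if not authorize(user, action):
        return 403   # identity established, action not permitted
    return 200
```

Because the token carries only identity, changing an entry in `ROLES` takes effect on the next request without issuing a new token.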

Trade-offs
✓ Pros
Separates identity verification from permission checks, improving security clarity.
Allows flexible permission management without re-verifying identity.
Supports scalable systems by decoupling user login from access control.
✗ Cons
Requires additional infrastructure to manage both authentication and authorization.
Complexity increases when integrating multiple authentication methods with fine-grained authorization.
Misconfiguration can lead to security gaps if either step is weak.
Always use when building systems with user access control, especially when multiple roles or permissions exist and security is critical.
Not needed for simple public systems with no user-specific access control, where all users have the same permissions.
Real World Examples
Amazon
Separates customer login (authentication) from their ability to purchase or view order history (authorization) to protect user data.
Google
Uses OAuth for authentication to verify user identity, then applies authorization to control access to services like Gmail or Drive.
Netflix
Authenticates users to confirm identity, then authorizes content access based on subscription level and region.
Alternatives
Role-Based Access Control (RBAC)
Focuses on authorization by assigning permissions to roles rather than individuals, but still requires authentication first.
Use when: managing permissions for large groups with similar access needs.
Attribute-Based Access Control (ABAC)
Authorization decisions are made based on user attributes and environment, adding more dynamic control after authentication.
Use when: access depends on multiple contextual factors beyond roles.
Summary
Authentication verifies the user's identity using credentials.
Authorization determines the user's permissions after identity is confirmed.
Separating these improves security and system clarity.