This content originally appeared on DEV Community and was authored by Meghan Gill
I recently had the opportunity to review and make some updates to the foundational chapter of Authorization Academy, Oso’s series of technical guides, entitled “What is Authorization?”. Here’s a brief overview of the key takeaways from this guide.
1. Authorization: Who can do what to what?
At its core, authorization defines permissions—determining what actions a user or agent may perform on particular resources in your application.
2. Authentication vs. Authorization
These are often bundled under "auth," but they serve distinct roles:
- Authentication confirms identity. Using a physical-world analogy, authentication is like getting through the front door of a house.
- Authorization decides what you can do once you have been authenticated. Continuing the analogy, it determines which rooms in the house you can enter once you’re through the front door.
3. Multiple Enforcement Layers
Authorization checks can occur at various points:
- Initial connection or request middleware
- Web server or router level
- Business logic layer within the application
- Database or data-access layer itself
The Authorization Academy chapter details each of these approaches.
4. How to think about the authorization model
In exploring the different enforcement layers, we use the following framework:
- Actor: who is making the request
- Action: what they are trying to do
- Resource: what they are doing it to
Later chapters explore common access patterns such as role-based access control (RBAC) and relationship-based access control (ReBAC).
5. Authorization’s Three Pillars
A robust permissions system separates:
- Data: the resource being accessed
- Logic: the rules defining permissions
- Enforcement: where decisions are applied
Permission decisions can be implemented in-app, via a centralized service, or using a hybrid architecture.
6. Architecture
Authorization tends to be invisible to end-users but is foundational for secure applications. Recognizing common authorization patterns—such as centralizing enforcement or maintaining policy separation—makes the logic easier to manage and reason about.
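To make the actor/action/resource framework, the three pillars, and the multiple enforcement layers concrete, here is an added Python example (not code from the guide or from Oso). It keeps data (users and documents), logic (a small rule set mixing a global "admin" role with owner and shared-with relationships) and enforcement (a fail-closed check in the business logic, plus row filtering in the data-access layer) in separate sections, all calling one `is_allowed` decision function. All names, types and sample records are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# ---- Data: the resources being protected and the facts attached to them ----
# (types and records constructed for this example)
@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str] = frozenset()          # global roles such as "admin"

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str                                    # relationship: who owns the document
    shared_with: FrozenSet[str] = frozenset()     # relationship: read-only sharing

# ---- Logic: rules over (actor, action, resource). Deny by default; any grant allows. ----
Rule = Callable[[User, str, Document], bool]

def rule_admin(actor: User, action: str, resource: Document) -> bool:
    # RBAC: a global role grants every action on every document
    return "admin" in actor.roles

def rule_owner(actor: User, action: str, resource: Document) -> bool:
    # ReBAC: the owner relationship grants every action on that document
    return resource.owner == actor.name

def rule_shared_read(actor: User, action: str, resource: Document) -> bool:
    # ReBAC: the shared_with relationship grants only "read"
    return action == "read" and actor.name in resource.shared_with

RULES: List[Rule] = [rule_admin, rule_owner, rule_shared_read]

def is_allowed(actor: User, action: str, resource: Document) -> bool:
    """The single decision function that every enforcement point calls."""
    return any(rule(actor, action, resource) for rule in RULES)

# ---- Enforcement point 1: business logic (fail closed before any side effect) ----
class Forbidden(Exception):
    pass

def require(actor: User, action: str, resource: Document) -> None:
    if not is_allowed(actor, action, resource):
        raise Forbidden(f"{actor.name} may not {action} document {resource.doc_id}")

def delete_document(actor: User, doc_id: int, store: Dict[int, Document]) -> bool:
    """Returns True if deleted, False if the actor was not permitted (store untouched)."""
    try:
        require(actor, "delete", store[doc_id])
    except Forbidden:
        return False
    del store[doc_id]
    return True

# ---- Enforcement point 2: data-access layer (filter rows, so denied records never leave the query) ----
def list_readable(actor: User, store: Dict[int, Document]) -> List[int]:
    return sorted(d.doc_id for d in store.values() if is_allowed(actor, "read", d))

# ---- Constructed sample data ----
ALICE = User("alice")
BOB = User("bob")
ROOT = User("root", roles=frozenset({"admin"}))

def sample_store() -> Dict[int, Document]:
    return {
        1: Document(1, owner="alice"),
        2: Document(2, owner="bob", shared_with=frozenset({"alice"})),
        3: Document(3, owner="bob"),
    }

if __name__ == "__main__":
    store = sample_store()
    print("alice can read:", list_readable(ALICE, store))         # [1, 2]
    print("alice deletes 2:", delete_document(ALICE, 2, store))    # False: sharing grants read only
    print("bob deletes 2:", delete_document(BOB, 2, store))        # True: bob owns it
    print("root can read:", list_readable(ROOT, store))           # [1, 3]
```

The point of the layout is that changing a rule (say, letting shared users also comment) touches only the logic section, while both enforcement points pick the change up automatically because neither of them encodes a rule of its own.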
I’m looking forward to working on updating the next chapter, and plan to summarize it here!
Meghan Gill | Sciencx (2025-08-26T01:07:06+00:00) Authorization 101: What I Learned from Oso’s “What is Authorization?” Guide. Retrieved from https://www.scien.cx/2025/08/26/authorization-101-what-i-learned-from-osos-what-is-authorization-guide/