20241113 ◎

Why is Authorization Header Used for Authentication?

TL;DR: There seems to be no definitive reason behind it.

I was confused about why the “Authorization” header is used when performing Basic Authentication or API Authentication. Shouldn't they be different concepts?

Authorization - HTTP | MDN

The HTTP Authorization request header can be used to provide credentials that authenticate a user agent with a server, allowing access to protected resources.

Authentication vs Authorization

Authentication vs Authorization | Auth0

Authentication vs Authorization | Okta

Authentication

Authorization

Permissions (Authorization) in Django REST framework

I usually work with the Django REST framework, which provides a feature that allows permissions (authorization) to run after authentication.

Permissions - Django REST framework

Together with authentication and throttling, permissions determine whether a request should be granted or denied access.

It is common to have a role check alongside normal authentication.

(I haven't checked whether this code block works; it is just for reference.)

settings.py

REST_FRAMEWORK = {
    # Step 1, authentication: BasicAuthentication reads the
    # "Authorization: Basic ..." header and populates request.user.
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.BasicAuthentication',
    ],
}

permissions.py

from rest_framework.permissions import BasePermission


class IsSuperUser(BasePermission):
    """Step 2, authorization: allow only superusers.

    Attach it with permission_classes = [IsSuperUser] on a view, or list it
    in REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES'].
    """

    def has_permission(self, request, view):
        # request.user was already set by the authentication step.
        return bool(request.user and request.user.is_superuser)

Usually the flow is: credentials are validated first (authentication), and then additional checks, such as role checks, act as authorization.

Authentication and authorization may be intertwined in custom permissions, but the basic flow is as in the example.
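As an added example (not code from this post or from Django REST framework), here is the same two-step flow without Django, covering both cases mentioned above: the Authorization header carries either Basic credentials or a Bearer API token, the server first authenticates (who is this?) and only then authorizes (may this known user do this?). The user table, salt and token list are constructed sample data, and the function names (parse_authorization, authenticate, authorize, handle_request) are hypothetical. It also shows the status-code consequence of keeping the two steps apart: a failed authentication gets 401 with a WWW-Authenticate challenge, a failed authorization gets 403.

```python
import base64
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2 password hash; iteration count kept low so the sample runs fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


# Constructed sample data (not real credentials). A real store would keep
# per-user salts and hash API tokens too.
_SALT = b"constructed-static-salt"
USERS = {
    "alice": {"pw_hash": _hash("alice-pass", _SALT), "role": "superuser"},
    "bob":   {"pw_hash": _hash("bob-pass", _SALT),   "role": "user"},
}
TOKENS = {"tok-bob-123": "bob"}  # bearer token -> username


def parse_authorization(header):
    """Split 'Authorization: <scheme> <params>' into (scheme, params)."""
    if not header:
        return None
    scheme, _, params = header.strip().partition(" ")
    return scheme.lower(), params.strip()


def authenticate(header):
    """Step 1, authentication: return the username the header proves, or None."""
    parsed = parse_authorization(header)
    if parsed is None:
        return None
    scheme, params = parsed
    if scheme == "basic":
        try:
            decoded = base64.b64decode(params, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        if not sep:
            return None
        record = USERS.get(user)
        # Hash even for unknown users so timing does not reveal which names exist.
        candidate = _hash(password, _SALT)
        expected = record["pw_hash"] if record else _hash("", _SALT)
        if record and hmac.compare_digest(candidate, expected):
            return user
        return None
    if scheme == "bearer":
        for token, user in TOKENS.items():
            if hmac.compare_digest(token, params):
                return user
        return None
    return None  # unknown scheme, e.g. Digest: we cannot identify the caller


def authorize(user, required_role):
    """Step 2, authorization: does this already-authenticated user have the role?"""
    return user is not None and USERS[user]["role"] == required_role


def handle_request(header, required_role="superuser"):
    """Return (status, extra_headers) for a protected endpoint."""
    user = authenticate(header)
    if user is None:
        # Not authenticated: challenge the client, don't say anything about roles.
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}
    if not authorize(user, required_role):
        # Authenticated but not allowed: no point re-asking for credentials.
        return 403, {}
    return 200, {}


def basic_header(user, password):
    """Build the 'Basic base64(user:password)' value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

Note the asymmetry: the 401 path is deliberately identical for a missing header, an unknown scheme, a malformed value and a wrong password, while 403 is only reachable once the identity is established.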

Is it OK to use “Authorization” header for authentication? What is the history behind that?

I could not find any (trustworthy) resources that explain the reason.

Why is the HTTP header for Authentication called Authorization? | Stackoverflow

:thinking_face:

Why is the header for HTTP Authentication called “Authorization” and not “Authentication” - Stackoverflow

I assume it's a historic mistake. That’s the best answer I have (note that I’m one of the authors of the newer RFC)

HTTP authentication - the HTTP header name is Authorization - why? - StackExchange

This answer makes sense: it points out that the HTTP header specification was written in January 1997, while the first security standards were codified in 1999-2000, and that ordering produced the inconsistency.

But it is just one rationale, and there is no direct evidence or resource confirming it.


157.0 lb

Rice             400
Oatmeal          300
Mashed potatoes  500
Sushi bowl       800
Total           2000 kcal

push-ups


MUST:

TODO:

