Test your knowledge of authentication (AuthN) and authorization (AuthZ) concepts, including the roles of sessions and tokens and the basics of OAuth2. This quiz helps reinforce key identity and access control terms and scenarios essential for secure applications.
What is the main purpose of authentication (AuthN) in a web application?
Explanation: Authentication is the process of verifying who a user is, usually through credentials like a password. Authorization, in contrast, deals with what the user is allowed to do, making the second option incorrect. Encrypting user data relates to security techniques, but not directly to authentication. Load balancing traffic is unrelated to either authentication or authorization.
If a user is logged in but cannot access an admin page, what is most likely the issue?
Explanation: A user who is already logged in has passed authentication. If the user cannot access a specific page, it usually means they do not have the required authorization. Failing authentication would prevent the user from logging in. An expired session would log the user out, and a temporarily unavailable page would affect all users, not just one.
What does a 'session' represent in the context of web authentication?
Explanation: A session typically represents a time period when a user remains authenticated after logging in. It is not a file for encrypted data or a backup; those are separate concepts. A session also doesn't mean a list of authorized resources, which falls under authorization.
In authentication and authorization systems, what is most commonly the role of a token?
Explanation: Tokens are used to digitally represent a user's authentication state or permissions, such as allowing access to protected resources. Tokens do not store style information, which is the job of stylesheets. Scheduling tasks and generating logs are unrelated concepts.
Which statement best summarizes the difference between authentication (AuthN) and authorization (AuthZ)?
Explanation: Authentication is about establishing identity, while authorization is about assigning permissions after identity is known. The reverse statement mixes up the definitions. The two terms are related but not identical, making the third option false. Usually, authentication is required before authorization, not after.
What is the primary purpose of the OAuth2 protocol in modern applications?
Explanation: OAuth2 enables users to grant specific permissions to external applications without sharing their passwords. Encryption is a different security aspect, not OAuth2’s main role. Storing passwords in plain text is highly insecure. Measuring app performance is unrelated to OAuth2.
What does an 'access token' typically allow in an OAuth2 workflow?
Explanation: An access token is issued after authorization and is used to access protected resources as permitted by the user's grants. Creating accounts and password resets are separate processes and not related to access tokens. While security is a consideration, access tokens do not directly encrypt traffic.
In OAuth2, what is the primary purpose of a refresh token?
Explanation: A refresh token is specifically used to get a new access token without requiring the user to authenticate again. Email validation and terminating sessions are not functions of refresh tokens. Permissions changes are handled elsewhere in the system.
When a website asks for a username and password on a login form, which process is being performed?
Explanation: Requesting username and password serves to confirm a user’s identity, which is authentication. Authorization comes after, once the identity is verified. Ending a session or revoking tokens is not part of simply logging in.
If one user can edit a document while another user can only view it, what security principle is being applied?
Explanation: Giving different permissions to users is the essence of authorization. Authentication only identifies users, not what they’re allowed to do. Replication and session expiration are unrelated to access permissions.
In a typical security flow, which process usually occurs before the other: authentication or authorization?
Explanation: Users are first authenticated to confirm identity, then authorized to access resources. Authorization before authentication would not make sense, as the system doesn’t yet know who is accessing it. The two processes may be closely linked but are not simultaneous. Access typically requires at least one of the two processes, and usually both.
What happens if a user's session expires while accessing an application?
Explanation: Session expiration commonly logs the user out or removes authentication, requiring them to log in again. Automatic authorization is incorrect, as session expiry removes access. Passwords are not changed automatically. Application resets are unrelated to individual sessions.
Why is it risky to store authentication tokens in unsecured locations such as plain-text files?
Explanation: If tokens are easily accessible, malicious parties can use them to gain unauthorized access. Performance and data replication are not directly affected by storage location. While tokens do have expiration times, this is unrelated to why plain-text storage is unsafe.
During OAuth2 authorization, what is the purpose of the user consent screen?
Explanation: A consent screen shows which permissions the user is granting to an application. It does not request a password (that’s usually handled by authentication). Updating a session or choosing usernames is not the role of the consent screen in OAuth2.
Granting users only the access rights they need—no more, no less—is known as what?
Explanation: The principle of least privilege restricts users to the minimal permissions necessary for their work. Tokenization refers to the use of tokens, not permission control. Full trust is the opposite, granting all privileges. Session mirroring refers to duplicating sessions, unrelated to security rights.
What is a possible risk if an application has broken authorization mechanisms?
Explanation: Flaws in authorization can grant users undue access to protected data or actions. It doesn't typically prevent all logins unless authentication is also affected. Network traffic encryption is a separate feature, and displaying usernames in logs does not directly relate to authorization.