Authentication vs. Authorization: Sessions, Tokens, and OAuth2 Concepts Quiz

Test your detailed understanding of the differences and interactions between authentication and authorization, including concepts around sessions, tokens, and the fundamentals of OAuth2.

  1. Distinguishing AuthN and AuthZ

    In a system where Alice successfully logs in with her password and then is denied access when trying to view admin reports, which process failed for her at the report viewing step?

    1. Authentization
    2. Authorization
    3. Authention
    4. Authentification
    5. Authentication
  2. Sessions vs. Tokens

    Which of the following best describes an access token in comparison to a session ID?

    1. A session ID contains complete user identity information, while an access token is only a random string.
    2. An access token is valid indefinitely, while session IDs automatically expire after one minute.
    3. An access token is typically stateless and self-contained, while a session ID references state stored on the server.
    4. An access token always requires a persistent database lookup, whereas a session ID never does.
    5. Both access tokens and session IDs are interchangeable in terms of validation and storage.
  3. AuthN and AuthZ Roles

    If a system uses a smart card to verify a user's identity and then checks their job title to grant resource access, how are authentication and authorization applied in this process?

    1. Both authentication and authorization are achieved by the smart card.
    2. The job title is responsible for authentication.
    3. Neither authentication nor authorization is applied.
    4. The smart card performs authentication; checking the job title implements authorization.
    5. Authorization comes first, and authentication follows.
  4. Token Scope in OAuth2

    What does the 'scope' parameter in an OAuth2 access token request define?

    1. The permissible actions or resources that the token holder can access
    2. The access log for a resource
    3. The expiration date of the token
    4. The authentication strength required
    5. The token encryption algorithm
  5. Bearer Tokens Security

    Why should bearer tokens be transmitted over secure channels such as HTTPS rather than HTTP?

    1. Bearer tokens require manual validation in HTTP
    2. Bearer tokens self-destruct if sent over HTTP
    3. HTTP cannot parse tokens with certain characters
    4. They can be intercepted and reused by unauthorized parties since possession of the token grants access
    5. Bearer tokens encrypt themselves only under HTTPS
  6. Resource Owner Role

    In the context of OAuth2, who or what is typically referred to as the 'resource owner'?

    1. The system process that issues tokens
    2. The entity that can grant access to a protected resource, usually the end-user
    3. The developer implementing the client application
    4. The server that stores the user's data
    5. The authentication middleware
  7. Impersonation vs. Delegation

    Which describes the concept of delegation in OAuth2 as opposed to impersonation?

    1. Delegation only applies to server-to-server communication.
    2. Both delegation and impersonation mean the same in OAuth2.
    3. Delegation allows a client to act on behalf of a user with the user's permission, whereas impersonation lets a client act as if it is the user without consent.
    4. Impersonation is safer because it uses refresh tokens exclusively.
    5. Impersonation always requires two-factor authentication.
  8. Expiration of Sessions and Tokens

    When considering session IDs and tokens, why is setting an expiration or lifetime important for security?

    1. A session or token cannot ever be invalidated without an expiration.
    2. It completely eliminates the risk of replay attacks.
    3. It makes tokens easier to memorize for users.
    4. It reduces the impact if a session or token is compromised by limiting its period of validity.
    5. Expiration is only required by legacy systems.
  9. Implications of Token Revocation

    What happens if an OAuth2 access token is revoked but a previously issued refresh token is still valid and held by the client?

    1. The access token will automatically restore itself.
    2. The client can obtain new access tokens until the refresh token itself expires or is revoked.
    3. Only the original access token remains usable, not new ones.
    4. All access and refresh tokens immediately self-destruct.
    5. The client can no longer ever access any resources.
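The lifecycle behind questions 4, 8 and 9 (scope checks, lifetimes, and what revoking an access token does and does not do to its refresh token) is easier to see in running code than in prose. The following is an added example, not part of the quiz and not the code of any real authorization server: a small in-memory issuer of opaque tokens. The class and method names, the client id "reports-dashboard", the user "alice", the scope strings and the lifetimes are all assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    kind: str          # "access" or "refresh"
    client_id: str     # client the token was issued to
    subject: str       # resource owner who granted access
    scope: frozenset   # granted scope values
    expires_at: float
    revoked: bool = False


class AuthServer:
    """Hypothetical in-memory authorization server issuing opaque tokens (illustration only)."""

    ACCESS_TTL = 300      # seconds; short, because a leaked bearer token is usable as-is
    REFRESH_TTL = 86400   # seconds; longer-lived, but only ever presented to the token endpoint

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}   # token string -> TokenRecord: the server-side state an opaque token points at

    def _mint(self, kind, client_id, subject, scope, ttl):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy; the string itself carries no information
        self._tokens[token] = TokenRecord(kind, client_id, subject, scope, self._clock() + ttl)
        return token

    def issue(self, client_id, subject, scope):
        """Issue an access/refresh pair after the resource owner granted `scope` to `client_id`."""
        scope = frozenset(scope)
        access = self._mint("access", client_id, subject, scope, self.ACCESS_TTL)
        refresh = self._mint("refresh", client_id, subject, scope, self.REFRESH_TTL)
        return access, refresh

    def _live(self, token, kind):
        rec = self._tokens.get(token)
        if rec is None or rec.kind != kind or rec.revoked or rec.expires_at <= self._clock():
            return None
        return rec

    def introspect(self, access_token):
        """What a resource server must ask about an opaque token (RFC 7662 shape)."""
        rec = self._live(access_token, "access")
        if rec is None:
            return {"active": False}
        return {"active": True, "sub": rec.subject, "scope": " ".join(sorted(rec.scope))}

    def authorize(self, access_token, required_scope):
        """Resource-server decision: a live token AND the required scope (authorization, not authentication)."""
        rec = self._live(access_token, "access")
        return rec is not None and required_scope in rec.scope

    def refresh(self, refresh_token, client_id):
        """Exchange a live refresh token for a fresh pair; the old refresh token is consumed (rotation)."""
        rec = self._live(refresh_token, "refresh")
        if rec is None or rec.client_id != client_id:
            return None
        rec.revoked = True
        return self.issue(rec.client_id, rec.subject, rec.scope)

    def revoke(self, token):
        """Revoke one token (RFC 7009 style). Revoking an access token leaves its refresh token untouched."""
        rec = self._tokens.get(token)
        if rec is None:
            return False
        rec.revoked = True
        return True


def demo():
    """Walk through the quiz scenarios on a controllable clock; returns the observations."""
    now = [1_700_000_000.0]           # fake clock so expiry is deterministic
    srv = AuthServer(clock=lambda: now[0])
    client = "reports-dashboard"      # hypothetical client id
    out = {}

    access, refresh = srv.issue(client, "alice", ["reports:read"])
    out["fresh_token_active"] = srv.introspect(access)["active"]
    out["read_allowed"] = srv.authorize(access, "reports:read")
    out["admin_denied"] = srv.authorize(access, "reports:admin")   # scope bounds what the holder may do

    srv.revoke(access)                                   # revoke only the access token
    out["revoked_token_active"] = srv.introspect(access)["active"]
    refreshed = srv.refresh(refresh, client)             # the untouched refresh token still works
    out["refresh_after_access_revoked"] = refreshed is not None
    new_access, new_refresh = refreshed
    out["old_refresh_reusable"] = srv.refresh(refresh, client) is not None   # rotated away

    now[0] += AuthServer.ACCESS_TTL + 1                  # lifetime bounds the damage window
    out["access_after_expiry_active"] = srv.introspect(new_access)["active"]
    srv.revoke(new_refresh)                              # revoking the refresh token ends the grant
    out["refresh_after_refresh_revoked"] = srv.refresh(new_refresh, client) is not None
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical point for an incident responder: revoking a single access token does not end the client's access; the refresh token (or, with rotation, its current successor) must be revoked too, which is why real servers typically revoke the whole grant when a refresh token is revoked.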
  10. Opaque vs. JWT Tokens

    Which statement accurately contrasts opaque tokens and JSON Web Tokens (JWT) in access control?

    1. JWTs can only be validated over secure TCP protocols.
    2. JWTs can carry claims about the user and be validated statelessly, whereas opaque tokens require server-side introspection for details.
    3. Opaque tokens are always longer than JWTs and can be decoded by anyone.
    4. JWTs include user passwords encrypted inside their payload.
    5. Only opaque tokens can be used for authentication, JWTs are for authorization only.
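Questions 2 and 10 turn on one distinction: a session ID is a random handle into server-side state, while a JWT carries its claims and is checked by signature alone. The following is an added example, not part of the quiz and not code from any JWT library: a minimal session store next to a minimal HS256 JWT minter/verifier built directly on hmac and base64. The class names, the user "alice", the role and scope strings and the lifetimes are assumptions made for illustration. The tamper and expiry cases show why the stateless design trades instant logout for not needing a lookup.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Server-side sessions: the cookie value is a random handle and all state lives here."""

    def __init__(self, clock=time.time, ttl=1800):
        self._clock, self._ttl = clock, ttl
        self._sessions = {}   # session id -> state; this dict is what makes sessions stateful

    def create(self, user, roles):
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy, no identity information inside
        self._sessions[sid] = {"user": user, "roles": set(roles), "exp": self._clock() + self._ttl}
        return sid

    def lookup(self, sid):
        """Every request costs a lookup, but that is also why logout takes effect immediately."""
        state = self._sessions.get(sid)
        if state is None or state["exp"] <= self._clock():
            self._sessions.pop(sid, None)
            return None
        return state

    def destroy(self, sid):
        return self._sessions.pop(sid, None) is not None


class JwtHs256:
    """Self-contained token: the claims travel inside and the signature alone vouches for them."""

    def __init__(self, key: bytes, clock=time.time):
        self._key, self._clock = key, clock

    def mint(self, claims, ttl=300):
        header = {"alg": "HS256", "typ": "JWT"}
        now = int(self._clock())
        payload = dict(claims, iat=now, exp=now + ttl)
        signing_input = ".".join(
            _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
        )
        sig = hmac.new(self._key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"

    def verify(self, token):
        """Validate with no store: pinned alg, constant-time MAC compare, exp check. Claims or None."""
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            if not isinstance(header, dict) or header.get("alg") != "HS256":
                return None   # never let the token choose the algorithm (alg=none, key confusion)
            expected = hmac.new(self._key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s)):
                return None
            payload = json.loads(_b64url_decode(p))
        except (ValueError, TypeError):
            return None
        if not isinstance(payload, dict) or payload.get("exp", 0) <= self._clock():
            return None
        return payload


def demo():
    """Contrast the two mechanisms on a fake clock; returns the observations."""
    now = [1_700_000_000.0]
    clock = lambda: now[0]
    out = {}

    sessions = SessionStore(clock=clock)
    sid = sessions.create("alice", ["viewer"])
    out["session_user"] = sessions.lookup(sid)["user"]
    sessions.destroy(sid)                                  # logout: server-side state is gone at once
    out["session_after_logout"] = sessions.lookup(sid)

    jwt = JwtHs256(key=secrets.token_bytes(32), clock=clock)
    token = jwt.mint({"sub": "alice", "scope": "reports:read"})
    out["jwt_scope"] = jwt.verify(token)["scope"]          # no lookup: the claim is inside the token
    h, p, s = token.split(".")                             # anyone can read a JWT, but not rewrite it
    forged_claims = dict(json.loads(_b64url_decode(p)), scope="reports:admin")
    forged_payload = _b64url(json.dumps(forged_claims, separators=(",", ":")).encode())
    out["forged_scope_accepted"] = jwt.verify(f"{h}.{forged_payload}.{s}") is not None
    # Caveat: there is nothing server-side to destroy, so a JWT stays valid until its exp passes.
    now[0] += 301
    out["jwt_after_expiry"] = jwt.verify(token)
    return out


if __name__ == "__main__":
    print(demo())
```

Two practitioner notes follow from the code: a JWT's payload is only base64url-encoded, so it must never carry secrets; and because nothing is consulted at verification time, short lifetimes (or a server-side denylist, which reintroduces state) are the only way to cut off a compromised JWT before it expires.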