AuthN vs AuthZ: Understanding API Security Fundamentals Quiz

Test your knowledge of the differences between authentication and authorization in APIs, including sessions, tokens, OAuth2 basics, and common testing scenarios.

  1. Distinguishing AuthN from AuthZ

    In the context of an API that checks a user's password before granting access, what type of mechanism is this?

    1. Access Granting
    2. Audit Control
    3. Authentization
    4. Authentication
    5. Authorization
  2. Purpose of Authorization

    When an API restricts a user to only view, but not edit, specific data, what security principle is being enforced?

    1. Authentication
    2. Auditing
    3. Authorization
    4. Allowance
    5. Authentification
  3. Sessions in APIs

    Which of the following best describes a session in API authentication processes?

    1. A user’s access control list
    2. A method of authorizing user roles
    3. A type of password reset mechanism
    4. A permanent storage of user credentials
    5. A temporary state maintained to identify a user after login
  4. Token Usage

    What is the main purpose of using tokens in API security?

    1. To validate email addresses
    2. To initiate session timeouts
    3. To encrypt API endpoints
    4. To permanently store passwords in transit
    5. To identify a user and confirm their identity across requests
  5. OAuth2: Roles Explained

    In OAuth2 flows, what does the term 'resource owner' typically refer to?

    1. The user who grants access to their data
    2. An encryption algorithm
    3. An application’s administrator
    4. The API gateway
    5. The server hosting a website
  6. Testing Authentication Failures

    When testing API authentication, what is a common case to check?

    1. Submitting incorrect credentials to verify access is denied
    2. Sending repeated POST requests to the same URL
    3. Requesting non-existent endpoints
    4. Checking the server's IP address
    5. Measuring response time after authentication
  7. Authorization Test Case Example

    If an unauthorized user attempts to access another user's private data, which outcome demonstrates proper authorization control?

    1. The response contains a list of all users
    2. The application forcefully logs out all users
    3. The API redirects the user to a homepage
    4. The API generates a random error message
    5. The API returns a forbidden or unauthorized response
  8. Session Expiry Scenario

    What is the intended behavior when an API session token expires?

    1. The user must re-authenticate to continue
    2. The API automatically upgrades user privileges
    3. The session remains valid indefinitely
    4. The password is updated in the background
    5. The system deletes user data irreversibly
  9. OAuth2 Grant Types

    Which grant type in OAuth2 is commonly used by applications to directly obtain an access token using a user's credentials?

    1. Implicit
    2. Resource Owner Password Credentials
    3. Authorization Code
    4. Refresh
    5. Client Credentials
  10. Mixing Up Terms

    Which of the following describes the difference between authentication (AuthN) and authorization (AuthZ) in APIs?

    1. Authorization checks user passwords, while authentication assigns roles
    2. Authorization requires passwords, while authentication does not
    3. Authentication encrypts data, while authorization decrypts it
    4. Authentication is only for administrators, while authorization is for users
    5. Authentication verifies identity, while authorization determines access levels