Test your knowledge of authentication, authorization, sessions, tokens, and OAuth2 basics with this beginner-friendly quiz. This quiz covers core concepts to help you distinguish between AuthN and AuthZ, understand sessions and tokens, and grasp essential OAuth2 terms and functionality.
Which process determines whether a user is permitted to access a specific resource after verifying their identity?
Explanation: Authorization checks a user's permissions and decides what resources they can access, coming after authentication has verified their identity. Authentication only verifies who the user is, not what they can do. 'Authenticaton' and 'Authentification' are common typos and are not correct technical terms in this context.
In a typical web application, what is the primary purpose of using a session after a successful login?
Explanation: Sessions primarily keep a user logged in by storing their authentication state on the server or client, allowing multiple interactions without re-authenticating. Sessions are not where authorization decisions are made; those are handled by separate role or permission checks. Sessions also do not handle application logs or directly encrypt traffic; those are separate functions.
What is the typical role of an access token in a token-based authentication system?
Explanation: An access token acts as digital proof of identity after login and is used by applications to decide whether a user can access resources. Access tokens do not store passwords, track analytics, or directly encrypt credentials; those functions are handled by different components or security measures.
In OAuth2, which grant type is commonly used by single-page applications (SPAs) or mobile apps when direct user login is required?
Explanation: Single-page applications or mobile apps typically use the Authorization Code Grant to securely obtain access tokens. The Resource Owner Password Grant is discouraged due to security risks and is less common today. The Refresh Token Grant is used for renewing access tokens, and the Client Credentials Grant is intended for application-to-application interactions without a user.
If a user logs in with their username and password and then tries to open an admin dashboard but is blocked, which process caused the denial?
Explanation: Authorization determines if the logged-in user has the proper permission to access the admin dashboard and blocks them if not. Authentication already happened during login, so it is not responsible for the denial at this stage. 'Authenticaton' is a misspelling, and session management maintains the user's state but does not decide access permissions.
Why do authentication tokens often include an expiration time?
Explanation: Expiration limits how long a leaked or stolen token remains valid, reducing security risks. Making the token larger does not enhance encryption on its own, and tokens are not meant to keep users logged in forever. Expiration also does not replace the need for ongoing authorization checks.
What problem does OAuth2 primarily solve in modern web applications?
Explanation: OAuth2 lets apps request access to user data from another service without exposing the user's real password, using tokens instead. Web server encryption, graphics processing, and hardware firewall management are not connected to OAuth2's primary purpose.
Where is session data most commonly stored to maintain user authentication in web applications?
Explanation: Session data is usually stored on the server (for security) or in cookies on the client that identify the user. Storing session information in passwords, graphics cards, or physical documents is not a secure or standard practice.
What is the main function of a refresh token in an OAuth2 system?
Explanation: A refresh token allows clients to request new access tokens automatically, so users do not need to log in again. Refresh tokens are not used to store passwords, encrypt database data, or improve download speeds.
Why is sending a token instead of a password considered safer when accessing protected resources?
Explanation: Transmitting tokens is safer because they can be set to expire soon and their access can be limited, which minimizes the harm if one is captured. Passwords are sensitive and usually grant full account access rather than limited permissions. Tokens have nothing to do with graphics, and, contrary to one of the distractors, passwords can indeed be phished.