Authorization is the process of granting a user, application, or server permission to access and modify resources on a system, and of verifying how that access is used.
Conventional authorization generally involves setting access control lists that dictate which users or user groups have access rights to specified resources. For cloud-based web apps, microservices, and IoT deployments, a more flexible and stateless approach to authorization can be built on JWT (JSON Web Tokens) or on an authorization framework such as OAuth 2.0.
In the context of third-party apps accessing an API, authorization is intimately tied to authentication and often entails the act of selectively granting a third-party application permission to access user data stored on another website or platform.
Given that users usually hold multiple accounts across various social and cloud apps (Facebook, Twitter, LinkedIn, etc.), integration between these apps requires a common authorization framework such as OAuth 2.0. This form of authorization is based on access tokens, which are exchanged between client applications and authorization servers and which remove the need to pass or store user credentials in plain sight.
The OAuth 2.0 framework is HTTP-based, supports Single Sign-On (SSO), and uses JWT (JSON Web Tokens) as the primary authentication and access method. OAuth 2.0 is also a popular choice for authorizing access to Microservices-based web apps and IoT devices.
For more fine-grained control over who gets to access what (e.g. in complex or mixed environments), OAuth 2.0 can also be combined with an authentication protocol such as OpenID, which provides user management and identity federation across multiple platforms.