authentication airport analogy blog #3792
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kmaida
reviewed
Jun 27, 2025
Contributor
kmaida
left a comment
kmaida
left a comment
There was a problem hiding this comment.
I only reviewed the analogy itself; not an editorial review.
| - The client application is the airport. | ||
| - The Authorization Server is the TSA (Transportation Security Administration). If you are from outside of the United States, you can just think of this as airport security. The airline is also considered part of the authorization server here because they are the ones that issue the boarding pass. | ||
| - The Access Token is the boarding pass. | ||
| - The resource server is the gate your plane leaves from. |
Contributor
There was a problem hiding this comment.
Isn't the resource server the airplane itself? You can get to the gate without a boarding pass, but you can't board the plane without a pass.
|
|
||
| - The user is represented by you (a traveler). | ||
| - The client application is the airport. | ||
| - The Authorization Server is the TSA (Transportation Security Administration). If you are from outside of the United States, you can just think of this as airport security. The airline is also considered part of the authorization server here because they are the ones that issue the boarding pass. |
Contributor
There was a problem hiding this comment.
+Passport is like a password or auth factor. It's a thing you use to authenticate (i.e., prove you are who you say you are)
|
|
||
| You (the user) wake up early, caffeinate appropriately, and head to the airport. You've got a destination in mind, let's say maybe beautiful Colorado. You can't just show up and expect to walk straight onto a plane. First, you interact with the airport, our stand-in for the client application. The airport is the one coordinating the trip on your behalf. They know which flight you're taking, what time you need to check in, and where to direct you. They manage the process of getting you to your destination. | ||
|
|
||
| When it's time to go through security, the airport directs you to the TSA, which represents the authorization server in our metaphor. This is the critical gatekeeper responsible for verifying your identity. Behind the scenes, the airport has agreed to trust the TSA. You hand over your credentials, usually a government-issued ID and your boarding pass. You can think of the boarding pass as your requested scopes for access to the gates. The TSA doesn't care which airline you flew with last week, they just want to validate that you are you, and that you're permitted to travel. |
Contributor
There was a problem hiding this comment.
Maybe specify that this process is authentication.
|
|
||
| When it's time to go through security, the airport directs you to the TSA, which represents the authorization server in our metaphor. This is the critical gatekeeper responsible for verifying your identity. Behind the scenes, the airport has agreed to trust the TSA. You hand over your credentials, usually a government-issued ID and your boarding pass. You can think of the boarding pass as your requested scopes for access to the gates. The TSA doesn't care which airline you flew with last week, they just want to validate that you are you, and that you're permitted to travel. | ||
|
|
||
| Once you pass that check, TSA has verified that you are you and you can proceed to the restricted resource. In this case the gates. The analogy breaks down a bit here as the boarding pass now becomes our metaphorical access token and was issued by the airlines and not the TSA. For the purpose of this analogy, We'll lump the TSA and the airline check-in counter into one metaphorical group we'll call 'security & validation.' Together, they handle verifying your identity, issuing your pass, and ensuring you're legit to board. The combination could even be considered multi-factor authentication. In the real authentication flow the authentication server would issue a JWT, which is the actual token used in the authentication flow. This token contains information about who you are, where you're going, and what you're allowed to access. Maybe you're seated in economy or maybe you've got gold status and access to all the snacks and reclining chairs. That's encoded in the token. It's signed, tamper-proof, and TSA doesn't need to follow you around anymore. They trust the pass to do the job. |
Contributor
There was a problem hiding this comment.
I don't think the analogy breaks down. What happens is authentication and then the first level of authorization.
Check-in: authentication (prove you are who you say you are; passport is an authentication factor, in this particular analogy)
Security: authorization 1 (access into the secured area of the airport)
Boarding: authorization 2 (access to the plane)
| import AuthenticationCodeFlow from 'src/diagrams/blog/authorization-airport-analogy/authentication-code-flow.astro'; | ||
| import AirportCodeFlow from 'src/diagrams/blog/authorization-airport-analogy/authentication-code-flow-airport-analogy.astro'; | ||
|
|
||
| Many blogs on authentication and authorization are often very technical in nature. Recently, at an event dedicated to real world ID, I was pondering the connection between the authorization flows and the real world. After talking with someone who was not technical but well versed in real world applications of identity, I tried to explain the authorization flow in a real world example he may be able to more easily understand. I think I came up with a pretty good analogy. (In all honesty, the one I came up with initially was pretty terrible. After thinking about it a bit, I came up with this one that I think is good.) Hopefully if you're not technical or into authentication, this will give you a basic understanding of the flow. If you are technical, this can give you a way to explain what you do to your family and friends at the next holiday gathering. |
Contributor
There was a problem hiding this comment.
To be honest, the whole analogy could fit into a couple of sentences. I'd remove most of this intro, as it's setup that isn't particularly relevant to the message you want the reader to take away.
Contributor
|
@mark-robustelli can you please give this PR a better name than "initial commit" :) |
mark-robustelli
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.