Authentication vs. Authorization

Sources:


Overview

About

This note covers the difference between two related but distinct terms: authentication and authorization.

While often used interchangeably, authentication and authorization represent fundamentally different functions. In this article, we compare and contrast the two to show how they protect applications in complementary ways.

What are authentication and authorization?

In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.

Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant, so they can authorize you to board your flight and allow access to the plane.

Authentication vs. authorization

Here’s a quick overview of the differences between authentication and authorization:

| Authentication | Authorization |
| --- | --- |
| Determines whether users are who they claim to be | Determines what users can and cannot access |
| Challenges the user to validate credentials (for example, through passwords, answers to security questions, or facial recognition) | Verifies whether access is allowed through policies and rules |
| Usually done before authorization | Usually done after successful authentication |
| Generally transmits information through an ID Token | Generally transmits information through an Access Token |
| Generally governed by the OpenID Connect (OIDC) protocol | Generally governed by the OAuth 2.0 framework |
| Example: employees in a company are required to authenticate through the network before accessing their company email | Example: after an employee successfully authenticates, the system determines what information the employee is allowed to access |

In short, access to a resource is protected by both authentication and authorization. If you can’t prove your identity, you won’t be allowed into a resource. And even if you can prove your identity, if you are not authorized for that resource, you will still be denied access.
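The two-step check described above, as an added example that is not part of the original note: a small resource server first authenticates a caller by verifying a signed token (who are you?), then authorizes the request against a scope policy (what may you do?), so an unverifiable credential and a verified-but-unpermitted caller are rejected for different reasons. The signing key, the subjects `alice` and `bob`, and the `mail:*` scopes are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder signing key shared by the token issuer and the resource server.
SECRET = b"example-signing-key-not-for-real-use"

# Authorization policy (constructed sample data): the scopes each subject has been granted,
# and the scope each (resource, action) pair requires.
GRANTS = {"alice": {"mail:read", "mail:send"}, "bob": {"mail:read"}}
REQUIRED_SCOPE = {("mail", "read"): "mail:read", ("mail", "send"): "mail:send"}


def mint_token(subject: str) -> str:
    """Stand-in for an identity provider: issue an HMAC-signed token asserting a subject."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode())
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(sig).decode()


def authenticate(token: str):
    """Authentication: verify the token and return the subject it names, or None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checking does not leak timing information.
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))["sub"]
    except (ValueError, KeyError, TypeError):
        # Malformed token, bad base64/JSON, or missing "sub": treat as unauthenticated.
        return None


def authorize(subject: str, resource: str, action: str) -> bool:
    """Authorization: pure policy lookup on an already-verified subject."""
    needed = REQUIRED_SCOPE.get((resource, action))
    return needed is not None and needed in GRANTS.get(subject, set())


def handle_request(token: str, resource: str, action: str) -> int:
    """Return an HTTP-style status: 401 if not authenticated, 403 if not authorized, else 200."""
    subject = authenticate(token)
    if subject is None:
        return 401  # identity could not be proven
    if not authorize(subject, resource, action):
        return 403  # identity proven, but the policy does not allow this access
    return 200
```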

Resources


Appendix

Note created on 2024-05-01 and last modified on 2024-05-01.


(c) No Clocks, LLC | 2024