Jake Worth

Authentication and authorization are two distinct concepts. Yet, I’ve found they’re sometimes used interchangeably.

In this post, I’d like to define these terms.

Authentication is verifying who someone is. Authorization is verifying what someone may access.

Authentication

Authentication is the process of verifying who someone is.

Consider a person trying to enter an airport terminal. TSA says: “Who are you?” and the person presents an ID. TSA verifies it’s a legitimate ID and that the person presenting it is the person shown on the ID. When both are true, we call that person authenticated.

The web development analogy is logging into a website. A response when successful could be an HTTP status code of 200 (‘okay’), and unsuccessful could be a code of 403 (‘forbidden’).

Authorization

Authorization is the process of verifying what someone may access.

Back to the airport: TSA checks the boarding pass. If it matches an upcoming flight at that airport, then the person is authorized to enter the terminal. In other areas, security might check that the person is an airline employee or TSA agent.

The web development analogy could be deleting a resource. I ask to delete an order, and the application checks that I am the owner of that order or an administrator. A response when successful could be an HTTP status code of 200 (‘okay’), and unsuccessful could be a code of 401 (‘unauthorized’).

Wrapping Up

• Authentication: “Who are you?”
• Authorization: “Are you allowed to create, read, update, or delete this?”

That these two events can happen simultaneously creates much confusion. To authorize someone, you must also authenticate them, so that you can decide if they should have the access they seek. Yet they are distinct activities with different purposes.

What are your thoughts on this? Let me know!