Authentication vs Authorization
Authentication vs. Authorization
In simple terms:

- authentication is the process of verifying who a user is, or the user proving who they are, using a user id and password or some other way
- authorization is the process of verifying what they have access to, or ensuring that the user is permitted to perform an action
Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant, so they can authorize you to board your flight and allow access to the plane.
| Authentication | Authorization |
|---|---|
| Determines whether users are who they claim to be | Determines what users can and cannot access |
| Challenges the user to validate credentials (for example, through passwords, biometrics, authentication apps, one-time pins, answers to security questions) | Verifies whether access is allowed through policies and rules |
| Usually done before authorization | Usually done after successful authentication |
| Generally, transmits info through an ID Token | Generally, transmits info through an Access Token |
| Generally governed by the OpenID Connect (OIDC) protocol | Generally governed by the OAuth 2.0 framework |
| Example: Employees in a company are required to authenticate through the network before accessing their company email | Example: After an employee successfully authenticates, the system determines what information the employee is allowed to access |
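The following is an added example, not code from this page or from the Auth0 or Fortinet articles it links to. It turns the table's employee/email example into two separate checks: `authenticate` establishes who the caller is (password verification against a salted hash), and `authorize` decides what that identity may do (a role policy). The user store, the salts, the role names and the `handle_request` helper are constructed for the demo; the HTTP-style status codes follow the common convention that a failed authentication yields 401 and a failed authorization yields 403.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (never store plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password: str, roles: set[str]) -> dict:
    salt = os.urandom(16)  # per-user random salt
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "roles": roles}


# Constructed user store for the demo (assumption, not real accounts).
USERS = {
    "alice": _make_user("correct horse battery staple", {"employee"}),
    "bob": _make_user("hunter2", {"employee", "hr"}),
}

# Constructed authorization policy: (action, resource) -> roles permitted to do it.
POLICY = {
    ("read", "own_email"): {"employee", "hr"},
    ("read", "payroll"): {"hr"},
}

# Dummy salt used so that unknown user ids still cost one hash computation.
_DUMMY_SALT = b"constructed-dummy-salt-16b"


class AuthenticationError(Exception):
    """Credentials did not prove who the caller is."""


class AuthorizationError(Exception):
    """Caller is known but not permitted to perform the action."""


def authenticate(user_id: str, password: str) -> dict:
    """Authentication: verify WHO the caller is. Returns an identity on success."""
    record = USERS.get(user_id)
    salt = record["salt"] if record else _DUMMY_SALT
    candidate = _hash_password(password, salt)
    # Compare with a constant-time function and hash even for unknown users,
    # so timing does not reveal whether an account exists.
    expected = record["pw_hash"] if record else candidate[::-1]
    if record is None or not hmac.compare_digest(candidate, expected):
        raise AuthenticationError("invalid credentials")
    return {"sub": user_id, "roles": frozenset(record["roles"])}


def authorize(identity: dict, action: str, resource: str) -> bool:
    """Authorization: verify WHAT an authenticated identity may do."""
    allowed = POLICY.get((action, resource), set())
    if not identity["roles"] & allowed:
        raise AuthorizationError(f"{identity['sub']} may not {action} {resource}")
    return True


def handle_request(user_id: str, password: str, action: str, resource: str) -> int:
    """Run both checks in order and map the outcome to an HTTP-style status."""
    try:
        identity = authenticate(user_id, password)
    except AuthenticationError:
        return 401  # not authenticated: we do not know who this is
    try:
        authorize(identity, action, resource)
    except AuthorizationError:
        return 403  # authenticated, but not authorized for this action
    return 200


if __name__ == "__main__":
    print(handle_request("alice", "correct horse battery staple", "read", "own_email"))  # 200
    print(handle_request("alice", "correct horse battery staple", "read", "payroll"))    # 403
    print(handle_request("alice", "wrong password", "read", "own_email"))                # 401
```

The order matters: authorization is only evaluated once authentication has produced an identity, which is why a wrong password returns 401 even for a resource the user would otherwise be allowed to read, while a correct password for a resource outside the user's roles returns 403.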
Reading material
- Authentication vs. Authorization https://auth0.com/docs/get-started/identity-fundamentals/authentication-and-authorization
- Authentication vs Authorization: Key Differences https://www.fortinet.com/resources/cyberglossary/authentication-vs-authorization