Is there a difference between authentication and authorization?

Security Problem Overview

I see these two terms bandied about quite a bit (specifically in web-based scenarios but I suppose it's not limited to that) and I was wondering whether or not there was a difference.

It appears to me that they both mean you're allowed to be doing what you're doing. So is this just a nomenclature thing, or is there a basic difference in meaning?

Security Solutions

Solution 1 - Security

There is indeed a fundamental difference. Authentication is the mechanism whereby systems may securely identify their users. Authentication systems seek to provide answers to the questions:

  • Who is the user?
  • Is the user really who they claim to be / represent themselves to be?

Authorization, by contrast, is the mechanism by which a system determines what level of access a particular (authenticated) user should have to resources controlled by the system. For an example that may or may not be related to a web-based scenario, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

  • Is user X authorized to access resource R?
  • Is user X authorized to perform operation P?
  • Is user X authorized to perform operation P on resource R?

Steve Riley has written quite a good essay on why they must remain distinct.
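The two question sets above map onto two separate checks in code. The following is an added illustration for this answer, not code from the original post: a request handler that first establishes who the caller is (password verification against a salted PBKDF2 hash) and only then consults a permission table, so that a correctly authenticated user can still be refused an operation, mirroring the DBMS read-but-not-write example. The usernames, passwords, roles, permission table and PBKDF2 round count are constructed assumptions for the demo.

```python
# Added example (not from the original answer): authentication and
# authorization kept as two distinct checks. All users, passwords, roles and
# permissions below are constructed sample data.
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: demo setting, tune for real deployments


class AuthenticationError(Exception):
    """The caller could not prove who they are."""


class AuthorizationError(Exception):
    """The (verified) caller is not allowed to do this."""


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, password hash, role)
USERS: Dict[str, Tuple[bytes, bytes, str]] = {}


def add_user(name: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    USERS[name] = (salt, hash_password(password, salt), role)


add_user("alice", "correct horse battery staple", "analyst")
add_user("bob", "hunter2", "dba")

# Constructed permission table: role -> set of (operation, resource) it may perform.
# Mirrors the answer's DBMS example: analysts may only read, DBAs may also write.
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("read", "orders")},
    "dba": {("read", "orders"), ("write", "orders"), ("read", "audit_log")},
}

# Dummy salt so an unknown username costs the same time as a wrong password.
_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> str:
    """Answer 'who is the user?': return the verified principal or raise."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # keep timing uniform
        raise AuthenticationError("invalid credentials")
    salt, stored, _role = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        raise AuthenticationError("invalid credentials")
    return username


def authorize(principal: str, operation: str, resource: str) -> None:
    """Answer 'is user X authorized to perform P on R?' for an already verified principal."""
    role = USERS[principal][2]
    if (operation, resource) not in PERMISSIONS.get(role, set()):
        raise AuthorizationError(f"{principal} may not {operation} {resource}")


def handle_request(username: str, password: str, operation: str, resource: str) -> str:
    """Authentication first, then authorization; neither check substitutes for the other."""
    principal = authenticate(username, password)
    authorize(principal, operation, resource)
    return f"{operation} {resource} as {principal}: ok"


def outcome(username: str, password: str, operation: str, resource: str) -> str:
    """Collapse the three possible results of a request into a label."""
    try:
        handle_request(username, password, operation, resource)
        return "ok"
    except AuthenticationError:
        return "not authenticated"
    except AuthorizationError:
        return "not authorized"


if __name__ == "__main__":
    for case in [("alice", "correct horse battery staple", "read", "orders"),
                 ("alice", "correct horse battery staple", "write", "orders"),
                 ("bob", "hunter2", "write", "orders"),
                 ("alice", "wrong", "read", "orders"),
                 ("mallory", "anything", "read", "orders")]:
        print(case[0], case[2], case[3], "->", outcome(*case))
```

Note that the two failure modes are deliberately distinguishable to the server but not to the client: a wrong password and an unknown username both produce the same "invalid credentials" error and take the same amount of work, while an authorization failure is only ever reported for a caller who has already proved who they are.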

Solution 2 - Security

Authentication refers to verifying an entity's identity. Authorization deals with what an authenticated entity is allowed to do (e.g. file permissions).

Solution 3 - Security

The main point is:

  • Authentication deals with user account validation. Is this a valid user? Is this user registered in our application? e.g.: Login
  • Authorization deals with user access validation for a certain feature. Does this user have the authorization/right to access this feature? e.g.: Claims, Roles

Solution 4 - Security

In my experience, Authentication usually refers to the more technical process, i.e. authenticating a user (by checking login/password credentials, certificates, etc.), whereas Authorization is used more in the Business Logic of an application.

For example, in an application, a user might login and be authenticated, but not authorized to perform certain functions.

Solution 5 - Security

Authenticating a user on a website means that you verify that this user is a valid user, that is, verifying who the user is using a username/password or certificates, etc. In common terms: is the person allowed to enter the building?

Authorization is the process of verifying if the user has rights/permission to access certain resources or sections of a website; for example, if it's a CMS, is the user authorized to change the content of the website? In terms of the office building scenario: is the user allowed to enter the network room of the office?

Solution 6 - Security

If I can log in, my credentials are verified and I am AUTHENTICATED. If I can perform a particular task, I am AUTHORIZED to do so.

Solution 7 - Security

Authentication verifies who you are and Authorization verifies what you are authorized to do. For example, you are allowed to log in to your Unix server via an ssh client, but you are not authorized to browse /data2 or any other file system. Authorization occurs after successful authentication.

Solution 8 - Security

Compared to the rest of the responses, which try to explicitly specify the definition or technology, I'll submit that an example can be more valuable.

Here's an article that makes a great analogy to a passport versus a lock and key:

> When speaking about authentication (also called AuthN), think about identity. Authentication tries to answer “is this person who they say they are?” It’s a software equivalent of a passport or national ID check. Or to put it in more realistic terms, authentication is a similar process to that moment when you look at another person’s face to recognize that this is your friend from college and not your annoying second floor neighbor.

> On the other hand, authorization (also called AuthZ) is all about permissions. Authorization answers a question “what is this person allowed to do in this space?” You can think of it as your house key or office badge. Can you open your front door? Can your annoying neighbor enter your apartment at will? And more, once in your apartment, who can use the toilet? Who can eat from your secret stash of cookies tucked away in your kitchen cupboard?

Solution 9 - Security

Authentication verifies who you are and Authorization verifies what you are authorized to do. For example, you are allowed to log in to your Unix server via an ssh client, but you are not authorized to browse /data2 or any other file system. Authorization occurs after successful authentication.

Solution 10 - Security

Authentication: verifying who a user is.

To authenticate, the user provides credential information such as a username and password and if the credentials are valid, the user receives a token that can be sent in with future requests as verification of her authentication.

Authorization: determining what a user is allowed to do.

From the user’s perspective, a successful authorization takes place when she is able to send a request to access a system and do something (such as upload a file in the system) and it works.

Authentication only verifies identity—it confirms that a user is who she claims to be. Authorization determines which resources a verified user can access.
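The token flow this answer describes, as an added illustration that is not code from the original answer: after the credentials have been verified, the server issues an HMAC-signed token carrying only the subject and an expiry; every later request presents the token, the server re-checks the signature and expiry to re-establish who the caller is, and only then looks up what that subject may do (the upload example from the answer). The signing key, the users, the permission table and the fixed timestamps are constructed assumptions for the demo, and the token format is a minimal hand-rolled one rather than any particular standard.

```python
# Added example (not from the original answer): an HMAC-signed session token
# issued once after authentication and verified on each subsequent request.
# Signing key, permissions and timestamps are constructed for the demo.
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Set

SIGNING_KEY = b"demo-only-signing-key"  # assumption: in production, load from a secret store
TOKEN_TTL_SECONDS = 900

# Constructed permission table, consulted at request time rather than baked into
# the token, so a revoked right takes effect immediately, not at token expiry.
PERMISSIONS: Dict[str, Set[str]] = {"alice": {"upload", "download"}, "bob": {"download"}}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: int) -> str:
    """Run once, after authentication succeeded: bind subject and expiry under an HMAC."""
    claims = {"sub": subject, "exp": now + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the authenticated subject, or None if the token is malformed, forged or expired."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None  # check the signature before trusting any claim
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    subject = claims.get("sub")
    return subject if isinstance(subject, str) else None


def handle_request(token: str, action: str, now: int) -> str:
    """Authentication (verify the token) and then authorization (permission lookup)."""
    subject = verify_token(token, now)
    if subject is None:
        return "401 not authenticated"
    if action not in PERMISSIONS.get(subject, set()):
        return f"403 {subject} not authorized to {action}"
    return f"200 {action} by {subject}"


def forge_token(victim_token: str, attacker_token: str) -> str:
    """Splice the victim's claims onto the attacker's signature; the HMAC check rejects it."""
    return victim_token.split(".")[0] + "." + attacker_token.split(".")[1]


if __name__ == "__main__":
    now = 1_700_000_000
    alice = issue_token("alice", now)
    bob = issue_token("bob", now)
    print(handle_request(alice, "upload", now + 5))
    print(handle_request(bob, "upload", now + 5))
    print(handle_request(alice, "upload", now + TOKEN_TTL_SECONDS))
    print(handle_request(forge_token(alice, bob), "upload", now + 5))
```

The point to take from the example is the split of responsibilities: the token is the proof of authentication and nothing else, so a 401 means "we do not know who you are" (bad signature, expired, malformed), while a 403 is only ever returned to a caller whose identity has been established and is simply not permitted the action.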

Solution 11 - Security

Authentication

Authentication verifies who you are. For example, you can log in to your server using the ssh client, or access your email server using the POP3 and SMTP client.

Authorization

Authorization verifies what you are authorized to do. For example, you are allowed to log in to your server via an ssh client, but you are not authorized to browse /data2 or any other file system. Authorization occurs after successful authentication.

Solution 12 - Security

Authorization is a process by which the server determines if the client has permission to use a resource or access a file.

Authentication is used by a server when the server needs to know exactly who is accessing its information or site.

Solution 13 - Security

Simple real-life example: if a student comes to school, the principal checks Authentication and Authorization. Authentication: check the student's ID card, i.e. whether he or she belongs to our school or not. Authorization: check whether the student has permission to sit in the Computer Programming Lab or not.

Solution 14 - Security

I have tried to create an image to explain this in the most simple words

  1. Authentication means "Are you who you say you are?"

  2. Authorization means "Should you be able to do what you are trying to do?".

This is also described in the image below.

[image not reproduced]

Solution 15 - Security

Authentication:

It is the process of validating whether an identity is true or false. In other words, verifying that a user is indeed the one he or she claims to be.

Authentication types:

  1. Username + password type of authentication
  2. Authentication using social accounts
  3. Passwordless authentication
  4. Multifactor authentication
  5. Fingerprint- or retina-based authentication, etc.

OpenID is an open standard for authentication.

Authorization

The technique that determines which resources are accessible to a user with a given identity or role.

OAuth is an open standard for authorization.

Solution 16 - Security

Authentication: An application needs to know who is accessing the application. So authentication is related to the word "who". The application will check it by a login form. The user will enter a user name and password, and these inputs will be validated by the application. Once the validation is successful, the user is declared as authenticated.

Authorization is checking whether the user can access the application or not, or what the user can and cannot access. Source: Authentication Vs Authorization

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | paxdiablo | View Question on Stackoverflow
Solution 1 - Security | Michael Foukarakis | View Answer on Stackoverflow
Solution 2 - Security | jpm | View Answer on Stackoverflow
Solution 3 - Security | Moch Yusup | View Answer on Stackoverflow
Solution 4 - Security | nageeb | View Answer on Stackoverflow
Solution 5 - Security | Aziz Shaikh | View Answer on Stackoverflow
Solution 6 - Security | Puneet Pandey | View Answer on Stackoverflow
Solution 7 - Security | Bmw | View Answer on Stackoverflow
Solution 8 - Security | Warren Parad | View Answer on Stackoverflow
Solution 9 - Security | vinit payal | View Answer on Stackoverflow
Solution 10 - Security | Smrity | View Answer on Stackoverflow
Solution 11 - Security | Bilali Hamisi | View Answer on Stackoverflow
Solution 12 - Security | Shankar Ghimire | View Answer on Stackoverflow
Solution 13 - Security | sambhu | View Answer on Stackoverflow
Solution 14 - Security | Rohit Ailani | View Answer on Stackoverflow
Solution 15 - Security | Steffi Keran Rani J | View Answer on Stackoverflow
Solution 16 - Security | rahulnikhare | View Answer on Stackoverflow