
What's the difference in context of web applications? I see the abbreviation "auth" a lot. Does it stand for auth-entication or auth-orization? Or is it both?

daGrevis
  • remember this: authentication checks credentials, authorization checks permissions. – Onur Yıldırım Apr 23 '17 at 16:10
  • Cross-site duplicate: https://serverfault.com/q/57077/ – Kyll Jan 09 '19 at 18:11
  • Recently for the abbreviations I've seen `authn` for authentication and `authz` for authorization – jdf Jan 15 '19 at 18:32
  • Does this answer your question? [Is there a difference between authentication and authorization?](https://stackoverflow.com/questions/6367865/is-there-a-difference-between-authentication-and-authorization) – paxdiablo Apr 21 '20 at 12:43

14 Answers


Authentication is the process of ascertaining that somebody really is who they claim to be.

Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorized to read.

The two concepts are completely orthogonal and independent, but both are central to security design, and the failure to get either one correct opens up the avenue to compromise.

In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, and authorization is when you look up in your access control whether you allow the user to view, edit, delete or create content.

Nick Craver
Kerrek SB
  • The definitions seem fine, but they certainly do not seem to be independent. As defined, does not **authorization** also _imply_ **authentication**? How can you allow Adam's database delete operation if you doubt that he _is_ Adam? Put differently, if Adam's delete operation is authorized, most hopefully that implies that Adam is authenticated. – Timo Oct 20 '17 at 12:11
  • @Timo: An application will presumably want to do both, but they're orthogonal concepts regardless. Your boss could be reviewing the staff's authorizations to access critical components of the business, the company jet and the beer fridge without any concern for which particular individual on the CCTV feed matches the names in the spreadsheet. The latter would be the security guard's concern. – Kerrek SB Oct 20 '17 at 12:25
  • The concepts are definitely orthogonal. Authentication is not necessarily proving your identity. It could be proving a claim about yourself e.g. age. When you drink, you authenticate your age by showing an ID. Then you may be authorized to drink depending on your age and the jurisdiction you are in (you can drink if >21 in the US, >18 in Europe) – David Brossard Nov 17 '18 at 19:48
  • @DavidBrossard But how can you do comparisons on the age unless you know that is, in fact, his age? In other words, what good is authorization without authentication? How would you have checked his drinking age without first requiring him to authenticate himself? – Sinjai Feb 27 '19 at 22:26
  • @Sinjai: I think the point is that those are orthogonal concerns, though, and they can be addressed by separate facilities: e.g. the (trusted) bouncer at the door can establish the client's age, and different services inside the establishment can have different age limits, but will all use the value they got from the bouncer to make admission decisions. – Kerrek SB Feb 28 '19 at 19:09
  • Another way to look at it (in the context of the barroom example) would be to consider that authentication is the process of matching the photo on the ID card to the person standing in front of you, whereas authorization is the process of validating that their age meets legal requirements. In my opinion, the element in this mix that causes the lines to be blurred is that both tests must also be both cognizant of and hardened against forgery (is the ID a fake?), which most people tend to view as a concern of authentication only rather than equally important to both auth-c and auth-z certification. – Ryan Hansen May 31 '19 at 17:19
  • I agree with @Timo here. Given these examples, I don't see how authorization has any practical meaning without authentication. Saying "we don't allow people under 21 to drink at this establishment" is fine, but you can't actually apply that rule without talking about a specific person, which requires authentication. – d512 Jan 19 '20 at 00:38
  • On the other hand, imagine a scenario in which you have absolute trust that nobody will lie about their identity. So when a user logs in they just type "jsmith123" without a password or any form of authentication and the system happily lets them in knowing they are who they say they are. So there is no authentication but they still may need to be authorized so they don't perform tasks they aren't allowed to perform. So I guess that's a scenario where authorization exists without authentication...hm...¯\_(ツ)_/¯ – d512 Jan 19 '20 at 01:18
  • Think that you work in a place where you need a plastic card pass to get in. I could steal your pass and still be authorized to open doors that you are authorized to open. But the authentication failed, because some guard should at least compare my face with the photo on the plastic card pass. – DiSaSteR May 14 '20 at 12:02
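
The answer's two checks side by side, as an added example (not code from the post): `authenticate()` verifies the credentials carried in an HTTP Basic `Authorization` header and returns a principal; `authorize()` consults only the access-control data for that principal. The user store, salts, passwords and the `db:*` permission names are constructed for the example; the names and rights follow the answer (Adam may create and delete, Usama may only read).

```python
import base64
import binascii
import hashlib
import hmac

def _pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store (not from the post): salt, PBKDF2 hash of a constructed
# password, and the permission set. Names and rights follow the answer's example.
_USERS = {
    "adam":  {"salt": b"s1", "hash": _pw_hash(b"s1", "adam-secret"),
              "perms": {"db:read", "db:create", "db:delete"}},
    "usama": {"salt": b"s2", "hash": _pw_hash(b"s2", "usama-secret"),
              "perms": {"db:read"}},
}

def basic_header(user: str, password: str) -> str:
    """The HTTP Authorization header a client sends for Basic auth (it carries credentials)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(authorization_header: str):
    """Authentication: is the caller who the header claims? Returns the verified username or None."""
    scheme, _, payload = authorization_header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(payload, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    record = _USERS.get(user)
    if record is None:
        _pw_hash(b"dummy", password)  # spend the same time for unknown users: no username oracle
        return None
    if not hmac.compare_digest(record["hash"], _pw_hash(record["salt"], password)):
        return None
    return user

def authorize(user: str, action: str) -> bool:
    """Authorization: may this already-authenticated principal do the action? Looks only at ACL data."""
    return action in _USERS.get(user, {}).get("perms", set())

def handle_request(authorization_header: str, action: str) -> int:
    """HTTP status a handler would return: 401 not authenticated, 403 not authorized, 200 both passed."""
    user = authenticate(authorization_header)
    if user is None:
        return 401
    return 200 if authorize(user, action) else 403
```

The distinct 401 and 403 outcomes are the practical face of the orthogonality: Usama with a correct password is authenticated yet still refused `db:delete`.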

In short, please. :-)

Authentication = login + password (who you are)

Authorization = permissions (what you are allowed to do)

Short "auth" is most likely to refer either to the first one or to both.

Geo
  • Sweet like a piece of Cake :) – devansvd Feb 13 '18 at 11:36
  • I like this, short and sweet. – King Dec 14 '18 at 13:27
  • Then I still don't understand why an [HTTP Authorization header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization) carries authentication information… Isn't that unfortunate naming? – Jens Apr 16 '19 at 15:54
  • @Jens Short answer: yes. Roy Fielding didn't know better at that time... ;-) – Per Lundberg Nov 01 '19 at 20:30
  • @Jens I'm wondering that too. I find [this answer's](https://stackoverflow.com/a/2617167/5959593) intuition helpful. As HTTP is *stateless*, authentication info must be sent along with every request, not just the starting and the closing requests (like establishing a secure session and sending requests without auth in between). Therefore, that request header should be *authorization*, because it almost always carries other intentions (fetch data, img, ...), not *solely authentication*. – Minh Nghĩa Dec 22 '19 at 19:51
  • Just keep in mind that authentication can be done in a lot of ways other than username and password, such as fingerprints, facial recognition, SMS, etc. Thinking about it in those terms makes you realize that a password is actually kind of a weird way to authenticate someone. It assumes that you are the only person in the world that knows or could know your password. So if you know the password you must be who you say you are. Kind of a leap if you ask me. – d512 Jan 19 '20 at 00:42

As Authentication vs Authorization puts it:

Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:

  • Who is the user?
  • Is the user really who he/she represents himself to be?

Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

  • Is user X authorized to access resource R?
  • Is user X authorized to perform operation P?
  • Is user X authorized to perform operation P on resource R?

See also:

iGEL
Sebastian Paaske Tørholm


I prefer Verification and Permissions to Authentication and Authorization.

It is easier in my head and in my code to think of "verification" and "permissions" because the two words

  • don't sound alike
  • don't have the same abbreviation

Authentication is verification and Authorization is checking permission(s). Auth can mean either, but is used more often as "User Auth" i.e. "User Authentication"

Aditya Mittal
  • IMHO verification seems to have a slightly more open scope than authentication; even though authentication seems to be some kind of verification, not every verification is an authentication... so I would say a context is always needed: user access verification etc. Authentication seems always to happen in the field of "is he really the guy/machine?" (hit me if I'm wrong, not a native speaker, but: "verify" the INFORMATION provided is accurate vs. authentication seems to have something to do with knowing the person/machine is the one he/it pretends to be) – Beachwalker Feb 17 '16 at 17:02


The confusion is understandable, since the two words sound similar, and since the concepts are often closely related and used together. Also, as mentioned, the commonly used abbreviation Auth doesn't help.

Others have already described well what authentication and authorization mean. Here's a simple rule to help keep the two clearly apart:

  • Authentication validates your Identity (or authenticity, if you prefer that)
  • Authorization validates your authority, i.e. your right to access and possibly change something.
Kjartan


I have tried to create an image to explain this in the most simple words

1) Authentication means "Are you who you say you are?"

2) Authorization means "Should you be able to do what you are trying to do?".

This is also described in the image below.

I have tried to explain it in the best terms possible, and created an image of the same.

Rohit Ailani


Authentication is the process of verifying the proclaimed identity.

  • e.g. username/password

Usually followed by authorization, which is the approval that you can do this and that.

  • e.g. permissions
Jakub Truhlář


Adding to @Kerrek's answer:

Authentication is the generalized form (all employees can log in to the machine).

Authorization is the specialized form (but only the admin can install/uninstall the application on the machine).

Boobalan
  • The word "can" only applies to Authorization. Authentication has little or nothing to do with logging in. I could very well Authenticate that you are Boobalan in many ways (Not just username/password). Once I authenticate and know who you are, I could very well NOT Authorize you to log in, or do anything on my site. You are Authenticated, but you can't do diddley-squat. It's confusing and incorrect to use the word "can" when talking about Authentication. – Suamere Mar 20 '15 at 13:51


Authentication is the process of verifying your login username and password.

Authorization is the process of verifying that you can access something.


Definitions

Authentication - Are you the person you claim to be?

Authorization - Are you authorized to do whatever it is you're trying to do?

Example

A web app uses Google Sign-In. After a user successfully signs in, Google sends back:

  1. A JWT token. This can be validated and decoded to get authentication information. Is the token signed by Google? What is the user's name and email?
  2. An access token. This authorizes the web app to access Google APIs on behalf of the user. For example, can the app access the user's Google Calendar events? These permissions depend on the scopes that were requested, and whether or not the user allowed it.

Additionally:

The company may have an admin dashboard that allows customer support to manage the company's users. Instead of providing a custom signup solution that would allow customer support to access this dashboard, the company uses Google Sign-In.

The JWT token (received from the Google sign in process) is sent to the company's authorization server to figure out if the user has a G Suite account with the organization's hosted domain (email@company.com)? And if they do, are they a member of the company's Google Group that was created for customer support? If yes to all of the above, we can consider them authenticated.

The company's authorization server then sends the dashboard app an access token. This access token can be used to make authorized requests to the company's resource server (e.g. ability to make a GET request to an endpoint that sends back all of the company's users).

jabacchetta

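The two steps of the dashboard scenario above, as an added example (not code from the answer or from Google): `authenticate_token()` checks the sign-in token's signature, issuer, audience and expiry before trusting any claim, and `authorize_dashboard()` then applies the hosted-domain and support-group rule. To stay self-contained the example assumes an HS256 token with a shared secret in place of Google's RS256 keys, and `make_token()` stands in for the identity provider; the domain, group membership and all claim values are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT; stands in for the identity provider (Google really uses RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def authenticate_token(token: str, secret: bytes, issuer: str, audience: str, now: int):
    """Authentication: is the token genuinely from the issuer, meant for us, and unexpired?
    Returns the verified claims or None; the signature is checked before any claim is read."""
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm other than the one we pinned
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims

# Constructed authorization data: the hosted domain and the support-group membership
# that the company's authorization server would consult.
HOSTED_DOMAIN = "company.com"
SUPPORT_GROUP = {"alice@company.com"}

def authorize_dashboard(claims: dict) -> bool:
    """Authorization: an authenticated user may use the support dashboard only if they
    belong to the company's hosted domain and to the support group."""
    return claims.get("hd") == HOSTED_DOMAIN and claims.get("email") in SUPPORT_GROUP
```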

Authentication is a process of verification:

  • user identity in a system(username, login, phone number, email...) by providing a proof (secret key, biometrics, sms...). Multi-factor authentication as an extension.
  • email checking using digital signature[About]
  • checksum

Authorization is the next step after authentication. It is about permissions/roles/privileges to resources. OAuth (Open Authorization) is an example of authorization.

yoAlex5


I found that the analogy from this article really helped me.

Consider a person walking up to a locked door to provide care to a pet while the family is away on vacation. That person needs:

  • Authentication is in the form of a key. The lock on the door only grants access to someone with the correct key in much the same way that a system only grants access to users who have the correct credentials.
  • Authorization is in the form of permissions. Once inside, the person has the authorization to access the kitchen and open the cupboard that holds the pet food. The person may not have permission to go into the bedroom for a quick nap.

So in short, authentication is about user identity while authorization is about user permission.

NearHuscarl


Imagine that you have registered for a tech conference. You arrive and walk up to the registration table outside to get your conference badge. You have to first show some form of identification, such as a driver's license. Your driver's license identifies you (with your picture, for example) and is distributed by a trusted entity (the DMV). This is authentication.

The person hands you your badge, which is red, blue, or green. Walking around inside the conference, some of the exhibits are color-coded. With a green badge, you can enter the green exhibits, but not the blue or red exhibits. The badge is not distributed by the DMV -- rather, it is distributed by the conference itself, to access conference resources inside the conference hall.

There is not necessarily anything about the badge that identifies you (it may have your name printed on it, but you can easily borrow your friend's blue badge to visit a blue exhibit -- nobody is going to check your name, just the color blue). The color of your badge grants you access to exhibits. This is authorization.

Jim Flood


Authentication is the process where a valid user is identified.

Authorization is the process where the user's access level is validated.

Example for an application: users A and B are both authenticated users of an Inventory application. Both users can access Stock, but B has some more authorized power to issue items.