Is there a difference between authentication and authorization?

I see that these two terms are used rather ambiguously (especially in web scenarios, but I suppose this is not limited to them), and I was wondering whether there is a difference.

It seems to me that both of them mean that you are allowed to do what you do. So is it just nomenclature, or is there a fundamental difference in meaning?

+92
security
Jun 16 '11 at 6:20
15 answers

There really is a fundamental difference. Authentication is a mechanism by which systems can safely identify their users. Authentication systems strive to provide answers to questions:

  • Who is the user?
  • Is the user really who he or she claims to be?

Authorization, on the other hand, is a mechanism by which the system determines what level of access a particular (authenticated) user should have to resources controlled by the system. For an example that may or may not be related to a web scenario, a database management system can be designed to give certain specified individuals the ability to retrieve information from the database but not the ability to modify the data stored in it, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

  • Does user X have access to resource R?
  • Does user X have the right to perform operation P?
  • Is user X allowed to perform operation P on resource R?

Steve Riley wrote a pretty good essay on why they should stay different.

+134
Jun 16 '11 at 6:27

Authentication refers to object authentication. Authorization deals with permissions allowed for authentication (for example, file permissions).

+42
Jun 16 '11 at 6:23

The main thing:

  • Authentication involves verifying a user account. Is this a valid user? Is this user registered in our application? For example: Login
  • Authorization refers to checking user access to a specific function. Does this user have permission to access this function? For example: claims, roles

+12
Sep 30 '14 at 3:08

Authentication:

Authentication is the process of authenticating a user by obtaining certain credentials and using these credentials to authenticate the user. If the credentials are valid, the authorization process begins. The authentication process always goes into the authorization process.

Authorization:

Authorization is a process that allows authenticated users to access resources by checking if the user has access rights to the system. Authorization helps you control access rights by granting or denying certain permissions to an authenticated user.

+5
Nov 10 '16 at 12:17

In my experience, authentication usually refers to a more technical process, that is, to user authentication (by checking credentials for login / password, certificates, etc.), while authorization is more used in the business logic of the application.

For example, in an application, a user can log in and authenticate, but is not authorized to perform certain functions.

+2
Jun 16 '11 at 6:23

Authenticating a user to a website means verifying that the user is a valid user, that is, checking who they are by means of a username/password, certificates, etc. In general terms: this person is allowed to enter the building.

Authorization is the process of checking whether a user has rights/permissions to access certain resources or sections of a website, for example, in a CMS, whether a user is authorized to modify the contents of the website. In terms of the office building scenario, the user is allowed to enter the office network room.

+1
Jun 16 '11

If I can log in, my credentials are verified and I am AUTHENTICATED. If I can perform a specific task, then I am AUTHORIZED to do it.

+1
Jun 09 '15 at 6:03

Authentication verifies who you are, and authorization verifies what you are authorized to do. For example, you are allowed to log in to your Unix server through an ssh client, but you are not authorized to browse /data2 or any other filesystem. Authorization occurs after successful authentication.

+1
Mar 26 '16 at 21:21

Authentication verifies who you are, and authorization verifies what you are authorized to do. For example, you are allowed to log in to your Unix server through an ssh client, but you are not authorized to browse /data2 or any other filesystem. Authorization occurs after successful authentication.

0
Apr 25 '14 at 21:05

Authentication: checking who the user is.

For authentication, the user provides credentials, such as a username and password, and if the credentials are valid, the user receives a token, which can be sent with future requests as proof of their authentication.

Authorization: determining what the user is allowed to do.

From the user's point of view, successful authorization occurs when they can send a request to the system to do something (for example, upload a file), and it works.

Authentication only checks identity: it confirms that the user is who she claims to be. Authorization determines which resources a trusted user can access.

0
Dec 03 '15 at 5:10
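To make the split concrete, here is an added Python example (not code from any answer above) that implements the two mechanisms the top answer describes and the token flow the answer just above describes: `authenticate` answers "is this user really who they claim to be?" and issues a session token, while `authorize` answers "may user X perform operation P on resource R?" with that token. The usernames, passwords, policy table and resource name are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000
# Constructed credential store (not real accounts): username -> (salt, PBKDF2-SHA256 hash).
USERS = {}
# Constructed policy: the permitted (user X, operation P, resource R) triples.
# Alice may read and write the customers table, Bob may only read it.
POLICY = {
    ("alice", "read", "customers"),
    ("alice", "write", "customers"),
    ("bob", "read", "customers"),
}
# Session tokens issued by authenticate(): token -> authenticated username.
SESSIONS = {}
# Salt used to hash the password of an unknown username, so that "no such user" costs
# the same as "wrong password" and the login step does not reveal which accounts exist.
_DUMMY_SALT = secrets.token_bytes(16)


def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS))


def authenticate(username, password):
    """Authentication: is this user really who they claim to be?
    Returns a fresh session token on success, None on failure."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, b""))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison; an unknown user fails here too because stored is empty.
    if not hmac.compare_digest(candidate, stored):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def authorize(token, operation, resource):
    """Authorization: may the already-authenticated user perform P on R?
    Returns "unauthenticated" (HTTP 401), "forbidden" (HTTP 403) or "allowed"."""
    user = SESSIONS.get(token)
    if user is None:
        return "unauthenticated"
    if (user, operation, resource) not in POLICY:
        return "forbidden"
    return "allowed"


register("alice", "correct horse")
register("bob", "battery staple")
```

Bob's valid login followed by a write request is the case every answer above describes: authenticated, yet not authorized.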

Authentication

Authentication verifies who you are. For example, you can log in to your server using the ssh client or access your mail server using the POP3 client and SMTP.

Authorization

Authorization confirms what you are authorized to do. For example, you are allowed to log in to your server through an ssh client, but you are not authorized to browse /data2 or any other filesystem. Authorization occurs after successful authentication.

0
Dec 03 '15 at 5:24

Authorization is the process by which a server determines whether a client has permission to use a resource or access a file.

Authentication is used by the server when the server needs to know exactly who is accessing its information or site.

0
Dec 02 '16 at 3:20

A simple real-life example. If a student comes to school, the principal checks both authentication and authorization. Authentication: check the student's identification card to see whether he or she belongs to our school or not. Authorization: check whether the student has permission to work in the Computer Programming Laboratory or not.

0
Sep 15 '17 at 21:20

I tried to create an image to explain it in simple words.

1) Authentication means "Are you who you say you are?"

2) Authorization means "Should you do what you are trying to do?"

This is also described in the image below.


0
Apr 19 '18 at 10:57

Authentication:

It is the process of checking whether an identity is true or false. In other words, verifying that the user is truly who he claims to be.

Authentication Types:

  1. Username + password authentication
  2. Social Account Authentication
  3. Password Authentication
  4. Multi-factor authentication
  5. Fingerprint or retina authentication, etc.

OpenID is an open standard for authentication.

Authorization:

A technique that determines which resources are available to a user with a given identity or role.

OAuth is an open standard for authorization.

0
Nov 29 '18 at 11:39