Is there a difference between authentication and authorization?

There is indeed a fundamental difference. Authentication is the mechanism whereby systems may securely identify their users. Authentication systems seek to provide answers to the questions:

  • Who is the user?
  • Is the user really who they claim / represent to be?

Authorization, by contrast, is the mechanism by which a system determines what level of access a particular (authenticated) user should have to resources controlled by the system. For an example that may or may not be related to a web-based scenario, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

  • Is user X authorized to access resource R?
  • Is user X authorized to perform operation P?
  • Is user X authorized to perform operation P on resource R?

Steve Riley has written a quite good essay on why they must remain distinct.


Authentication refers to verifying an entity's identity. Authorization deals with what an authenticated entity is allowed to do (e.g. file permissions).


The main point is:

  • Authentication deals with user account validation. Is this a valid user? Is this user registered in our application?. e.g.: Login
  • Authorization deals with user access validation to certain feature. Does this user have the authorization/right to access this feature? e.g.: Claims, Roles

In my experience, Authentication usually refers to the more technical process, i.e. Authenticating a user (by checking login/password credentials, certificates etc), whereas Authorization is used more in the Business Logic of an application.

For example, in an application, a user might login and be authenticated, but not authorized to perform certain functions.

Tags:

Security