Published: June 21, 2022 • 2 min read
Authentication and authorization are two distinct concepts. Yet, I’ve found they’re sometimes used interchangeably.
In this post, I’d like to define these terms.
Authentication is verifying who someone is. Authorization is verifying what someone may access.
Authentication is the process of verifying who someone is.
Consider a person trying to enter an airport terminal. TSA says: “Who are you?” and the person presents an ID. TSA verifies it’s a legitimate ID and that the person presenting it is the person shown on the ID. When both are true, we call that person authenticated.
The web development analogy is logging into a website. A response when successful could be an HTTP status code of 200 (‘okay’), and unsuccessful could be a code of 403 (‘forbidden’).
Authorization is the process of verifying what someone may access.
Back to the airport: TSA checks the boarding pass. If it matches an upcoming flight at that airport, then the person is authorized to enter the terminal. In other areas, security might check that the person is an airline employee or TSA agent.
The web development analogy could be deleting a resource. I ask to delete an order, and the application checks that I am the owner of that order or an administrator. A response when successful could be an HTTP status code of 200 (‘okay’), and unsuccessful could be a code of 401 (‘unauthorized’).
That these two events can happen simultaneously creates much confusion. To authorize someone, you must also authenticate them, so that you can decide if they should have the access they seek. Yet they are distinct activities with different purposes.
✉️ Get better at programming by learning with me. Subscribe to Jake Worth's Newsletter for bi-weekly ideas, creations, and curated resources from across the world of programming. Join me today!
Blog of Jake Worth, software engineer in Maine.