Auth
Authentication vs Authorization
Authentication is responsible for verifying a user's identity, while authorization is for determining their rights and access level. These processes happen sequentially: first the system makes sure who you are, then it decides what you are allowed to do.
Authentication
- Goal: confirm user identity.
- Verifies credentials: login, password, token, certificate, biometrics.
- Result: creation of a session or issuance of a token.
- Example: entering login and password on the login page.
- Answers the question: "Who are you?"
Authorization
- Goal: determine the access level of the user.
- Verifies roles, rights, or access policies.
- Decides which data and actions are available.
- Example: only an administrator can delete a user.
- Answers the question: "What are you allowed to do?"
Key Differences
| Criterion | Authentication | Authorization |
|---|---|---|
| Purpose | Confirmation of identity | Determination of access rights |
| Process Stage | Performed first | Follows after authentication |
| Result | User identified | User granted permissions |
| Verified via | Login, password, token | Roles, rights, policies |
| Visibility to user | Usually explicit (login form) | Often implicit (limited functionality) |
Example
- A user logs in using email and password → authentication.
- The system determines that they have the `editor` role and allows them to edit articles but not delete them → authorization.
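The two-step flow described above (and in the Authentication/Authorization sections), as an added worked example that is not part of the original page: `authenticate()` verifies a password against a salted PBKDF2 hash and issues a session token; `authorize()` then checks the identified user's role against a permission table. The user store, the `editor`/`admin` roles, the `article:*` action names and the credentials are all constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# --- Constructed in-memory user store (example only, not a real application) ---
# Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, never in plaintext.

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "role": role}

USERS: Dict[str, dict] = {
    "alice@example.com": make_user("correct horse battery staple", "editor"),  # constructed
    "root@example.com": make_user("hunter2-but-much-longer", "admin"),         # constructed
}

# --- Authorization policy: which roles may perform which actions on articles ---
PERMISSIONS = {
    "admin": {"article:read", "article:edit", "article:delete"},
    "editor": {"article:read", "article:edit"},   # can edit, cannot delete
    "viewer": {"article:read"},
}

# session token -> email of the authenticated user
SESSIONS: Dict[str, str] = {}

def authenticate(email: str, password: str) -> Optional[str]:
    """Step 1 ("Who are you?"): verify the credential.

    Returns a fresh session token on success, None on failure. The hash is
    computed even for unknown users so response time does not reveal which
    e-mail addresses exist.
    """
    user = USERS.get(email)
    salt = user["salt"] if user else b"\x00" * 16
    expected = user["pw_hash"] if user else b"\x00" * 32
    candidate = _hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    if user is None or not hmac.compare_digest(candidate, expected):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token

def authorize(token: Optional[str], action: str) -> bool:
    """Step 2 ("What are you allowed to do?"): check the user's role.

    Runs only against an established session; an unknown or missing token is
    denied, so authorization never happens without prior authentication.
    """
    if token is None:
        return False
    email = SESSIONS.get(token)
    if email is None:
        return False
    role = USERS[email]["role"]
    return action in PERMISSIONS.get(role, set())

def demo() -> Dict[str, bool]:
    """Replays the page's example: alice logs in as an editor."""
    results = {}
    results["wrong_password_rejected"] = authenticate("alice@example.com", "wrong") is None
    token = authenticate("alice@example.com", "correct horse battery staple")
    results["login_ok"] = token is not None
    results["editor_can_edit"] = authorize(token, "article:edit")
    results["editor_cannot_delete"] = authorize(token, "article:delete")
    results["no_session_denied"] = authorize("not-a-real-token", "article:read")
    return results

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The important design point is the ordering the page describes: `authorize()` takes a session token, not an e-mail, so a caller cannot reach the permission check without first passing `authenticate()`. Permissions are looked up from the role stored server-side, never from anything the client sends.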