Authentication vs. Authorization
What Is Authentication?
Authentication is the act of validating that users (or services) are who they claim to be. It is normally the first step in any access-control flow, because every later decision depends on knowing who is asking.
What Is Authorization?
Authorization in system security is the process of granting a user or service permission to access a specific resource or perform a specific function. The term is often used interchangeably with access control or client privilege, although, as described below, the two are not quite the same thing.
Which Comes First, Authentication or Authorization?
Authentication and authorization both rely on identity. As you cannot authorize a user or service before identifying them, authentication always comes before authorization.
Access control vs. Authentication?
People often use the terms access control and authorization interchangeably. They overlap, but they are not identical: authorization defines the policy, that is, what a user or service may access and what they may do with it, while access control is the mechanism that enforces that policy at the point of access. Access control consults the authorization decision and then either grants or denies the request for a system or piece of data. In other words, authorization decides; access control enforces.
If we compare authentication and access control, the comparison between authentication and authorization still applies. Authentication verifies the identity of the user or service, and access control uses that verified identity to grant or deny access. A request that fails authentication is rejected before any access-control rule is consulted, because there is no identity to evaluate the rules against.
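The following Python sketch is an added example, not code from the original article. It puts the three pieces side by side: `authenticate` establishes an identity from credentials, `POLICY` and `authorize` hold the authorization decision, and `access` is the access-control enforcement point that calls them in the required order. The user store, passwords, roles, resources and policy entries are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed user store for the example (not real credentials).
# Passwords are kept as salted PBKDF2-HMAC-SHA256 hashes; roles are assigned per user.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, roles: set) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}

USERS = {
    "alice": _make_user("alice-correct-horse", {"engineer"}),
    "bob": _make_user("bob-battery-staple", {"engineer", "payroll"}),
}

@dataclass(frozen=True)
class Principal:
    """Identity established by authentication; the input to authorization."""
    username: str
    roles: frozenset

def authenticate(username: str, password: str) -> Optional[Principal]:
    """Authentication: check that the caller is who they claim to be.
    Returns a Principal on success and None on failure. The constant-time
    comparison avoids leaking hash bytes through timing."""
    record = USERS.get(username)
    if record is None:
        # Do the expensive hash anyway so an unknown user takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"]):
        return None
    return Principal(username, frozenset(record["roles"]))

# Authorization policy (constructed): which role may perform which action on which resource.
POLICY = {
    ("engineer", "source-repo", "read"),
    ("engineer", "source-repo", "write"),
    ("payroll", "salary-db", "read"),
}

def authorize(principal: Principal, resource: str, action: str) -> bool:
    """Authorization: decide whether an already-authenticated principal may act."""
    return any((role, resource, action) in POLICY for role in principal.roles)

def access(username: str, password: str, resource: str, action: str) -> str:
    """Access control: enforce the policy. Authentication runs first; without an
    identity there is nothing to authorize, so the request is rejected as 401
    rather than evaluated against the policy."""
    principal = authenticate(username, password)
    if principal is None:
        return "401 unauthenticated"
    if not authorize(principal, resource, action):
        return "403 forbidden"
    return "200 allowed"
```

Note the two distinct failure results: a bad credential yields 401 (the identity could not be established), while a valid credential for a user whose roles do not cover the request yields 403 (identity known, action not permitted). Keeping those separate is what makes the authentication and authorization layers independently testable.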
| Authentication | Authorization |
|---|---|
| Determines whether users are who they claim to be | Determines what users can and cannot access |
| Challenges the user to validate credentials (for example, passwords, answers to security questions, or facial recognition) | Checks whether the requested access is allowed by policies and rules |
| Usually done before authorization | Usually done after successful authentication |
| Generally conveys its result in an ID Token, which is addressed to the client application that requested the login | Generally conveys the grant in an Access Token, which is addressed to the API (resource server) being called |
| Generally governed by the OpenID Connect (OIDC) protocol | Generally governed by the OAuth 2.0 framework |
| Example: Employees in a company are required to authenticate through the network before accessing their company email | Example: After an employee successfully authenticates, the system determines what information the employee is allowed to access |
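The last rows of the table are where implementations most often go wrong: an ID token proves to the client that a user authenticated, an access token tells an API what the bearer may do, and each consumer must check that the token was addressed to it (the `aud` claim) rather than merely that the signature is valid. The following Python example is added here and is not from the original article or any real identity provider. It uses a toy compact token (base64url claims plus an HMAC-SHA256 tag under a single shared issuer key) purely to keep the example self-contained; real OIDC providers sign with asymmetric keys published via JWKS. The issuer, client identifier, API audience and scopes are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers and key for the example; the shared HMAC key is a simplification.
ISSUER = "https://idp.example"
ISSUER_KEY = b"example-issuer-key-not-for-production"
CLIENT_ID = "web-app-client"          # OIDC relying party: consumes ID tokens
API_AUDIENCE = "https://api.example"  # OAuth 2.0 resource server: consumes access tokens

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(claims: dict) -> str:
    """Mint a toy compact token: base64url(claims).base64url(HMAC-SHA256 over the claims)."""
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def issue_id_token(subject: str, now: int = None) -> str:
    """ID token (OIDC): tells the client who authenticated. aud is the client_id."""
    now = int(time.time()) if now is None else now
    return issue({"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                  "iat": now, "exp": now + 300, "email": f"{subject}@example.test"})

def issue_access_token(subject: str, scope: str, now: int = None) -> str:
    """Access token (OAuth 2.0): tells the API what the bearer may do. aud is the API."""
    now = int(time.time()) if now is None else now
    return issue({"iss": ISSUER, "sub": subject, "aud": API_AUDIENCE,
                  "scope": scope, "iat": now, "exp": now + 300})

def verify(token: str, expected_aud: str, now: int = None) -> dict:
    """Shared checks for any consumer: signature, issuer, expiry, and audience.
    Raises ValueError on failure; returns the claims otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected_sig = _b64url(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != expected_aud:
        # Valid signature is not enough: the token must have been minted for this consumer.
        raise ValueError(f"token not intended for {expected_aud}")
    return claims

def client_login(id_token: str) -> str:
    """Relying party: accept only tokens addressed to this client, then learn who the user is."""
    return verify(id_token, CLIENT_ID)["sub"]

def api_request(access_token: str, required_scope: str) -> str:
    """Resource server: accept only tokens addressed to this API, then enforce scope."""
    try:
        claims = verify(access_token, API_AUDIENCE)
    except ValueError as exc:
        return f"401 {exc}"
    if required_scope not in claims.get("scope", "").split():
        return "403 insufficient_scope"
    return f"200 ok for {claims['sub']}"
```

The interesting case is an ID token presented to the API: its signature verifies, it is unexpired and from the right issuer, yet `api_request` still returns 401 because the audience is the client, not the API. Symmetrically, the client refuses an access token as proof of login. Both checks cost one string comparison and remove an entire class of token-confusion bugs.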