Authentication vs Authorization simplified!

At least once in your lifetime you will have heard these two terms: Authentication and Authorization. Quite often you will have used them interchangeably as well. I myself have got them confused a lot of times but later used different real-world examples to make my understanding firm. I thought of sharing the same with you so that you can share it with others :)

For people who are really busy and want to understand the concept quickly, read the tl;dr below to save a bit of time.

TL; DR

Consider that you enter a party hosted by a VIP (say, Mr. X). You are 'authenticated' to enter when you have a valid invitation which was sent by Mr. X. And you are 'authorized' to sit on the stage, for example, if you are the chief guest or a speaker. So, authentication decides whether you are allowed to enter, and authorization decides whether you can perform a certain task or action after you are inside. Thank you for reading until now. If you are in a hurry, don't forget to follow for more such articles before you leave.

Now let's take a deeper look.

Most people who learn these two terms get confused quickly because they read some bad explanations or examples. But I promise that by the end of this article you will have a clear understanding of both terms and why they are needed.

Authentication

Let's try to understand the above example in a bit more detail. When Mr. X hosts a party, he is definitely not going to allow everyone to be a participant. Rather, he will select the most important people to be a part of it. Now, he is not going to stand outside the gate welcoming each and every one of them or verifying 'who you claim to be'. Rather, he will send some identification which you can use later to enter the party, like an invitation. So this invitation gives you the access to enter the party. This process is called authentication.

In the real world, we access lots of websites like social networks, mail systems, etc. Let's stick to the example of Facebook for simplicity. Now FB needs to determine whether it can allow you to access its product. Similar to the above example, the owner of FB cannot be physically present 24*7 near the machine to verify each and every one of us. Rather, there are certain mechanisms to verify the user. If you remember seeing the login page of Facebook, that's what it is.

When you want to enter FB you need to have access, similar to the invitation in the above example which Mr. X sent to allow you to enter the building. Likewise, in the case of FB, you need to have an account registered on their website, and once that's completed successfully, you can use credentials like username & password to enter.

Authorization

Authorization simply means the roles or privileges you have in a specific place. Authorization comes into play only after you are authenticated. In the above example of the VIP party, you cannot give a speech or be the chief guest while sitting on the road. Rather, you should enter the building first of all to be seated in the appropriate place. You need to be authenticated first; only then do your roles or privileges matter.

Likewise in FB, once you have logged in, you are allowed to perform certain actions based on your privileges. For example, once you have logged in to FB, you can create/delete/modify your own post, but you cannot remove someone from Facebook altogether (yeah, I can hear you, you can report someone but YOU don't remove them, right?). But Facebook can do it, because they are the boss (i.e. admin). They have the privilege to do so, i.e. the permission to do something more than you can.
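Here is the Facebook scenario above written out as code, as an added example that is not part of the original article: `authenticate` is the login page (who are you?), and `authorize` is the privilege check that only makes sense once login has succeeded (what may you do?). The users, passwords and posts are constructed sample data, and the function and role names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data. "alice" and "bob" are ordinary users; "admin"
# plays the role of Facebook itself, the boss who can remove someone.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)          # per-user salt, stored with the hash
    return {"salt": salt, "pw": _hash_password(password, salt), "role": role}

USERS = {
    "alice": _new_user("alice-pass", "user"),
    "bob":   _new_user("bob-pass", "user"),
    "admin": _new_user("admin-pass", "admin"),
}
POSTS = {1: {"owner": "alice", "text": "hello"}, 2: {"owner": "bob", "text": "hi"}}

def authenticate(username: str, password: str):
    """Authentication (the login page): prove who you are.
    Returns a session describing the user, or None if the credentials are bad."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw"]):   # constant-time compare
        return None
    return {"user": username, "role": user["role"]}

def authorize(session, action: str, post_id=None) -> bool:
    """Authorization: may this already authenticated user perform the action?
    Anything not explicitly allowed is denied."""
    if session is None:                      # not inside the building yet
        return False
    if action == "create_post":              # every logged-in user may post
        return True
    if action in ("modify_post", "delete_post"):
        post = POSTS.get(post_id)
        if post is None:
            return False
        # you may touch your own post; the admin may touch anyone's
        return post["owner"] == session["user"] or session["role"] == "admin"
    if action == "remove_user":              # only Facebook (admin) can do this
        return session["role"] == "admin"
    return False
```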

In each and every environment, the roles or privileges are assigned by someone who owns the product. In the above example it's Mr. X who decides who needs to be the chief guest or speaker, etc. You obviously cannot go to him directly and ask for these roles. It's Mr. X who decides on assigning a new chief guest or speaker.

You can similarly understand the same with the example of your own home. A person can enter your house only if you allow him inside; basically, you authenticate him. And not everyone who enters your home can perform all the actions. For example, your friend cannot do certain things which your dad or mom can do, because they are authorized to do such things. In other words, they have much more access and many more privileges.

You will have heard this statement at least once, 'Mei thera baap huun' (trans.: I am your dad) :).

Why is this needed?

By now you should have a clear understanding of the difference between authentication and authorization. Also, you will have got a slight understanding of why this is required.

This is basically used for security reasons. There is a clear-cut definition of who is allowed in and what they can do. For example, Mr. X decided who should be invited to the party and who should be the chief guest or speaker. He wouldn't want any random person to show up as speaker or chief guest and spoil the party.

Hence, authentication and authorization are here to avoid chaos and provide a seamless experience to users by guaranteeing a safe and secure environment.

Authentication and authorization are done in various different formats. We can learn about those in the next article.

Additional info

AuthN is short for Authentication and AuthZ is short for Authorization.

I hope it was a great read for you. Please do let me know your feedback and suggestions. Follow me on Twitter for more such updates.

twitter.com/AbuAbdullah_IN