Authentication versus Authorization
What's the difference in context of web applications? I see the abbreviation "auth" a lot. Does it stand fo开发者_如何学Gor auth-entication or auth-orization? Or is it both?
Authentication is the process of ascertaining that somebody really is who they claim to be.
Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorised to read.
The two concepts are completely orthogonal and independent, but both are central to security design, and the failure to get either one correct opens up the avenue to compromise.
In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, and authorization is when you look up in your access control whether you allow the user to view, edit, delete or create content.
In short, please. :-)
Authentication = login + password (who you are)
Authorization = permissions (what you are allowed to do)
Short "auth" is most likely to refer either to the first one or to both.
As Authentication vs Authorization puts it:
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions:
- Who is the user?
- Is the user really who he/she represents himself to be?
Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the datbase, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:
- Is user X authorized to access resource R?
- Is user X authorized to perform operation P?
- Is user X authorized to perform operation P on resource R?
See also:
- Authentication vs. authorization on Wikipedia
In User Context:
Authentication = Verifying the User is who he claims to be (you can technically verify a lot of different things like password, tax info, social security info, driver's license, fingerprints, or other biometrics ... but usually a username/password is sufficient)
Authorization = Permitting the User to do something (you can set up roles ['admin', 'seller', 'buyer'...] with permissions ['access control center', 'delete products'...] and give those roles to the users, then validate the user has a role that permits him to do an action)
Permissions have a direct relationship with CRUD operations, so if building a UI, you can list objects as rows, and checkboxes in 4 columns for Create, Read, Update, Delete of that object permission for any given role.
Like in my example above 'access control center' is a full Create, Read, Update, and Delete access of the control center object, while 'delete products' is Delete access for the products object.
Note: HTTP Authorization Header was intended as permission to access a resource, but really is used as an authentication for all resource access.
It is easier in my head and in my code to think of verification and permissions because the two words
- don't sound alike
- don't have the same abbreviation
- and actual implementation of authorization typically involves implementing Roles and Permissions
Authentication is verification and Authorization is checking permission(s). Auth can mean either, but is used more often as "User Auth" i.e. "User Authentication". A lot of times there is no explicit authorization implementation (roles and permissions), just the authentication is used to provide the authorization to do every available action. And so that is Auth.
The confusion is understandable, since the two words sound similar, and since the concepts are often closely related and used together. Also, as mentioned, the commonly used abbreviation Auth doesn't help.
Others have already described well what authentication and authorization mean. Here's a simple rule to help keep the two clearly apart:
- Authentication validates your Identity (or authenticity, if you prefer that)
- Authorization validates your authority, i.e. your right to access and possibly change something.
I have tried to create an image to explain this in the most simple words
1) Authentication means "Are you who you say you are?"
2) Authorization means "Should you be able to do what you are trying to do?".
This is also described in the image below.
I have tried to explain it in the best terms possible, and created an image of the same.
Authentication is the process of verifying the proclaimed identity.
- e.g. username/password
Usually followed by authorization, which is the approval that you can do this and that.
- e.g. permissions
Adding to @Kerrek's answer;
Authentication is Generalized form (All employees can login in to the machine )
Authorization is Specialized form (But admin only can install/uninstall the application in Machine)
Authentication is the process of verifying your log in username and password.
Authorization is the process of verifying that you can access to something.
Definitions
Authentication - Are you the person you claim to be?
Authorization - Are you authorized to do whatever it is you're trying to do?
Example
A web app uses Google Sign-In. After a user successfully signs in, Google sends back:
- A JWT token. This can be validated and decoded to get authentication information. Is the token signed by Google? What is the user's name and email?
- An access token. This authorizes the web app to access Google APIs on behalf of the user. For example, can the app access the user's Google Calendar events? These permissions depend on the scopes that were requested, and whether or not the user allowed it.
Additionally:
The company may have an admin dashboard that allows customer support to manage the company's users. Instead of providing a custom signup solution that would allow customer support to access this dashboard, the company uses Google Sign-In.
The JWT token (received from the Google sign in process) is sent to the company's authorization server to figure out if the user has a G Suite account with the organization's hosted domain (email@company.com)? And if they do, are they a member of the company's Google Group that was created for customer support? If yes to all of the above, we can consider them authenticated.
The company's authorization server then sends the dashboard app an access token. This access token can be used to make authorized requests to the company's resource server (e.g. ability to make a GET request to an endpoint that sends back all of the company's users).
Authentication | Authorization | |
---|---|---|
What does it do? | Verifies credentials | Grants or denies permissions |
How does it work? | Through passwords, biometrics, one-time pins, or apps | Through settings maintained by security teams |
Is it visible to the user? | Yes | No |
It is changeable by the user? | Partially | No |
How does data move? | Through ID tokens | Through access tokens |
For more detailed answere here is the reference: https://www.okta.com/identity-101/authentication-vs-authorization/
Authentication is the process of verifying the identity of an entity. For example
- Webserver asks the user to enter login/password every time to verify the user who created the account is the one accessing it now.
Authorization is the process of allowing the required amount of services/resources to each entity. For example
- On blogging site (eg. medium.com) users can create an account and write a post and publish. And users can read all posts published by others as well. Here the blogging server first authenticates the user with the user login credentials (login/password) and then it authorizes to read all others post and write/modify the post only created by the user. Here authorization is used by the server to limit which all post each user can modify.
- Users can create a free google account by which google server provides free services like mail, calendar, chat, drives etc. But the storage provided for all these services to free users are 15GB (as of now). User can pay a monthly or annual fee to google server to increase the storage space. Here google server authorizes every authenticated user to limit the amount of resource usage.
In today's internet authorization is used widely to apply access limiations on clients.
Authentication is the process of verifying the identity of a user by obtaining some sort of credentials for example his username password combination, and using those credentials to verify the user’s identity.
Authorization is the process of allowing an authenticated user to access his resources by checking whether the user has access rights to the system. You can control access rights by granting or denying specific permissions to an authenticated user. So, If the authentication was successful, the authorization process starts. Authentication process always proceeds to Authorization process.
JWT used for Authorization: JWT is a JSON based format of a security token which is basically a base64 url-encoded string which is used as a means of transferring secure content between two applications. They are used to secure request data in Web APIs. These are included in Authorization HTTP headers as part of the bearer authentication scheme.
OAuth is for authorization: OAuth is not an API or a service: it’s an open standard for authorization and anyone can implement it. With OAuth, you can log into third party websites with your Google, Facebook, Twitter or Microsoft accounts without having the necessity to provide your passwords. This way you can avoid creating accounts and remembering passwords on each and every web application that you use on the Internet.
Authentication and Authorization
Authentication
is a process of verification:
- user identity in a system(username, login, phone number, email...) by providing a proof (secret key, biometrics, sms...). Multi-factor authentication as an extension.
- email checking using
digital signature
[About] - checksum
Authorization
is the next step after Authentication
. It is about permissions/roles/privileges to resources. OAuth
(Open Authorization) is an example of Authorization
I found the analogy from this article really help me.
Consider a person walking up to a locked door to provide care to a pet while the family is away on vacation. That person needs:
- Authentication is in the form of a key. The lock on the door only grants access to someone with the correct key in much the same way that a system only grants access to users who have the correct credentials.
- Authorization is in the form of permissions. Once inside, the person has the authorization to access the kitchen and open the cupboard that holds the pet food. The person may not have permission to go into the bedroom for a quick nap.
So in short, authentication is about user identity while authorization is about user permission.
Imagine that you have registered for a tech conference. You arrive and walk up to the registration table outside to get your conference badge. You have to first show some form of identification, such as a driver's license. Your driver's license identifies you (with your picture, for example) and is distributed by a trusted entity (the DMV). This is authentication.
The person hands you your badge, which is red, blue, or green. Walking around inside the conference, some of the exhibits are color-coded. With a green badge, you can enter the green exhibits, but not the blue or red exhibits. The badge is not distributed by the DMV -- rather, it is distributed by the conference itself, to access conference resources inside the conference hall.
There is not necessarily anything about the badge that identifies you (it may have your name printed on it, but you can easily borrow your friend's blue badge to visit a blue exhibit -- nobody is going to check your name, just the color blue). The color of your badge grants you access to exhibits. This is authorization.
Authentication is the process where identify valid user.
Authorization is the process where validate user access level.
Example for a application User A, B both are authenticate user for Inventory application. Both user can access into Stock but B has some more authorize power for issue items.
精彩评论