I decided to write this small post up because I get AUTHentication and AUTHorization confused a lot and want to help make it more clear for anyone else struggling.
Authentication and authorization are two related words that are often used interchangeably, but mean different things and have very functionality within a system.
Authentication is the act of validating that users are who they claim to be.
Validating authenticity can be accomplished by having something physical like a key card, by having a user login with passwords or 2FA, utilizing Captcha tests, or even biometrics for a user.
Authentication is used in conjunction with authorization usually as it is important to authenticate that a user is who they say they are before giving the authorization.
Authorization is a process of giving a user permission to access a specific resource(s) or function(s).
Authorization levels are the difference between a general user and an admin user. An admin user will have more abilities that a general user and it is important to authorize the rolls properly to ensure general users don't accidently, or intentionally, harm a system.
Keep in mind that authentication is not 100% needed to gain authorization. This depends on the system and what information/abilities the systems has if it needs different levels of authorization and where authentication is needed.
Think about a blogging platform...
-Everyone should have access to read public posts.
-Users should need to authenticate themselves as users to post a blog and not post as someone else.
-Admins should need a different level of authorization, after they authentication themselves, to monitor the platform, the associated database, and its users activity.
In this case authentication is needed before authorization is given to ensure users can't post a blog as a different user and users can't modify things like admins.
- Security+ cert book
- Web Application Hackers Handbook