As a developer, you have probably come across the terms authentication and authorization. Although they are related, they mean different things, and it is easy to confuse them if the basic idea behind each is not well understood.
To define them briefly: authentication answers the question 'Who are you?', while authorization answers the question 'What are you allowed to do?'.
Authentication can be defined as the process of verifying that a user is who they say they are.
Some common examples of authentication are:
- password authentication
- biometric authentication
- multi-factor authentication
Authorization is the process of allowing users to perform specific actions based on the permission(s) they have. A common example is role-based authorization, where different users are allowed to perform specific actions based on their role, for example user or admin.
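The two questions above map onto two separate checks in code. The following is an added example (not part of the original post) with a constructed in-memory user store and role table; the usernames, passwords, roles and action names are all made up for the illustration. It shows that passing authentication does not by itself grant authorization: `alice` can prove who she is but is still refused an admin-only action.

```python
import hashlib
import hmac
import os

# Constructed demo user store: salted PBKDF2 password hashes plus each user's role.
# In a real system this would live in a database; it is built inline so the example runs offline.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = os.urandom(16)
USERS = {
    "alice": {"hash": _hash_password("correct horse", _SALT), "role": "user"},
    "bob": {"hash": _hash_password("battery staple", _SALT), "role": "admin"},
}

# Role-based authorization: which actions each role is permitted to perform.
ROLE_PERMISSIONS = {
    "user": {"read_profile", "edit_own_profile"},
    "admin": {"read_profile", "edit_own_profile", "delete_user"},
}

def authenticate(username: str, password: str):
    """'Who are you?' Return the username if the credentials are valid, else None."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so unknown and known usernames take a similar amount of time.
        _hash_password(password, _SALT)
        return None
    # Constant-time comparison of the stored and freshly computed hashes.
    if hmac.compare_digest(record["hash"], _hash_password(password, _SALT)):
        return username
    return None

def authorize(username: str, action: str) -> bool:
    """'What are you allowed to do?' Check that the user's role grants the action."""
    role = USERS[username]["role"]
    return action in ROLE_PERMISSIONS.get(role, set())

def perform(username: str, password: str, action: str) -> str:
    """Run both checks in order: authentication first, then authorization."""
    user = authenticate(username, password)
    if user is None:
        return "authentication failed"
    if not authorize(user, action):
        return "forbidden"
    return "ok"
```

The `forbidden` outcome is the code equivalent of the authenticated passenger who is still not allowed to fly the plane.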
We can try to understand these concepts better with this scenario.
Before you board a plane, you have to show a means of identification along with your boarding pass to prove that you are who you say you are; this is authentication. The flight attendant verifies the details you give them, and if they match, you are allowed to board.
Once you have successfully boarded, you cannot tell a crew member that you would like to fly the plane, because as a passenger you are not allowed to. You do not have the permission, the authorization, to do so. Only an authorized pilot can.
So this explains the difference between authentication and authorization.