DEV Community

Discussion on: Are Websites and Web Applications Different?

Masao Yoshida

I hadn't thought that authentication would separate web apps from websites.
By the way, I will attach a more detailed description of authentication and authorization from .

In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.
Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant, so they can authorize you to board your flight and allow access to the plane.

Differences between authentication and authorization:

  • Authentication determines whether users are who they claim to be, while authorization determines what users can and cannot access.
  • Authentication challenges the user to validate credentials (for example, through passwords, answers to security questions, or facial recognition), while authorization verifies whether access is allowed through policies and rules.
  • Usually, authentication is done before authorization, while authorization is done after successful authentication.
  • Generally, authentication transmits info through an ID Token, while authorization transmits info through an Access Token.
  • Generally, authentication is governed by the OpenID Connect (OIDC) protocol, while authorization is governed by the OAuth 2.0 framework.

For example, employees in a company are required to authenticate through the network before accessing their company email, and after an employee successfully authenticates, the system determines what information the employees are allowed to access.

In short, access to a resource is protected by both authentication and authorization. If you can't prove your identity, you won't be allowed into a resource. And even if you can prove your identity, if you are not authorized for that resource, you will still be denied access.

I would appreciate it if this comment could help your understanding even a little.
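As an added illustration (not part of Masao Yoshida's comment), here are the two gates described above in Python: authentication checks a credential against a constructed user store, and authorization consults a constructed role policy only after that succeeds, so a wrong password and a missing role are refused at different points. All usernames, passwords, roles and resource names are made up for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed user store: username -> PBKDF2 hash of the password.
# A fixed salt keeps the example deterministic; real systems use a
# random per-user salt and never keep passwords in source code.
_SALT = b"constructed-fixed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("alice-pw"), "bob": _hash("bob-pw")}

# Constructed authorization policy: roles each user holds, and the role
# each resource requires. These rules are consulted only after identity
# has been proven, matching the order described in the comment.
ROLES = {"alice": {"employee", "finance"}, "bob": {"employee"}}
REQUIRED_ROLE = {"company-email": "employee", "payroll-report": "finance"}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified identity, or None if the credentials are wrong."""
    stored = USERS.get(username)
    if stored is None:
        _hash(password)  # hash anyway so unknown users cost the same time
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(stored, _hash(password)):
        return None
    return username


def authorize(identity: str, resource: str) -> bool:
    """Decide whether an already-authenticated identity may use resource."""
    needed = REQUIRED_ROLE.get(resource)
    return needed is not None and needed in ROLES.get(identity, set())


def access(username: str, password: str, resource: str) -> str:
    """Both gates in order: first prove who you are, then what you may do."""
    identity = authenticate(username, password)
    if identity is None:
        return "401 unauthenticated"  # identity could not be proven
    if not authorize(identity, resource):
        return "403 forbidden"  # identity proven, but not permitted here
    return f"200 {identity} -> {resource}"
```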