Authorization and Authentication are two distinct concepts that are often used together but serve different purposes:
Authentication (Who are you?)
- Purpose: Verifies the identity of a user or system.
- Typical actions: Logging in with a username/password, biometric data, tokens, etc.
- Question answered: Is this person who they claim to be?
- Example: You enter your email and password to log into a website.
Authorization (What can you do?)
- Purpose: Determines what an authenticated user is allowed to do.
- Typical actions: Checking permissions, roles, access control lists (ACLs).
- Question answered: Is this person allowed to access this resource or perform this action?
- Example: You’re allowed to read your emails, but not access the admin panel.
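The two checks side by side, as an added example that is not part of the page above: `authenticate()` verifies a password against a salted hash (who are you?), `authorize()` consults a small role-based ACL plus an ownership rule (what can you do?), and `handle_request()` maps the two outcomes to the HTTP status codes that keep them apart, 401 versus 403. The accounts, passwords and ACL entries are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the store never holds plain-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}

# Constructed user store (hypothetical accounts and passwords, for illustration only).
USERS = {
    "alice@example.com": _make_user("correct horse", {"user"}),
    "root@example.com": _make_user("battery staple", {"user", "admin"}),
}
# Dummy record so unknown users cost the same as known ones (no timing oracle on account existence).
_DUMMY = _make_user("placeholder", set())

# ACL: (resource, action) -> roles allowed. Anything not listed is denied.
ACL = {
    ("mailbox", "read"): {"user", "admin"},
    ("admin_panel", "read"): {"admin"},
}

def authenticate(email: str, password: str) -> Optional[str]:
    """Authentication: is the caller who they claim to be? Returns the principal or None."""
    record = USERS.get(email, _DUMMY)
    candidate = _hash_password(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time comparison
    return email if ok and email in USERS else None

def authorize(principal: str, action: str, resource: str, owner: Optional[str] = None) -> bool:
    """Authorization: may this already-authenticated principal do this? Deny by default."""
    roles = USERS[principal]["roles"]
    if not roles & ACL.get((resource, action), set()):
        return False
    # Object-level rule: a mailbox is readable only by its owner, unless the caller is an admin.
    if owner is not None and owner != principal and "admin" not in roles:
        return False
    return True

def handle_request(email: str, password: str, action: str, resource: str, owner: Optional[str] = None) -> int:
    """Maps the two checks to the HTTP status codes that distinguish them: 401 vs 403."""
    principal = authenticate(email, password)
    if principal is None:
        return 401  # Unauthorized: identity not established
    if not authorize(principal, action, resource, owner):
        return 403  # Forbidden: identity known, action not permitted
    return 200
```

Note that `authorize()` never sees a password: by the time it runs, identity has already been settled, which is exactly the separation the two terms describe.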