What is the difference between authentication and authorization?
Authentication and authorization are distinct but interdependent security processes, with authentication verifying an entity's identity and authorization determining what that authenticated entity is permitted to access or do. Authentication acts as the initial gate, establishing *who* you are through the presentation and validation of credentials, such as a username and password, a biometric scan, or a security token. This process creates a trusted identity for the session. Authorization follows, functioning as the rule engine that dictates *what* that now-trusted identity is allowed to perform within a system. It is the mechanism that enforces policies, checking permissions against an access control list or a role-based policy to grant or deny specific requests for resources or actions. The fundamental difference is that authentication is about proving identity, while authorization is about granting permissions to that proven identity.
The technical mechanisms for each process are typically separate. Authentication systems often rely on protocols such as SAML, Kerberos, or OpenID Connect (which is built on top of OAuth 2.0; OAuth 2.0 itself, despite its name, is primarily an authorization framework for delegation) to validate credentials against an identity store. A successful authentication event usually results in a security token or session identifier. Authorization then uses this token, alongside the request context, to make access decisions. This can be implemented through role-based access control (RBAC), where permissions are tied to job functions; attribute-based access control (ABAC), which evaluates attributes of the user, the resource, and the environment; or simpler access control lists (ACLs) attached to individual objects. The authorization layer is what prevents an authenticated user in the "customer" role from accessing an administrative API endpoint, even though their identity is perfectly valid.
In practical application, a failure in either process compromises security, but the implications differ. A broken authentication mechanism allows impersonation and full system compromise from the outset, as an attacker can assume any identity. A flawed authorization model, however, can lead to privilege escalation, where a legitimate, low-privilege user can perform unauthorized actions, such as horizontal movement (accessing another user's data) or vertical movement (gaining administrative rights). Modern architectures often decouple these functions; a central identity provider (IdP) handles authentication, issuing standardized tokens to various applications, which then independently evaluate those tokens for authorization based on their own internal policies. This separation is critical for scalable, maintainable security in distributed systems, ensuring that a single, robust authentication service can feed into numerous, context-specific authorization schemes across different domains and applications.
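The decoupling described above, as an added example that is not part of the original answer: a constructed identity provider issues an HMAC-signed token (authentication), and a separate policy layer makes RBAC and ownership decisions on that token (authorization). The failure modes from the last paragraph map to distinct responses: a bad token is 401, while a valid "customer" identity reaching an admin action (vertical) or another user's order (horizontal) is 403. The secret, roles, and order data are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: key shared by the demo IdP and the app

# Constructed identity provider: after the user proves WHO they are, issue a signed token.
def issue_token(subject: str, roles: list) -> str:
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject, "roles": roles}).encode())
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()
    return (payload + b"." + sig).decode()

# Authentication: verify the token is genuine. This says nothing about WHAT is allowed.
def authenticate(token: str) -> Optional[dict]:
    try:
        payload, sig = token.encode().split(b".", 1)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    return json.loads(base64.urlsafe_b64decode(payload))

# Authorization policy (constructed): role permissions plus per-object ownership.
ROLE_PERMS = {
    "customer": {"order:read", "order:create"},
    "admin": {"order:read", "order:create", "user:list"},
}
ORDERS = {"o-1": "alice", "o-2": "bob"}  # order id -> owner

def authorize(identity: dict, action: str, order_id: Optional[str] = None) -> bool:
    perms = set().union(*(ROLE_PERMS.get(r, set()) for r in identity.get("roles", [])))
    if action not in perms:
        return False  # vertical escalation attempt: role lacks the permission
    if order_id is not None and "admin" not in identity["roles"]:
        return ORDERS.get(order_id) == identity["sub"]  # horizontal: must own the object
    return True

# Request handler: authentication gate first, then the authorization rule engine.
def handle(token: str, action: str, order_id: Optional[str] = None) -> int:
    identity = authenticate(token)
    if identity is None:
        return 401  # not authenticated: identity could not be established
    if not authorize(identity, action, order_id):
        return 403  # authenticated, but this identity is not permitted the action
    return 200
```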