Authentication vs authorization

2022-01-04: Revised post and re-wrote some parts to make the analogy better
2022-06-15: Revised and exchanged the word "chip" for "tag"

Overview

I remember how much I struggled to learn the difference between these two terms. Authentication and authorization sound so similar, yet they are so different. Instead of talking about APIs straight away, here's my way of describing it that hopefully will make it clear to you.

Apartments as an example

Imagine you have this apartment house in front of you:

(Photo: an apartment house in St John's Wood, London, UK)

In front of the apartment house there is an entrance. Now inside this apartment house there are plenty of apartments. Although most buildings in the world still probably use physical keys, let's for the sake of simplicity assume that the key for this building is a tag you can attach to your physical keychain.

If you buy or rent an apartment, the landlord will identify you by looking at your ID, passport or something similar. Once identified, or authenticated that is, you will be given a tag that is required for entrance into the apartment house. Possessing that tag means you're authorized for entrance into the apartment house.

Two important things to note here are that you are (1) known to the landlord, i.e. authenticated, and (2) have access to the main entrance, i.e. are authorized.

On your first visit you successfully enter the main entrance, but you realize your tag doesn't work for your apartment. You call the landlord and he replies that he forgot to authorize you for your apartment. Fortunately he can authorize you remotely straight away, and on your next try your tag works and you can successfully enter your apartment. This was not authentication, because you were already known to the landlord and already had the tag; it was a pure authorization step in which he granted you access to another resource (your apartment).

All tenants are authenticated. They are also authorized to enter the main entrance, but each one is only authorized to access their own apartment. The landlord is authorized to enter the main entrance but also authorized to enter all apartments. Same building and authentication, but different authorization.

I deliberately chose to represent the key as a tag in order to more easily separate the terms authentication and authorization. If the key had been a physical key, which probably better reflects real life for most people, you would have been authenticated and authorized at the same moment, when the landlord handed the physical key to you.

Apartments vs APIs

Now imagine your apartment house is an API, and each apartment corresponds to an endpoint. Just because you're authenticated to the API does not mean you can call any endpoint. Which endpoints (apartments) you have access to is authorization. In the case of some APIs, you will be forbidden from calling some endpoints, much the same way as in our apartment example, where you are forbidden from accessing your neighbours' apartments.

Usually there is exactly one door through which you enter the apartment. If the apartment had two or more doors, you would of course have access to all of them (authorization for the apartment gives you access to all doors of that apartment). This corresponds to the case where a group of endpoints is relevant for you to achieve your use case: of course you'll be authorized to access all those endpoints and not just one.
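To make the API version of the analogy concrete, here is an added example (not code from the original post) of a toy request handler that keeps the two steps apart: authentication maps a tag to a known identity, authorization decides which endpoint that identity may call, and the landlord's "remote authorization" is a separate grant that needs no re-authentication. All tags, names and endpoint paths are constructed for the example; the 401/403 split follows the usual HTTP convention of 401 for an unknown caller and 403 for a known but forbidden one.

```python
# Added example, not part of the original post: authentication (who holds
# the tag) kept separate from authorization (which "doors" that identity may open).

# Constructed sample data: tags (bearer tokens) the landlord has issued to
# people he has identified. Handing over the tag is the authentication step.
TAGS = {
    "tag-alice-4f2c": "alice",        # tenant of apartment 3
    "tag-bob-91e0": "bob",            # tenant of apartment 7
    "tag-carol-b3d8": "carol",        # new tenant, tag issued but apartment not yet granted
    "tag-landlord-0a77": "landlord",
}

# Authorization: the endpoints each identity may call. Every authenticated
# person may use the main entrance; apartments are granted individually.
PERMISSIONS = {
    "alice": {"/entrance", "/apartments/3"},
    "bob": {"/entrance", "/apartments/7"},
    "carol": {"/entrance"},           # the landlord "forgot" to add her apartment
    "landlord": {"/entrance", "/apartments/3", "/apartments/7", "/apartments/9"},
}


def authenticate(token):
    """Return the identity behind a tag, or None if the tag is unknown."""
    return TAGS.get(token)


def authorize(identity, endpoint):
    """Return True if this identity is permitted to call this endpoint."""
    return endpoint in PERMISSIONS.get(identity, set())


def grant(identity, endpoint):
    """The landlord authorizing a tenant remotely: the tag itself is unchanged."""
    PERMISSIONS.setdefault(identity, set()).add(endpoint)


def handle_request(token, endpoint):
    """Return an HTTP-style status: 401 unknown tag, 403 known but not permitted, 200 allowed."""
    identity = authenticate(token)
    if identity is None:
        return 401      # not authenticated: the landlord does not know you
    if not authorize(identity, endpoint):
        return 403      # authenticated, but this door is not yours
    return 200


if __name__ == "__main__":
    print(handle_request("tag-carol-b3d8", "/apartments/9"))   # 403: tag works, apartment not granted
    grant("carol", "/apartments/9")                             # landlord fixes it remotely
    print(handle_request("tag-carol-b3d8", "/apartments/9"))   # 200: same tag, new authorization
```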

Summary

Tricky terms to learn, but hopefully the difference is now a bit clearer.
Authentication just verifies your identity, whereas authorization grants you access to something.