Authentication and Authorization are core concepts of API security that we use to secure access to resources.

Let’s say you want to watch a movie at a nearby theater. You do three things:
1. You buy a ticket at the ticket counter
2. Show it to the personnel at the entrance
3. Enter the auditorium and watch

Any person who doesn’t possess a (valid) ticket can’t enter the auditorium. In other words, holding a ticket means you are "authenticated" to enter the auditorium, and having no ticket means you are unauthenticated. This is "Authentication".

An auditorium contains several "classes" of seats (such as economy, first class, diamond, and so on), and the ticket you just bought belongs to one of those classes.

You may sit only in the class your ticket belongs to. That is, although you are allowed to watch, you are only allowed to do certain things (sit in a certain class). This is called "Authorization".

The ability to enter is "Authentication", while the ability to access is "Authorization". A request may be "Authenticated" (the API knows who is calling) and still not be "Authorized" to access a particular resource or operation.

A request "must be Authenticated" in order to be "Authorized". Any request that is subject to an "Authorization" check has, by definition, already been "Authenticated".
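To map the analogy onto an API request pipeline, here is an added example (not code from the original page) in Python. It assumes an HMAC-signed token as the "ticket" and a server-side signing secret, both constructed for the demo; authentication runs first and decides 401, authorization runs only on authenticated requests and decides 403.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side signing key; constructed for this demo only.
SECRET = b"constructed-demo-secret"


def issue_ticket(user: str, seat_class: str) -> str:
    """Buying a ticket: the server mints a signed token carrying identity and class."""
    payload = json.dumps({"sub": user, "class": seat_class}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def authenticate(token: str):
    """Authentication: is this a genuine ticket at all? Returns the claims, or None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):  # malformed structure or bad base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # forged or tampered ticket
        return None
    return json.loads(payload)


def authorize(claims: dict, seat_class: str) -> bool:
    """Authorization: does this (already validated) ticket permit this seat class?"""
    return claims.get("class") == seat_class


def handle_request(token, seat_class: str):
    """Request pipeline: authentication always precedes authorization."""
    claims = authenticate(token) if token else None
    if claims is None:
        return 401, "Unauthorized"  # no ticket or invalid ticket: cannot enter
    if not authorize(claims, seat_class):
        return 403, "Forbidden"  # genuine ticket, but wrong class for this seat
    return 200, f"{claims['sub']} seated in {seat_class}"
```

Note that a 403 is only ever returned for a request that already passed authentication, which is the ordering the text describes.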