
Authentication vs. Authorization

A minimally technical introduction to the difference between AuthN and AuthZ
Ned O'Leary
Cofounder and CEO, SSOReady

Given you’re reading this article, you’ve likely heard someone talk about Auth as it relates to software. Somewhat confusingly, Auth as an umbrella term can describe two related but distinct concepts: Authentication and Authorization. I’ll do my best here to explain both concepts without technical details.

An example without software

Here’s a relevant scene from the TV show Silicon Valley.

You’ll see Gavin stroll into the Hooli offices with confidence, ID badge in hand. But when he scans the ID badge, Hooli’s systems reject his access! A moment later, Jack’s ID badge unlocks the boardroom door without a hitch.

Now, both of their ID badges equally communicate their identities. Gavin’s ID badge proves that he’s actually Gavin. Jack’s ID badge does the same thing; it tells the system who he is.

So what’s the difference between Gavin and Jack here? Their identities confer different permissions. Since the Hooli board has fired Gavin, the security system knows not to unlock the door for him.

The security system essentially asks two questions for every badge swipe: Who is this person? Does this person have access privileges?

Authentication answers the first question, confirming an identity. Once an identity has been established, Authorization answers the second question, confirming permissions.

Back to software

We have lots of ways to establish identity in software. Conventionally, an application might authenticate users with a username and a password, treating a user’s knowledge of the password as sufficient proof of their identity. We might alternatively use a single sign-on protocol like OAuth or SAML.

Software often uses different tools for authentication and authorization. For example, if you access an application via Sign in with Google, Google will authenticate you and share an OAuth token with the application. The application might then create a JSON Web Token, which it will use to confirm your rights to access certain resources in the application.
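To make the two questions concrete, here is an added example in Python (my own illustration, not SSOReady's code or any product's API) of the flow just described: the identity provider's authentication step is assumed to have already happened, the application mints its own HS256-signed JWT, and every request is then checked first for authentication (is the token genuine and unexpired?) and only then for authorization (do its roles permit this resource?). The signing key, the PERMISSIONS table and the badge_swipe function are all constructed for this example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed for this example; a real key is random and kept out of source
# Constructed permission table: which roles may open which door (resource).
PERMISSIONS = {"boardroom": {"board_member"}, "lobby": {"board_member", "employee"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject: str, roles: list, ttl: int = 3600, now: int = None) -> str:
    """Authentication already happened (e.g. Sign in with Google); the app now
    issues its own HS256 JWT carrying the identity, its roles and an expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "roles": roles, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate(token: str, now: int = None):
    """Who is this? Returns the claims if the signature checks out and the token
    is unexpired; otherwise None. The alg header is ignored: we always use HS256."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def authorize(claims: dict, resource: str) -> bool:
    """Does this person have access? Intersects the token's roles with the resource's."""
    return bool(set(claims.get("roles", [])) & PERMISSIONS.get(resource, set()))

def badge_swipe(token: str, resource: str, now: int = None) -> str:
    """The Hooli door: 'unknown' (AuthN failed), 'denied' (AuthZ failed) or 'granted'."""
    claims = authenticate(token, now)
    if claims is None:
        return "unknown"
    return "granted" if authorize(claims, resource) else "denied"
```

Note that a failed authentication and a failed authorization are reported differently: the door cannot tell who an unauthenticated person is, whereas it knows exactly who Gavin is and still refuses him.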

Authentication and authorization are closely related. Just remember that authentication pertains to identity, and authorization pertains to permissions.