A common question that frequently pops up is “what is the difference between authentication and authorization?”. Many people are confused by these two terms or tend to mix them up. In this post I will explain it as simply as possible with some small examples.
First of all, authorization and authentication are both key topics in securing a web application, but they are absolutely different from each other.
Authentication is used to verify the identity of the user. That can be accomplished by checking credentials like a username and password. If the user enters the wrong credentials, the system will not authenticate the user. There are also more secure ways than just using a username and a password. For example, some systems offer Two-Factor or Multi-Factor Authentication. In this scenario, you have an external token. Only the user owning that token should know the secret provided by that token. A token can be a simple generated code. In most cases it is a small technical device with a finite number of codes which are generated in small intervals.
Authorization is what happens after you have authenticated yourself on a system. Once the identity of the user is known, the system has to find out which parts of the system should be accessible to that user. By determining that, the system authorizes the user for some resources. In short: if the user is not allowed to see the admin page or another user's data, he is not authorized for that part of the system. In most cases the system uses different groups for access. For example, the admin has the ability to grant other users rights to use some tools or resources that others cannot access or use.
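The two steps described above, as an added example that is not part of the original post: `authenticate()` only answers "who is this?" by checking a salted password hash, and `authorize()` separately answers "what may this user do?" using the group model from the text (admin page, another user's data, admins granting rights). The user names, passwords and group names are constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked database does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: set = field(default_factory=set)


def make_user(name: str, password: str, groups) -> User:
    salt = os.urandom(16)
    return User(name, salt, _hash_password(password, salt), set(groups))


# Constructed sample accounts (not real credentials).
USERS = {
    "alice": make_user("alice", "correct horse", {"admin"}),
    "bob": make_user("bob", "battery staple", {"user"}),
}


def authenticate(username: str, password: str):
    """Authentication: verify identity. Returns the User or None."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = _hash_password(password, user.salt)
    # Constant-time comparison avoids leaking timing information.
    return user if hmac.compare_digest(user.pw_hash, candidate) else None


def authorize(user: User, action: str, resource_owner=None) -> bool:
    """Authorization: decide what an already authenticated user may do."""
    if action == "view_admin_page":
        return "admin" in user.groups
    if action == "read_user_data":
        # A user may read only his own data; admins may read anyone's.
        return "admin" in user.groups or user.name == resource_owner
    return False  # unknown actions are denied by default


def grant_group(actor: User, target_name: str, group: str) -> bool:
    """Only an admin may grant rights to other users, as in the text."""
    target = USERS.get(target_name)
    if target is None or "admin" not in actor.groups:
        return False
    target.groups.add(group)
    return True
```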
As you can see, these two topics are very different but are used together. It is important to understand the differences between them.