Authentication versus Authorization

Authentication

Authentication means verifying who a user is. The application checks a credential it can validate (a password, a one-time code, a signed token, a hardware key) and ties the resulting identity to the session. It answers "who are you?", not "what are you allowed to do?".

Whenever you log in to Facebook, Facebook's backend verifies your credentials and authenticates you. Only then does it know which account your later requests belong to, so that viewing posts, creating posts, etc. can be attributed to you.

Authorization

Authorization means deciding what an already-authenticated user is allowed to do: which resources they may read, change or delete, and which actions they may perform. A subscription upgrade in a service like Educative.io is one example of an authorization change.

Without a subscription, a user is limited to free courses. A subscription grants access to paid courses, even though the user's identity, and therefore their authentication, has not changed at all.

Levels of authorization

Authorization is rarely all-or-nothing. Permissions are usually scoped to specific actions and specific resources, so different users of the same system hold different levels of access.

In Discord, for example, one user can be granted permission to delete messages in a single channel, while another user may be allowed to delete messages in all channels. Both users are authenticated in exactly the same way; only what they are authorized to do differs.

Is authorization a subset of authentication?

We can't speak about authorization without talking about authentication. Authorization depends on authentication, because an application cannot decide what a user may do before it knows who the user is. It isn't a subset of it, though: they are separate checks, and a system can verify identity perfectly and still make the wrong access decision afterwards.

Authorization is needed in almost every app, even simple ones like blogs and to-do lists. Without an authorization check, user A can view (or edit) user B's data simply by asking for it, for example by changing the record ID in a URL. This is an infringement of privacy, it is one of the most common web vulnerabilities (OWASP calls it broken object-level authorization), and it must be avoided by checking ownership or permissions on every request, not just on login.
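The following is an added example, not code from the original article or from any of the services it mentions. It puts both checks side by side on a toy to-do service: `authenticate` answers "who are you?" and returns a session token, `get_todo` answers "may you see this?" by checking ownership, and `get_todo_vulnerable` shows what the paragraph above warns about, a logged-in user reading another user's record because only authentication was checked. `can_delete_message` illustrates the channel-scoped permission levels from the Discord example. The usernames, passwords, to-dos and permission table are all constructed for the example.

```python
"""Authentication versus authorization on a toy to-do service (added example)."""
import hashlib
import hmac
import os
import secrets


class AuthenticationError(Exception):
    """Raised when the caller's identity cannot be established."""


class AuthorizationError(Exception):
    """Raised when an authenticated caller is not permitted to do something."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest for a runnable demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample accounts: username -> (salt, password hash).
_USERS: dict[str, tuple[bytes, bytes]] = {}


def _add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))


_add_user("alice", "correct horse battery staple")
_add_user("bob", "hunter2")

# Constructed sample data: every to-do has exactly one owner.
_TODOS = {
    1: {"owner": "alice", "text": "renew passport"},
    2: {"owner": "bob", "text": "call the bank"},
}

# Constructed permission table, scoped per channel; "*" means every channel.
_PERMISSIONS = {
    "alice": {"delete_message": {"general"}},
    "bob": {"delete_message": {"*"}},
}

# Opaque session token -> authenticated username.
_SESSIONS: dict[str, str] = {}


def authenticate(username: str, password: str) -> str:
    """Verify who the caller is. Returns a fresh session token on success."""
    record = _USERS.get(username)
    # Always run the hash comparison, even for unknown users, so the response
    # time does not reveal which usernames exist.
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    if record is None or not matches:
        raise AuthenticationError("bad username or password")
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username
    return token


def current_user(token: str) -> str:
    """Map a session token back to an identity, or fail authentication."""
    try:
        return _SESSIONS[token]
    except KeyError:
        raise AuthenticationError("not logged in") from None


def get_todo_vulnerable(token: str, todo_id: int) -> str:
    """Authenticates the caller but never checks ownership: any logged-in user
    can read any to-do by guessing its id (broken object-level authorization)."""
    current_user(token)
    return _TODOS[todo_id]["text"]


def get_todo(token: str, todo_id: int) -> str:
    """Authenticate, then authorize: the to-do must belong to the caller."""
    user = current_user(token)
    todo = _TODOS.get(todo_id)
    # Same error for "does not exist" and "not yours", so ids cannot be enumerated.
    if todo is None or todo["owner"] != user:
        raise AuthorizationError("no such to-do")
    return todo["text"]


def can_delete_message(token: str, channel: str) -> bool:
    """Scoped permission check: delete rights in one channel or in all of them."""
    user = current_user(token)
    scopes = _PERMISSIONS.get(user, {}).get("delete_message", set())
    return "*" in scopes or channel in scopes


def run_demo() -> tuple[str, bool, bool]:
    """Returns (what bob leaks via the vulnerable path,
    whether the hardened path blocked him, whether a wrong password was rejected)."""
    bob = authenticate("bob", "hunter2")
    leaked = get_todo_vulnerable(bob, 1)  # bob reads alice's to-do
    try:
        get_todo(bob, 1)
        blocked = False
    except AuthorizationError:
        blocked = True
    try:
        authenticate("alice", "wrong password")
        rejected = False
    except AuthenticationError:
        rejected = True
    return leaked, blocked, rejected
```

Note that the hardened `get_todo` performs both checks in order: identity first (an unknown token fails before any data is touched), then ownership. Returning the same "no such to-do" error for missing and foreign records is deliberate; a distinct "not yours" message would let a caller enumerate which ids exist.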