Authentication vs Authorization


Authentication is the act of proving or establishing a user's identity. In most applications this manifests itself as "log in", and verifies to the application which "entity" (typically a user) is accessing the application.


Authorization is the act of proving that an entity (user) has permission to access a resource, perform some action, or is otherwise permitted to do something. It presupposes authentication: the application must already know who the entity is before it can decide what that entity is allowed to do.

In most applications, authorization is handled by having inline permissions checks, where code will check the user’s permission before performing an action or returning some data:

# Authorization check: only return the resource if this user may view it
if user.can_view(resource):
    return resource
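The following is an added example (not code from the original article) that puts both steps side by side: a constructed session table stands in for "log in" (authentication), and the inline `can_view`/`can_edit` checks decide what the identified user may do (authorization). The token values, user names and ownership rules are assumptions made up for the example.

```python
from dataclasses import dataclass, field

class NotAuthenticated(Exception):
    """Identity could not be established (no valid login)."""

class PermissionDenied(Exception):
    """Identity is known, but it lacks permission for this action."""

@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset = field(default_factory=frozenset)

    def can_view(self, resource):
        # Owners and auditors may read; everyone else is denied.
        return resource.owner == self.username or "auditor" in self.roles

    def can_edit(self, resource):
        # Only the owner may modify, regardless of other roles.
        return resource.owner == self.username

@dataclass
class Resource:
    owner: str
    data: str

# Constructed sample data: session tokens stand in for "logged in" state,
# and a few resources owned by different users (hypothetical values).
SESSIONS = {"tok-alice": User("alice"), "tok-bob": User("bob"),
            "tok-carol": User("carol", frozenset({"auditor"}))}
RESOURCES = {1: Resource("alice", "alice's notes"), 2: Resource("bob", "bob's notes")}

def authenticate(token):
    """Authentication: map a session token to an identity, or fail."""
    user = SESSIONS.get(token)
    if user is None:
        raise NotAuthenticated("no valid session")
    return user

def view_resource(token, resource_id):
    """Authorization: inline permission check before returning data."""
    user = authenticate(token)
    resource = RESOURCES[resource_id]
    if not user.can_view(resource):
        raise PermissionDenied(f"{user.username} may not view resource {resource_id}")
    return resource.data

def edit_resource(token, resource_id, new_data):
    """Same pattern for a state-changing action, with a stricter check."""
    user = authenticate(token)
    resource = RESOURCES[resource_id]
    if not user.can_edit(resource):
        raise PermissionDenied(f"{user.username} may not edit resource {resource_id}")
    resource.data = new_data
    return resource.data
```

Being logged in (a valid token) is necessary but not sufficient: bob is authenticated yet still denied alice's resource, and carol's auditor role lets her read but not edit.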