← Back to Security

Authentication vs Authorization

SecurityEntrysecurity

The Question

What is the difference between authentication and authorization?

What a Strong Answer Covers

  • authentication = identity (401)
  • "authorization = permissions (403)

Senior-Level Answer

Authentication (AuthN) and authorization (AuthZ) are sequential security steps that are often confused but solve distinct problems.

Authentication answers: who are you? It is the process of verifying that a claimed identity is genuine. A user presents credentials — a password, a cryptographic key, a hardware token, a biometric — and the system validates them against a stored record. Successful authentication establishes an authenticated identity. Mechanisms: password + hash comparison (bcrypt/argon2 on server side), OAuth 2.0 + OIDC for delegated authentication (Google/GitHub login), SAML for enterprise SSO, WebAuthn for passkeys, mutual TLS for service-to-service. After authentication, a session token or JWT is issued to represent the authenticated identity for subsequent requests.

Authorization answers: what are you allowed to do? It occurs after authentication and determines whether the authenticated identity has permission to perform a specific action on a specific resource. A user might be authenticated (the system knows who they are) but unauthorized to access a particular resource (they lack the required permission). Mechanisms: Role-Based Access Control (RBAC — roles assigned to users, permissions assigned to roles), Attribute-Based Access Control (ABAC — policies evaluate attributes of user, resource, and context), ACLs (per-resource permission lists), OAuth 2.0 scopes (token carries permitted actions). In REST APIs, authorization checks typically happen after validating the request's JWT/session token.

The practical consequence of conflating them: a system that only authenticates (checks that the user is logged in) but doesn't enforce fine-grained authorization will allow any authenticated user to access any resource — a classic BOLA (Broken Object Level Authorization) vulnerability. An attacker who is legitimately authenticated as user A modifies a request to access user B's data, and the server checks authentication (token is valid) but not authorization (does this token's user own this resource?).

The two-step flow in a typical web API: request arrives with a Bearer token → authentication middleware validates the token's signature and expiry → authorization layer checks whether the identity in the token has permission for the requested operation → request handler executes. These are separate concerns implemented at separate layers.

Key Differences

AspectAuthenticationAuthorization
Question answeredWho are you?What are you allowed to do?
OrderFirst stepAfter authentication succeeds
Failure result401 Unauthorized403 Forbidden
Common mechanismsPassword, OAuth/OIDC, WebAuthn, mTLSRBAC, ABAC, ACLs, OAuth scopes
Token roleEstablishes identity (JWT, session)Token carries claims/scopes for authz checks
Attack if missingImpersonation, credential theftBroken object-level authorization (BOLA/IDOR)

What Separates a 2/3 from a 3/3

2/3 — Passing but Incomplete

Correctly defines both terms with concrete examples, explains the sequential dependency (authz follows authn), and distinguishes 401 from 403 HTTP responses.

3/3 — Strong Answer

All of the above plus: names specific mechanisms for each (OAuth/OIDC for authn; RBAC/ABAC for authz), explains BOLA/IDOR as the vulnerability from missing authorization checks, and describes where each check happens in a typical request pipeline.

Common Mistakes

  • Saying 401 means 'not authorized' — 401 means not authenticated (the name is misleading). 403 means authenticated but forbidden.
  • Treating authentication as sufficient security — missing that authorization is the critical second check that prevents authenticated users from accessing each other's data.
  • Not knowing RBAC or ABAC — naming 'permissions' without any model for how permissions are structured signals shallow knowledge.
  • Conflating OAuth with authentication — OAuth 2.0 is an authorization framework; OpenID Connect (OIDC) is the authentication layer built on top of it.

Follow-Up Questions

  • What is BOLA (Broken Object Level Authorization) and give an example? — User A is authenticated, sends GET /orders/456 where 456 belongs to User B. Server checks that the token is valid but not that the token's user owns order 456. OWASP API Security #1.
  • What is the difference between OAuth 2.0 and OpenID Connect? — OAuth 2.0 is an authorization framework — grants access tokens for resource access. OIDC adds an identity layer on top, issuing ID tokens (JWTs) that assert who the user is.
  • How does RBAC differ from ABAC, and when would you choose ABAC? — RBAC assigns permissions to roles. ABAC evaluates policies against attributes (user department, resource owner, time of day). ABAC is more flexible but more complex; use when RBAC becomes unwieldy.
  • Why does the HTTP spec name 401 'Unauthorized' when it means unauthenticated? — Historical naming confusion in the original HTTP spec. 401 requires authentication (WWW-Authenticate header must be present). 403 means the server understood the request but refuses it regardless of credentials.

Related Questions

  • JWT — 3 Parts, Signing, Revocation
  • SQL Injection
  • CSRF
  • XSS
  • OAuth 2.0 — Authorization Code Flow

Can You Explain This Cold?

Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.

Get Graded — Free Assessment
GrindQuestionsAITechnical interview assessment
TermsPrivacyAbout