AuthN vs. AuthZ: Understanding the Difference
Authentication and Authorization, also known as AuthN and AuthZ, are two essential terms used in the context of access control, and more specifically, Identity and Access Management (IAM). Understanding the difference between the two is absolutely crucial. The IAM space can be a bit confusing - and the fact that authentication and authorization sound similar doesn’t help either. Combined, AuthN and AuthZ determine the security of your application - and you can’t build a secure application unless you have configured both correctly.
Is this you?
TLDR -
The easiest way to distinguish between authentication and authorization is this:
Authentication is about determining who has access to a system, while authorization is about determining what they can do within the system.
If we look at a simple real-world example - authentication identifies who's at the door and whether they may enter. Authorization deals with deciding what they can do inside the house.
Let’s dive in a little deeper -
What is Authentication (AuthN)?
Authentication refers to the process of verifying the identity of a user or entity. This is typically done by requiring the user to provide a set of credentials, such as a username and password, to access a system or resource. The authentication process ensures that only users whose identity has been verified are granted access to sensitive data and systems.
There are several methods used for authentication, including:
Username and password
Biometric authentication (fingerprint, face recognition)
Leading authentication services include:
Auth0, AWS Cognito, SuperTokens, FusionAuth, Magic.link, Stytch, Descope.
What is Authorization (AuthZ)?
Authorization is the process of granting or denying access to specific resources based on a user's verified identity. This means that after a user has been authenticated, the system must also determine which resources or data the user is authorized to access. Authorization is often done by assigning roles or permissions to specific users or user groups.
Authorization is managed through policies - sets of rules that determine what actions or resources a user or system is allowed to access. Common policy models include Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), and Relationship-Based Access Control (ReBAC).
Leading Authorization services include:
Permit.io, AuthZed, Ory Keto, Styra DAS
Connecting Authentication and Authorization
Now that we understand the difference between authentication and authorization, we need to understand where the two connect.
Modern authentication solutions gather the relevant information about the user into a passport-like document called a JSON Web Token (JWT). The information within the JWT is cryptographically signed, so later recipients of the JWT (mainly the authorization layer and the application itself) can make trustworthy decisions based on the user's identity without having to re-authenticate the user.
Permit.io integrates with any authentication solution which provides a JWT -
The unique ID of the authenticated user, along with other information like their email and name, can be extracted from the JWT and passed into a “SyncUser” function Permit provides via any of the SDKs and the API.
Once synced, users can be assigned roles and permissions via Permit, allowing policies to be enforced.
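The hand-off described above, as an added example that is not Permit.io's SDK or any code from this article: the authentication step verifies the JWT, and the authorization step uses the verified `sub` claim to look up roles. The HS256 shared secret, the role table, the action names and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"          # assumption: HS256 shared key
ROLE_PERMISSIONS = {"viewer": {"document:read"},
                    "editor": {"document:read", "document:update"}}
USER_ROLES = {"user-123": {"viewer"}}        # constructed role assignments


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(claims, key=SECRET):
    """Stand-in for the authentication provider: sign claims as an HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def authenticate(token, key=SECRET, now=None):
    """AuthN: return the claims only if algorithm, signature and expiry check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:                # bad base64, bad JSON, wrong part count
        raise PermissionError("malformed token") from exc
    # Pin the algorithm on the verifier side; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))   # parsed only after verification
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token expired")
    return claims


def authorize(claims, action):
    """AuthZ: decide what the already-authenticated subject may do (RBAC)."""
    roles = USER_ROLES.get(claims.get("sub"), set())
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)
```

A token that authenticates successfully can still be denied an action: `authorize` returns `False` for `document:update` because the constructed user only holds the `viewer` role.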
Learn More
Looking to strengthen your AuthN and AuthZ in your application? This article demonstrates how to create comprehensive passkey authentication and fine-grained authorization with Hanko and Permit.io - Reinvent Access Control with Passkeys and Fine-Grained Authorization
Written by
Daniel Bass
Application authorization enthusiast with years of experience as a customer engineer, technical writing, and open-source community advocacy. Community Manager, Dev. Convention Extrovert and Meme Enthusiast.