<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1063935717132479&amp;ev=PageView&amp;noscript=1 https://www.facebook.com/tr?id=1063935717132479&amp;ev=PageView&amp;noscript=1 "> Taxonomy: AuthN vs. AuthZ

Taxonomy: AuthN vs. AuthZ

Two words sit at the center of IAM and get mixed up constantly because they both start with "auth." Pin them down first; everything else is a variation on one or the other.

Authentication vs. Authorization

  • Authentication (AuthN) : who are you? Proving identity: a password, a magic link, a fingerprint, a token. The output is "this request is from user 1138."
  • Authorization (AuthZ) : what are you allowed to do? Deciding whether that identity may perform an action: read this document, delete that user, access the admin panel.

Authentication always comes first. You can't decide what someone may do until you know who they are, but they're separate systems. You can be authenticated and still forbidden.

HTTP even has separate status codes for the two, and their names are famously misleading:

  • 401 Unauthorized actually means not authenticated: we don't know who you are. Log in.
  • 403 Forbidden means authenticated but not authorized: we know who you are, and you still can't do this.

That split is also this course's map. The next two lessons live on the AuthN side: how a login becomes a credential that keeps you authenticated, and where a browser can safely keep it. Then one lesson on the AuthZ side: deciding what an authenticated user may do. The final two widen the frame: proving identity across services (OAuth and OIDC), then across a whole company (SAML and LDAP).

Check your understanding

Question 1 of 5

401 or 403?

A request arrives with no token at all. The server has no idea who the caller is. Which status code should it return?