Securityeasy

Authentication vs authorization — what’s the difference, with examples?

Answer

Authentication proves who the user is (e.g., password, OAuth, MFA). Authorization decides what they can do (e.g., role can edit invoices). AuthN comes before AuthZ.

Advanced answer

Deep dive

AuthN answers "who are you?"; AuthZ answers "are you allowed?":

AuthN: passwords, SSO, MFA, device or token-based identity.
AuthZ: roles (RBAC), attributes (ABAC), ownership checks, tenant boundaries.
Every request should re-check authorization, not just at login.
Least privilege and explicit deny rules reduce blast radius.

Examples

User logs in with OAuth (AuthN), receives a token, then the API checks role + resource ownership (AuthZ):

GET /invoices/123
AuthN: valid token for user=42
AuthZ: user=42 owns invoice=123 OR has role=finance_admin

Common pitfalls

Trusting client-side role checks only.
Using broad roles instead of resource-level checks.
Returning 403/401 inconsistently (leaks info).

Interview follow-ups

When would you choose RBAC vs ABAC?
How do you enforce multi-tenant isolation?
How do you test authorization rules?