问题
What\'s the difference in context of web applications? I see the abbreviation \"auth\" a lot. Does it stand for auth-entication or auth-orization? Or is it both?
回答1:
Authentication is the process of ascertaining that somebody really is who they claim to be.
Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorised to read.
The two concepts are completely orthogonal and independent, but both are central to security design, and the failure to get either one correct opens up the avenue to compromise.
In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, and authorization is when you look up in your access control whether you allow the user to view, edit, delete or create content.
回答2:
In short, please. :-)
Authentication = login + password (who you are)
Authorization = permissions (what you are allowed to do)
Short "auth" is most likely to refer either to the first one or to both.
回答3:
As Authentication vs Authorization puts it:
Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions:
- Who is the user?
- Is the user really who he/she represents himself to be?
Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the datbase, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:
- Is user X authorized to access resource R?
- Is user X authorized to perform operation P?
- Is user X authorized to perform operation P on resource R?
See also:
- Authentication vs. authorization on Wikipedia
回答4:
I prefer Verification and Permissions to Authentication and Authorization.
It is easier in my head and in my code to think of "verification" and "permissions" because the two words
- don't sound alike
- don't have the same abbreviation
Authentication is verification and Authorization is checking permission(s). Auth can mean either, but is used more often as "User Auth" i.e. "User Authentication"
回答5:
The confusion is understandable, since the two words sound similar, and since the concepts are often closely related and used together. Also, as mentioned, the commonly used abbreviation Auth doesn't help.
Others have already described well what authentication and authorization mean. Here's a simple rule to help keep the two clearly apart:
- Authentication validates your Identity (or authenticity, if you prefer that)
- Authorization validates your authority, i.e. your right to access and possibly change something.
回答6:
I have tried to create an image to explain this in the most simple words
1) Authentication means "Are you who you say you are?"
2) Authorization means "Should you be able to do what you are trying to do?".
This is also described in the image below.
I have tried to explain it in the best terms possible, and created an image of the same.
回答7:
Authentication is the process of verifying the proclaimed identity.
- e.g. username/password
Usually followed by authorization, which is the approval that you can do this and that.
- e.g. permissions
回答8:
Adding to @Kerrek's answer;
Authentication is Generalized form (All employees can login in to the machine )
Authorization is Specialized form (But admin only can install/uninstall the application in Machine)
回答9:
Authentication is the process of verifying your log in username and password.
Authorization is the process of verifying that you can access to something.
回答10:
Definitions
Authentication - Are you the person you claim to be?
Authorization - Are you authorized to do whatever it is you're trying to do?
Example
A web app uses Google Sign-In. After a user successfully signs in, Google sends back:
- A JWT token. This can be validated and decoded to get authentication information. Is the token signed by Google? What is the user's name and email?
- An access token. This authorizes the web app to access Google APIs on behalf of the user. For example, can the app access the user's Google Calendar events? These permissions depend on the scopes that were requested, and whether or not the user allowed it.
Additionally:
The company may have an admin dashboard that allows customer support to manage the company's users. Instead of providing a custom signup solution that would allow customer support to access this dashboard, the company uses Google Sign-In.
The JWT token (received from the Google sign in process) is sent to the company's authorization server to figure out if the user has a G Suite account with the organization's hosted domain (email@company.com)? And if they do, are they a member of the company's Google Group that was created for customer support? If yes to all of the above, we can consider them authenticated.
The company's authorization server then sends the dashboard app an access token. This access token can be used to make authorized requests to the company's resource server (e.g. ability to make a GET request to an endpoint that sends back all of the company's users).
来源:https://stackoverflow.com/questions/6556522/authentication-versus-authorization