An authentication server does a lot of work in the background, but it’s also important to understand what it’s not responsible for.
Authentication vs. authorization
In the examples above, the authentication server took steps to verify the user’s identity and return it to the requesting application. What happens next depends on the application.
Once the application knows who the user is, it usually has to decide what the user can access. This is known as authorization.
Authorization is the process of verifying what a user has access to.
Authentication is the process of proving identity.
It is easy to confuse authentication and authorization, but it is important to understand the difference. The authentication process does not determine what a user can access.
The authentication server simply verifies the identity of the user and then passes this information back to the application. The application then uses this identity information to determine what the current user can access.
To manage access control, the authentication server will issue access tokens to the client that list what permissions the current user has. If you want to learn more about access tokens, check out the free eBook below. It explains the popular JSON Web Token (JWT) standard in detail.
So, although these two terms have completely different meanings, the authorization process depends on authentication. Authorization cannot be granted unless the user’s identity is verified.
Since these two processes go hand in hand, it’s common to see a solution that can handle both authentication and authorization. Auth0, for example, is an end-to-end solution that serves as both an authentication and authorization server.
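The split described above, as an added example that is not from the original article: a minimal HS256 JWT issuer and verifier written against Python's standard library, with a hypothetical application that authenticates the token first (who is the caller?) and only then authorizes the request against the token's `permissions` claim. The secret, subject and permission names are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret-not-for-production"  # constructed demo secret shared by auth server and app

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject, permissions, now, ttl=300):
    """Auth server side: bind a verified identity and its permissions into a signed HS256 JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": subject, "permissions": permissions,
                                 "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def authenticate(token, now):
    """Authentication: who is the caller? Returns verified claims or None.
    It deliberately says nothing about what the caller may do."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # reject "none" and any algorithm the app did not expect
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature mismatch: forged or tampered token
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # bad base64 / JSON / UTF-8 all derive from ValueError
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims

def authorize(claims, required):
    """Authorization: may this verified identity do `required`? The app decides, not the auth server."""
    return required in claims.get("permissions", [])

def handle_request(token, required, now):
    """Application flow: authenticate first, then authorize; returns an HTTP status code."""
    claims = authenticate(token, now)
    if claims is None:
        return 401  # identity not established
    if not authorize(claims, required):
        return 403  # identity known, but this action is not permitted
    return 200
```

Note that a 401 and a 403 answer different questions: the first means identity could not be established, the second means a known identity lacks the permission, which is exactly the authentication/authorization boundary the article draws.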