What if we define some Ubiquitous Language in the context of the next blogging platform:
Author — an existing user in the next blogging platform. It is an Entity with a unique identifier, authorId;
Blog — a specific area of the blogging platform containing posts. It is an Entity with a unique identifier, blogId;
Collaborator — an Author who can create posts in the given Blog;
Then Authentication could be described as the process of identifying the Author (using its identifier).
Authorization is the process of checking whether the Author is a Collaborator in the given Blog.
If we go with this kind of Authentication/Authorization definition, then your first version is likely to leak the domain logic outside your Bounded Context (which could be defined as the boundaries of the ApplicationService). So, the second one looks better to me.
However, you shouldn't forget that Authentication/Authorization may have its own definition in Web, REST and Console application contexts (BTW, a Console runs under some credentials which could be used in the process of Authentication/Authorization as well).
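One way to keep the Collaborator check inside the ApplicationService boundary, using the terms defined above. This is an added example, not code from the original question or answer; the class names, method names and sample identifiers are assumptions, and the in-memory dictionary stands in for a Blog repository.

```python
from dataclasses import dataclass, field


class NotACollaborator(Exception):
    """Authorization failure expressed in domain terms."""


@dataclass
class Blog:
    blog_id: str
    collaborator_ids: set = field(default_factory=set)  # authorIds allowed to post
    posts: list = field(default_factory=list)

    def is_collaborator(self, author_id: str) -> bool:
        return author_id in self.collaborator_ids

    def add_post(self, author_id: str, title: str) -> dict:
        # Authorization is a domain rule: only a Collaborator may post here.
        if not self.is_collaborator(author_id):
            raise NotACollaborator(f"{author_id} is not a Collaborator of {self.blog_id}")
        post = {"blog_id": self.blog_id, "author_id": author_id, "title": title}
        self.posts.append(post)
        return post


class PostApplicationService:
    """Boundary of the Bounded Context; callers pass an already authenticated authorId."""

    def __init__(self, blogs: dict):
        self._blogs = blogs  # hypothetical in-memory stand-in for a repository

    def create_post(self, author_id: str, blog_id: str, title: str) -> dict:
        blog = self._blogs.get(blog_id)
        if blog is None:
            raise KeyError(blog_id)
        return blog.add_post(author_id, title)


# Constructed sample data. Web, REST and Console adapters would each authenticate
# in their own way and then call the same service with the resulting authorId.
BLOGS = {"blog-1": Blog("blog-1", {"author-1"})}
SERVICE = PostApplicationService(BLOGS)


def try_post(author_id: str, blog_id: str, title: str) -> str:
    try:
        SERVICE.create_post(author_id, blog_id, title)
        return "created"
    except NotACollaborator:
        return "denied"
```

Because the check lives in the Blog entity, an adapter that forgets to authorize cannot bypass it; it can only supply a wrong authorId, which is an Authentication concern of that adapter.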