A Party analogy to understand Authentication VS Authorisation
Assuming you’ve watched the hit Netflix series Lucifer, let’s say Lucifer arrives at a party. He arrives at the entrance and nobody stops him from entering because well, he freaking owns the nightclub — LUX! Lucifer actually lives in the penthouse of the building. So, it goes without saying that he has access to every nook and corner of Lux.
On the contrary, if you were to enter Lux, you would have to first acquire a pass and get past the security at the entrance; ergo, you would need to “authenticate yourself” as somebody who has paid and has permission to enter the nightclub. If you were let in, it basically means that you were authenticated and you’re free to wander and have fun in Lux (assuming you did not bribe the bouncers, if you did though, wouldn’t that be “hacking” your way in? 😂 Let me know in the comments).
Moving on,
As you’re partying, you see a VIP section and try to get in but you’re immediately stopped and asked to show that you have permission to enter. You tell them you have already shown your pass at the entrance, that you have already been “authenticated”, but that doesn’t cut it; ergo, you do not have permission or you have no proper authorisation to access the VIP section.
Authentication:
Receiving a 401 response is the server telling you, “you aren’t authenticated — either not authenticated at all or authenticated incorrectly — but please re-authenticate and try again.”
Authorisation:
Receiving a 403 response is the server telling you, “I’m sorry, I know who you are — I believe who you say you are — but you just don’t have permission to access this resource.”
Important note:
What you also have to understand from this example is this:
There is no Authorisation without Authentication
Makes sense?
Let’s recap
A 401 Unauthorised response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorised to perform the requested operation on the given resource.
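Here is the bouncer logic above as a small request handler (added example, not code from the original post). The token table, the club areas and their required roles are all made up for the example; note that authentication is always checked first, and that the 401 carries a WWW-Authenticate challenge so the client knows how to re-authenticate.

```python
# Constructed sample data for this example: bearer token -> user record.
# The names and tokens are hypothetical, not from the original post.
USERS = {
    "tok-guest-1": {"name": "guest", "roles": {"guest"}},
    "tok-lucifer": {"name": "lucifer", "roles": {"owner", "vip"}},
}

# Which roles may enter each area of the club (constructed for the example).
AREA_ROLES = {
    "/lux/floor": {"guest", "vip", "owner"},
    "/lux/vip": {"vip", "owner"},
    "/lux/penthouse": {"owner"},
}


def authenticate(headers):
    """Return the user record for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return USERS.get(token)


def handle_request(path, headers):
    """Return (status, response_headers, body) for one request."""
    user = authenticate(headers)
    if user is None:
        # Missing or bad credentials: 401 plus a challenge telling the
        # client how to authenticate and try again.
        return 401, {"WWW-Authenticate": 'Bearer realm="lux"'}, "please authenticate"
    allowed = AREA_ROLES.get(path)
    if allowed is None:
        return 404, {}, "no such area"
    if not user["roles"] & allowed:
        # Authenticated (we know who this is) but not permitted here: 403.
        return 403, {}, f"{user['name']} may not enter {path}"
    return 200, {}, f"welcome to {path}, {user['name']}"
```

One practical caveat: some APIs deliberately answer 404 instead of 403 for resources the caller may not even know exist, to avoid confirming that they do.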
I’ll see you in my next post. Till then, keep learning and have fun while you’re at it.
Keep on Hacking!
PS: I’m not a subject matter expert in any of these areas but I am learning. So, if you find any mistakes or have any suggestions, please leave a comment.