Authentication vs Identification vs Authorization

Fleeting

There are a few misunderstanding between those terms that lead to difficult discussions.

• authorization deals with accessing data, no matter who or what. There is no universal schema to represent all the kinds of data that were, are and will be, hence defining this schema is not a topic of authorization.
• identification is about accessing a specific kind of data: information about the user identity. There is a consensus about this kind of data, making room for a specific standard, like OpenID Connect.
• authentication is about making sure that the same people connect from one time to another. There are several factors that can be used and have different compromises in the security vs user experience balance.
  • one factor: have a proof that the entity has the same knowledge (like a password),
  • two factor: + have a proof that the entity has the same device (like a personal security device),
  • three factor: + have a proof that the entity has the same properties (like a fingerprint),
  • four factor: + have a proof that the entity is in the same location (like a wifi network),

Therefore, authentication is not at all about knowing the identity of the user and identification is not about finding out whether the same user connected this time.

Most people claim they do authentication with OpenID Connect. That is not totally false, as this is the protocol they used to get the information about the authenticated user. Yet it makes it unclear that a third party actually use a dedicated protocol to perform the authentication.

misconceptions

There are a lot of resources, even from apparently serious website, that make the confusion. No wonder why most people don’t understand those concept well.

For instance, nestjs says this

Once authenticated, the server will issue a JWT that can be sent as a bearer token in an authorization header on subsequent requests to prove authentication

— https://docs.nestjs.com/security/authentication

The fact that they claim that the authentication proof is given in a field called authorization does not seem to bother them. Plus, they refer to the bearer token rfc of OAuth 2, a protocol that clearly stipulates that it does not deal with authentication.

As if this was not enough, there are also confusions between permission vs authorization.

Notes linking here

• client get proof of authentication by asking for it
• misconcetions
• OAuth Sketch Notes Q&A - PKCE, Scopes, Security, Passwordless
• OpenIDconnect with Mike Jones

Permalink