Authentication 和 Authorization 的区别

Posted 2022-05-28 石头StoneWang

Authentication 和 Authorization 的区别

背景

我们经常会遇到这两个单词，有些人会有疑惑，但其实他们区分还是比较清晰的。

本人用大白话，用我自己的理解写出

区别

• authentication：是说 “鉴权” 的意思，主要是验证你是谁的问题。一般通过用户名和密码登录来确定你是谁，因为你知道用户名和密码所以你就是这个用户名所代表的人
• authorization：这个一般和 “授权” 有关，你没有authorization去做某个事情，意思是你没权限，并不是说不能确定你是谁

补充

那为什么是 401 是 Unauthorized 而不是 Unautheticated 呢？

这个其实是当初定义这个HTTP Status code的时候搞错了，参考

PS: 关于http的乌龙还有，把请求头的Referrer错误拼写成Referer！只能一直错下去了！

There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.

This is a response generally returned by your web server, not your web application.

It’s also something very temporary; the server is asking you to try again.

So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401.

Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.”

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.