Author : MD TAREQ HASSAN | Updated : 2020/05/31
What is Authentication
- The process or action of verifying the identity of a user (person or device)
- In computing, authentication is the process of verifying the identity of a person or device. A common example is entering a username and password when you log in to a website
Authentication is the act of validating that users are who they claim to be. Passwords are the most common authentication factor—if a user enters the correct password, the system assumes the identity is valid and grants access.
See:
What Is Authorization?
- Authorization is the process of giving someone permission to do or have something
- Authorization is the function of specifying access rights/privileges to resources, which is related to information security and computer security in general
- Authorization is a security mechanism to determine access levels or user/client privileges related to system resources including files, services, computer programs, data and application features
Authorization in system security is the process of giving the user permission to access a specific resource or function. This term is often used interchangeably with access control or client privilege.
Authentication vs. Authorization
Authentication is who you are & Authorization is what you can do. Authorization depends on authentication but they are not interchangeable.
Authentication is the process of verifying an identity. We are confirming that they are who they say they are, and typically we see authentication when a user provides something they know, such as username and password.
Authorization, on the other hand, is the process of verifying what someone is allowed to do. It is permissions and access control.
Courtesy: https://www.bu.edu/tech/about/security-resources/bestpractice/auth/
Authentication
Authentication is used by a server when the server needs to know exactly who is accessing their information or site. Authentication is used by a client when the client needs to know that the server is the system it claims to be. In authentication, the user or computer has to prove its identity to the server or client. Usually, authentication by a server entails the use of a user name and password. Other ways to authenticate can be through cards, retina scans, voice recognition, and fingerprints. Authentication by a client usually involves the server giving a certificate to the client in which a trusted third party such as Verisign or Thawte states that the server belongs to the entity (such as a bank) that the client expects it to. Authentication does not determine what tasks the individual can do or what files the individual can see. Authentication merely identifies and verifies who the person or system is.
Authorization
Authorization is a process by which a server determines if the client has permission to use a resource or access a file. Authorization is usually coupled with authentication so that the server has some concept of who the client is that is requesting access. The type of authentication required for authorization may vary; passwords may be required in some cases but not in others. In some cases, there is no authorization; any user may use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.
Using claims for access control in AspNetCore
- WebApp
  - When a user logs in, an IdentityUser (User) instance is created and is available to controllers and Razor views (and Razor Pages)
  - Use the [Authorize("fooClaim")] annotation => AspNetCore Identity checks the role/claim of the current user (using the IdentityUser instance)
- API
  - Configure ApiResources in the Identity Provider (IDP) such that the IDP includes the ‘role’ claim in the Access Token
  - The client uses the Access Token to consume the API
  - The API (AspNetCore app) uses the [Authorize("fooClaim")] annotation => AspNetCore Identity checks the role of the current user (extracting the role claim from the Access Token); the OpenID Connect / JWT bearer middleware helps AspNetCore Identity extract the role from the Access Token
Note: in AspNetCore, ‘attribute based’ / ‘claim based’ access control is preferred over role based access control
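The API case above, written out as an added example (not code from the original post): an ASP.NET Core 3.x API that authenticates the IDP's access token with the JWT bearer middleware and then enforces a claim-based policy named "fooClaim" via [Authorize("fooClaim")]. The IDP address, audience name, policy name and claim values are placeholders chosen for this example.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Authentication: validate the IDP's bearer token (issuer, signature, lifetime,
        // audience). This answers "who is calling?". Authority/audience are placeholders.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://idp.example.com"; // placeholder IDP
                options.Audience = "fooapi";                    // placeholder ApiResource
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Map the IDP's 'sub'/'role' JWT claims so User.Identity.Name and
                    // User.IsInRole see them; without this, role checks silently fail.
                    NameClaimType = "sub",
                    RoleClaimType = "role",
                };
            });
        // Authorization: the "fooClaim" policy passes only if the authenticated user's
        // claims include type "fooClaim" with value "true". Answers "what may they do?"
        services.AddAuthorization(options =>
            options.AddPolicy("fooClaim", policy =>
                policy.RequireAuthenticatedUser().RequireClaim("fooClaim", "true")));
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // must precede UseAuthorization, or every policy fails
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController, Route("api/[controller]")]
public class FooController : ControllerBase
{
    // [Authorize("fooClaim")] is shorthand for [Authorize(Policy = "fooClaim")]:
    // no valid token -> 401; valid token lacking the claim -> 403.
    [HttpGet, Authorize("fooClaim")]
    public IActionResult Get() => Ok(new { name = User.Identity.Name });
}
```

A token that fails signature, issuer, audience or lifetime validation never reaches the policy check, so the 401/403 split tells you whether authentication or authorization rejected the call.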