Identification vs. authentication vs. authorization

I sometimes notice the words "authentication" and "authorization" being used interchangeably. They sound similar to each other, they are both related to security, the HTTP specification names a header field that "allows a user agent to authenticate itself with an origin server" and has a value that "consists of credentials containing the authentication information of the user agent for the realm of the resource being requested" Authorization1 instead of calling it Credentials or Authentication at worst. So there is no wonder these words are confused sometimes.

Lately, I have been doing security-related work, and documenting was a part of the task. I had to define some commonly used security-related terms and decided to save the definitions for myself and others here. I also recommend looking at Java Authentication and Authorization Service (JAAS) Reference Guide and Oracle WebLogic Server Glossary.

Contents
  1. Subject
  2. Security domain
  3. Identity
  4. Principal
  5. Credential
  6. Identification
  7. Authentication
  8. Authorization

Subject

Subject — an entity that interacts with objects. In other words, the source of a request to the system, e.g., a person or another system.

See also JAAS subject, javax.security.auth.Subject.

Security domain

Security domain/realm — a set of subjects and objects the subjects can act upon, and security policies applied to them.

See also WebLogic security realm.

Identity

Identity — data that distinguishes an entity (either a subject or an object) from other entities within a given scope, i.e., within a set of security domains.

Note that a subject may have multiple identities, e.g., a login name or a Social Insurance Number (SIN)2.

Principal

Principal — the identity of an authenticated subject.

See also JAAS principal, java.security.Principal, WebLogic principal.

Credential

Credential — a security-related attribute of a subject that may be used to authenticate the subject.

A subject may have multiple credentials, which may be either public or private, i.e., requiring special protection. For example, a password is a private credential, while a login name is a public credential. Note that a login name is also an identity and it is not unusual for an identity to be used as a public credential.

Identification

Identification — a process of unambiguous differentiation of a subject from other subjects.

For example, when I hear the name "Doug Lea" I can unambiguously differentiate (identify) that this name (identity) belongs to a professor of computer science specialized in concurrent programming, whose name is Doug Lea (subject). There are many humans with this name, but I have knowledge about only one of them (my security domain contains a single subject with the name "Doug Lea"). If I knew more than one human named "Doug Lea", then this name alone would not have been enough to identify the subject, but both a name and a birth date could have been sufficient.

Authentication

Authentication — a process of verifying the identity of a subject.

In other words, authenticating means determining whether a subject is in fact what it claims to be.

Consider the following example. A man (subject) tells me that his name is "Doug Lea" (claimed identity), and I can identify that this name belongs to a professor of computer science specialized in concurrent programming, whose name is Doug Lea. At this point, I cannot be sure the man who claims that he is Doug Lea is actually a man that is identified by me as professor Doug Lea. In order to be sure, I would need to, for example, look at his face (credentials) and compare it with the mental image I have—if they match, then I successfully authenticated the subject. If we were to communicate over the Internet without the ability to transmit images, then in order to prove the identity3 he could have done something that only the Doug Lea I have knowledge about could do, e.g., add the random text I sent him to the Doug Lea's home page.

See also WebLogic authentication.

External authentication, a.k.a. perimeter authenticationauthentication that occurs outside the system that is being accessed. The external system that performs the authentication is usually called an identity provider or authentication agent/server and is trusted by the system that is being accessed. The identity provider communicates the result of successful authentication, which includes the identity of the authenticated subject, to the system via an artifact that is usually called a token or an assertion. A token may contain information that is used by the system to verify its authenticity, i.e., that it was created by the trusted identity provider.

Single sign-on (SSO) is implemented by utilizing the external authentication approach, but this approach may often be used just to move the authentication burden to a different system. Kerberos, LDAP authentication, RADIUS, OpenID are all examples of external authentication.

See also WebLogic perimeter authentication.

Authorization

Authorization — a process of establishing whether a subject is allowed to do the requested action according to the security policies.

Identification, authentication, and authorization are crucial parts of implementing access control in a system.

  1. The HTTP/1.1 Authorization header field was a part of HTTP/1.0 and is also a part of HTTP/2 specification according to the section 8. HTTP Message Exchanges:

    "the specification and requirements of HTTP/1.1 Semantics and Content [RFC7231], Conditional Requests [RFC7232], Range Requests [RFC7233], Caching [RFC7234], and Authentication [RFC7235] are applicable to HTTP/2. Selected portions of HTTP/1.1 Message Syntax and Routing [RFC7230], such as the HTTP and HTTPS URI schemes, are also applicable in HTTP/2"

  2. How fucking brain-damaged should meat bags, a.k.a. humans, be to use in 2020 an identity which at the same time acts as a private credential, which its owner must both protect and share with many unrelated parties? Though, taking into account how humans perverted the concept of money, it is clear, that human stupidity is infinite. 

  3. This example turned out to be silly to an extent. We have never actually communicated, and I believe Doug Lea has more interesting and important things than communicating with me, let alone proving his identity to me.