5.1.1. Authentication and authorization basics

Authentication is a method to ensure that certain services (access to a server, etc.) can be used only by the clients allowed to access the service. The process generally called as authentication actually consists of three distinct steps:

  • Identification: Determining the clients identity (e.g.: requesting a username).

  • Authentication: Verifying the clients identity (e.g.: requesting a password that only the real client knows).

  • Authorization: Granting access to the service (e.g.: verifying that the authenticated client is allowed to access the service).

    Note

    It is important to note that although authentication and authorization are usually used together, they can also be used independently. Authentication verifies the identity of the client. There are situations where authentication is sufficient, because all users are allowed to access the services, only the event and the user's identity has to be logged. On the other hand, authorization is also possible without authentication, for example if access to a service is time-limited (e.g.: it can only be accessed outside the normal work-hours, etc.). In such situations authentication is not needed.