在web应用程序中有什么不同?我经常看到缩写“auth”。它是代表认证还是授权?或者两者都有?


当前回答

身份验证是验证您的登录用户名和密码的过程。

授权是验证您是否可以访问某些内容的过程。

其他回答

身份验证是验证您的登录用户名和密码的过程。

授权是验证您是否可以访问某些内容的过程。

假设你注册了一个技术会议。你到了,走到外面的登记桌前领取你的会议徽章。你必须先出示某种形式的身份证明,比如驾照。你的驾照可以识别你的身份(比如你的照片),并由一个受信任的实体(车管所)分发。这就是身份验证。

工作人员将你的徽章交给你,徽章是红色、蓝色或绿色的。在会场内走一圈,你会发现一些展品都是用颜色标注的。有了绿色徽章,您可以进入绿色的展品,但不能进入蓝色或红色的展品。徽章不是由DMV分发的,而是由会议本身分发的,用于访问会议厅内的会议资源。

徽章上不一定有任何可以识别你的东西(徽章上可能印着你的名字,但你可以很容易地借用你朋友的蓝色徽章去参观蓝色展览——没有人会检查你的名字,只有蓝色)。你徽章的颜色允许你进入展品。这就是授权。

  Authentication Authorization
What does it do? Verifies credentials Grants or denies permissions
How does it work? Through passwords, biometrics, one-time pins, or apps Through settings maintained by security teams
Is it visible to the user? Yes No
It is changeable by the user? Partially No
How does data move? Through ID tokens Through access tokens

更详细的答案请参考:https://www.okta.com/identity-101/authentication-vs-authorization/

Authentication是一个验证的过程:

系统中的用户身份(用户名、登录名、电话号码、电子邮件……),通过提供证明(密钥、生物识别、短信……)作为扩展的多因素身份验证。 使用数字签名检查电子邮件[关于] 校验和

授权是身份验证之后的下一步。它是关于资源的权限/角色/特权。OAuth(开放授权)是授权的一个例子

正如身份验证vs授权所言:

Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions: Who is the user? Is the user really who he/she represents himself to be? Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the datbase, while giving other individuals the ability to change data. Authorization systems provide answers to the questions: Is user X authorized to access resource R? Is user X authorized to perform operation P? Is user X authorized to perform operation P on resource R?

参见:

Wikipedia上的身份验证与授权