Authentication (401) versus Authorization (403)

As the title suggests, what is the difference between authentication and authorization?

  • Authentication: the process to confirm who you are.

You persuade the server that you are the user with the username foo by supplying your account password bar. The process of checking your credentials (username and password) is called authentication. If the credentials you provided are valid, you are authenticated.

When authentication succeeds, the server should return a 200 OK status. Otherwise, it should return 401 Unauthorized.

401 Unauthorized is returned when a user is not authenticated. The name does not make that very clear at first, since it says "Unauthorized" rather than "Unauthenticated", but that is what it means.

  • Authorization: the process that happens after authentication, usually tied to business logic, to confirm the user's privileges.

The server now knows who you are. But that does not mean you can do anything in the system. Using the identity confirmed during authentication, the server also confirms that you can do something (access a resource, execute a privileged operation, etc.). You are now authorized.

If authorization fails, the server should return a 403 Forbidden status.
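
The two checks described above, as an added example that is not part of the original post: a request handler that authenticates first (401 on failure, with the `WWW-Authenticate` challenge that a 401 response must carry) and only then authorizes (403 on failure). The user store, permission names, realm, static salt, and the helpers `authenticate`, `handle` and `basic` are assumptions made for this sketch; HTTP Basic credentials are used because the post talks about a username and password.

```python
from __future__ import annotations
import base64
import hashlib
import hmac

# Constructed sample data (assumptions): users, permissions, one static salt.
# A real store would use a per-user random salt.
SALT = b"example-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"foo": _hash("bar"), "admin": _hash("s3cret")}
PERMISSIONS = {"foo": {"read:report"}, "admin": {"read:report", "delete:report"}}

def authenticate(headers: dict) -> str | None:
    """Return the username if the Basic credentials are valid, else None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        username, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    if not sep:
        return None
    # Hash even for unknown users and compare in constant time to limit timing leaks.
    expected = USERS.get(username, _hash("dummy"))
    ok = hmac.compare_digest(expected, _hash(password))
    return username if ok and username in USERS else None

def handle(headers: dict, required_permission: str) -> tuple[int, dict]:
    """Return (status, response headers) for a request needing required_permission."""
    user = authenticate(headers)
    if user is None:
        # 401: identity not established; tell the client how to authenticate.
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    if required_permission not in PERMISSIONS.get(user, set()):
        # 403: identity is known but the privilege is missing; retrying the login will not help.
        return 403, {}
    return 200, {}

def basic(username: str, password: str) -> dict:
    """Build a constructed Authorization header for trying out handle()."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```

For instance, `handle(basic("foo", "bar"), "delete:report")` yields 403 because foo is authenticated but lacks that permission, while the same request with a wrong password yields 401.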