
I don’t think they are almost identical; they just have the same prefix. “Login” and “permission” each have the same problem: “login” is very similar to “logging”, and “permission” shares a prefix with “persistence” (or “permanent”). Ultimately, software engineering is a broad enough field that we will necessarily have to use similar words to describe the many, many concepts.



The issue is that they have the same prefix AND that unfortunately this prefix is used to abbreviate both words.

What does the "auth" module do?


We shouldn't use that abbreviation, then.


Given that _AuthN_ and _AuthZ_ are in common technical use, I would expect something handling _Auth_ to work on both _AuthN_ and _AuthZ_.


Me, reading a thread on Hacker News, where a different team that used to build the auth service just transferred ownership of the service to my team, which builds the authz service....


Not a good analogy.

“Permission” and “persistence” have the same prefix but entirely different semantics. They also occur more commonly in everyday life.

AuthN and AuthZ are similar in spelling, appear in similar contexts, and are less colloquial, making the distinction a lot less clear.

There’s a reason many junior devs use them interchangeably without knowing better.


Okay fair enough about it not being a perfect analogy.

I think the reason junior devs get them confused is that many junior devs are never taught anything about either in school. But then you just tell the junior dev that they mean different things and in my experience they only need to be told that once.

Ultimately I think it’s fine to use vocabulary.


But authentication and authorization are often used in the same context where confusion is lethal.


Why would it be "lethal"?

As a dev you're either building or hooking up to either or both of them. And you know what each requires you to build / hook up to.

As a user, you just care: "I put my login/password/api key here, and I get the capability to do several things in that webpage/service/etc." Both auth and the other auth are handled for you.


Ever heard of a hyperbole?

And if the other dev made an error and confused authorization and authentication you have a problem.

Stupider mistakes have been made and it is a sign of overconfidence if you think you are immune to them.


>Ever heard of a hyperbole?

Yes, primarily I've heard that it is to be avoided in technical discussions...


The real problem is that people don't have a clear differentiation between authN and authZ. You being you doesn't mean you or they consent to something; those are separate, though very close.

Hence the confusion and the ambiguous shorthand "auth". You auth and get everything. You fail to auth and you don't have access. That covers ~80% of any authentication-authorization-accounting system's use cases, and that allows people to be care-free about the differences.
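The "you auth and get everything" pattern described in the comment above, shown next to the separated form, as an added example that is not part of the thread or of any poster's code. The API keys, users, resources and the permission table are constructed sample data; the function names are hypothetical. Authentication answers "who is calling" and authorization answers "may this caller do this"; the confused handler stops after the first question, so any valid key can perform any action.

```python
"""Added example (not from the thread): keeping authN and authZ apart.

All data below is constructed for illustration; names are hypothetical.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: store only hashes of API keys, never the raw keys.
def _key_hash(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

API_KEY_HASHES = {
    _key_hash("alice-key-123"): "alice",
    _key_hash("bob-key-456"): "bob",
}

# Authorization policy (constructed): (principal, action, resource) tuples that are allowed.
# Anything not listed is denied.
PERMISSIONS = {
    ("alice", "read", "report-1"),
    ("alice", "delete", "report-1"),
    ("bob", "read", "report-1"),
}


@dataclass
class Request:
    api_key: Optional[str]
    action: str
    resource: str


def authenticate(api_key: Optional[str]) -> Optional[str]:
    """AuthN: establish who is calling. Returns the principal name or None."""
    if not api_key:
        return None
    digest = _key_hash(api_key)
    for stored, principal in API_KEY_HASHES.items():
        # Constant-time comparison of the hashes avoids leaking match length.
        if hmac.compare_digest(stored, digest):
            return principal
    return None


def authorize(principal: str, action: str, resource: str) -> bool:
    """AuthZ: decide whether an already identified principal may act. Deny by default."""
    return (principal, action, resource) in PERMISSIONS


def handle_confused(req: Request) -> int:
    """The 'auth and get everything' handler: only authentication is checked."""
    if authenticate(req.api_key) is None:
        return 401
    # No authorization step: bob can delete report-1 with a perfectly valid key.
    return 200


def handle(req: Request) -> int:
    """Authenticate, then authorize, with distinct failure codes for each step."""
    principal = authenticate(req.api_key)
    if principal is None:
        return 401  # not authenticated: we do not know who this is
    if not authorize(principal, req.action, req.resource):
        return 403  # authenticated, but this principal may not do this
    return 200


if __name__ == "__main__":
    bad = Request("bob-key-456", "delete", "report-1")
    print("confused handler:", handle_confused(bad), "separated handler:", handle(bad))
```

The distinct 401 and 403 responses are the practical tell: a service that can only ever answer 401 is usually one where "auth" meant authentication alone and the authorization question was never asked.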

