> They are long, not easy to pronounce, sound too similar, have the first 4 and last 5 characters the same, they mean wildly different things and yet get interchangeably used as "authn".
This is a complaint about the English language. We still use many English words that are confusing. The computer science department is perhaps not the best place to reform an entire human language.
"AuthN" is shorthand for autheNtication.
"AuthZ" is shorthand for authoriZation.
"AuthN+Z" is shorthand for something that provides both.
> If I give you keys to a room with the number 101 on it, is that authentication or authorization, or none?
Authorization.
To authenticate is to prove who you are. To authorize is to grant access. The key does not prove who you are, it proves you have access to the room.
> If a gatekeeper says "sorry, invalid auth", what the f does that even mean?
Means either authentication or authorization or both failed. This is a complaint about a stupid programmer who can't communicate properly, not about a word.
Bet you a million dollars they'll output the error "invalid login" when it's actually a permissions issue (user can't log into this site/tenant/group/resource, not because the username or password was wrong, but because they didn't have the right role assigned). Changing the word won't make the programmer make fewer mistakes.
> An expired token, is that authentication failure or authorization error?
Authentication.
'Tokens' are not one thing (many things can be called 'a token' and be used in different ways... again, choose the right term to communicate properly), but generally speaking, 'tokens' are things you use to authenticate your identity, and the backend system matches the authenticated token with the authorized roles.
> What about a fake token? A token with a valid signature but the wrong audience?
Authentication. Authentication and/or authorization (depends on how your example works).
> It's such a fu*ing mess.
The concepts can be difficult to understand at first. Use them more and they make more sense.
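The reply above answers three token questions in turn (expired, forged, wrong audience) and then complains about gatekeepers that collapse every failure into "invalid auth" or "invalid login". The following is an added example, not code from the original thread or from any project discussed in it, showing a gatekeeper that keeps the two stages apart. It mints and checks a minimal HMAC-signed "payload.signature" token (a deliberately stripped-down JWT-like format, constructed here for illustration; the key, the audience name `room-service`, the role names and the `Decision` type are all assumptions of this example). Signature, expiry and audience are checked first and any failure there is reported as an authentication failure (the token does not prove who the caller is to this service); only once identity is established does the role check run, and a miss there is reported as an authorization failure with a distinct message and status code. Treating an audience mismatch as an authentication failure is one defensible choice, consistent with the reply's "depends how your example works".

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical shared HMAC key and the audience name of this service.
# Both are constructed for this example, not values from the thread.
SECRET = b"example-shared-secret-not-for-production"
THIS_AUDIENCE = "room-service"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as compact tokens usually use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint a 'payload.signature' token over a JSON claim set (illustrative format)."""
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


@dataclass
class Decision:
    ok: bool
    stage: str        # "authn", "authz" or "ok": which question failed
    reason: str       # a message a gatekeeper could actually show
    http_status: int  # 401 for authn failures, 403 for authz failures


def check_request(token: str, required_role: str,
                  now: Optional[float] = None, key: bytes = SECRET) -> Decision:
    """Answer two separate questions instead of one blurred 'invalid auth'.

    AuthN: is this token genuine proof of identity, for this service, right now?
    AuthZ: does the identity it proves hold the role this resource requires?
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return Decision(False, "authn", "malformed token", 401)

    # A forged or tampered token fails the signature check: nothing about the
    # caller has been proven, so this is an authentication failure.
    expected = hmac.new(key, payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return Decision(False, "authn", "bad signature", 401)

    try:
        claims = json.loads(_unb64(payload_b64))
    except ValueError:
        return Decision(False, "authn", "undecodable payload", 401)

    # An expired token was once proof of identity but no longer is.
    if claims.get("exp", 0) <= now:
        return Decision(False, "authn", "token expired", 401)

    # Genuine signature, but issued to prove identity to some other service.
    # This example treats that as an authentication failure for *this* service.
    if claims.get("aud") != THIS_AUDIENCE:
        return Decision(False, "authn", "wrong audience", 401)

    # Identity is established. Only now do we ask what the caller may do;
    # a miss here is a permissions problem, not an "invalid login".
    subject = claims.get("sub", "?")
    if required_role not in claims.get("roles", []):
        return Decision(False, "authz",
                        f"{subject} lacks role {required_role!r}", 403)
    return Decision(True, "ok", f"{subject} may {required_role}", 200)


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the example is reproducible
    alice = issue_token({"sub": "alice", "aud": THIS_AUDIENCE,
                         "roles": ["open:101"], "exp": now + 600})
    print(check_request(alice, "open:101", now=now))   # ok
    print(check_request(alice, "open:102", now=now))   # authz, 403
    forged = issue_token({"sub": "alice", "aud": THIS_AUDIENCE,
                          "roles": ["open:102"], "exp": now + 600},
                         key=b"attacker-guessed-key")
    print(check_request(forged, "open:102", now=now))  # authn, bad signature
```

The point of the two status codes is the one the reply makes about the "invalid login" message: a caller holding the wrong role is told they lack a permission, while a caller with an expired or forged token is told their proof of identity is not accepted, and the two are never reported with the same words.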
> To authenticate is to prove who you are. To authorize is to grant access.
We should be screaming this type of thing from the rooftops. I struggled so much with the difference until someone said something to this effect. AuthN = who you are, AuthZ = what you can do. People seem to get confused because certain classes of individuals have certain rights and think it's the "who" that's important and not the role.
If a concept is already painful to understand, is it prudent to make the pain worse by choosing words that could be examples of grammatical alliteration?
Is it really a computer science department vs. English department thing?
The article suggests better, more suggestive alternative words to alleviate the confusion.
My comment rants about the premise of the article: poor choice of words.
We can debate a long time about whether keys with the label 101 on them are authentication or authorization or none.
My and OP's point is that a better choice of words can avoid these debates and make the world a little less ambiguous.
> My and OP's point is that a better choice of words can avoid these debates and make the world a little less ambiguous.
If you changed the words to different ones, we would just be having a different debate, because two words cannot resolve the inherent complexity of the subject matter. It would still be ambiguous because the concepts themselves are too complex to address in two words. You would, however, feel like they were simpler, because you chose simpler words that only cover a small fraction of the overall subject matter. This is a self-deception; you'll feel safer in your understanding of what's going on, but you will still have the same problems when trying to use them in different cases. Call it "login" or "jskjfhskjdf", your experience in doing engineering with them will be the same.
("login" does not encompass everything that is authentication, and "permissions" does not encompass everything that is authorization. There are "authentication permissions" and "authorization permissions", and some systems authenticate without "logging in". So you're still going to be confused later on with this choice of words, even if they had the same definitions as the current words.)
A token can also contain the roles themselves. Though proper usage of roles as groups of permissions can also go interestingly wrong in practice for many.