When I was learning about OAuth, I realized there’s a common mix-up between authentication and authorization. Here’s a quick post to clear up the differences.
Authentication is all about verifying who the user is. In other words, it answers the question: “Who are you?”
Authorization is about determining what the user is allowed to do. It answers the question: “What can you do?”
Imagine Bob is the president of a school. When he logs into the school system, authentication makes sure it’s really Bob and not someone pretending to be him. Once he’s logged in, authorization decides what actions Bob can take—like hiring or firing staff.