Authenticating and authorizing users
Authentication is the process of verifying the identity of a user by validating their credentials against some authority. Credentials include a username and password combination, or a fingerprint or face scan.
Once authenticated, the authority can make claims about the user, for example, what their email address is, and what groups or roles they belong to.
Authorization is the process of verifying membership of groups or roles before allowing access to resources such as application functions and data. Although authorization can be based on individual identity, it is good security practice to authorize based on group or role membership (that can be indicated via claims) even when there is only one user in the role or group. This is because that allows the user's membership to change in the future without reassigning the user's individual access rights.
For example, instead of assigning access rights to launch a nuclear strike...
