Identification versus authentication versus authorization
People often use these words interchangeably, since the three steps are usually performed at the same moment, but in reality they are critically different concepts. We can define them as follows:
Identification: This is an action in which the user (untrusted party) declares his identity.
Authentication: This is the action(s) that proves the user is who he claims to be.
Authorization: This is the action(s) required to determine which actions a specific user can perform.
To bring this into the real world, let's take an easy example and analyze the various phases: a web login with a username and password.
Let's imagine you are logging into your OpenStack Dashboard. The username you put in the username field is the identification part. You assert who you are, and the system trusts you on this. However, to let you do anything, the system needs to authenticate you. To do so, it needs your password and will check whether the...
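As an added illustration (not code from the original text or from OpenStack), the three phases can be written as three separate functions for a username-and-password login. The accounts, roles, action names and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _account(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}

# Constructed sample data: usernames, passwords and roles are made up.
USERS = {"alice": _account("correct horse", "admin"),
         "bob": _account("battery staple", "member")}
# Hypothetical policy: the actions each role may perform.
POLICY = {"admin": {"list_servers", "delete_server"},
          "member": {"list_servers"}}
# Verified against when the username is unknown, so both failures do similar work.
_DUMMY = _account("unused", "none")

def identify(username: str):
    """Identification: an unverified claim. Only looks the account up."""
    return USERS.get(username)

def authenticate(username: str, password: str):
    """Authentication: prove the claim. Returns the username or None."""
    account = identify(username)
    record = account or _DUMMY
    ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    return username if (account is not None and ok) else None

def authorize(principal, action: str) -> bool:
    """Authorization: may this authenticated principal perform the action?"""
    if principal is None:
        return False
    return action in POLICY.get(USERS[principal]["role"], set())

def request(username: str, password: str, action: str) -> str:
    principal = authenticate(username, password)
    if principal is None:
        # Same answer for an unknown user and a wrong password.
        return "401 invalid credentials"
    if not authorize(principal, action):
        return "403 forbidden"
    return "200 ok"
```

A successful identification grants nothing on its own: `authorize` only accepts the value returned by `authenticate`, and an authenticated user is still refused actions outside the role's policy.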