API Security with ASP.NET Core 5.0 and Azure AD for Dummies

This post is part of a complete blog series.

Authentication vs authorization

It’s important to understand the difference between these two concepts:

Authentication

Authentication is the process of determining whether API consumers are who they claim to be.

Within Azure Active Directory, there are different ways to authenticate:

  • Users: username + password, preferably combined with MFA, …
  • Applications: client id + secret, client id + certificate, managed identity, …

After a successful authentication, Azure AD issues signed access tokens (JWTs) with a limited lifetime. The API must verify these access tokens to establish the identity of the API consumer.

Authorization

Authorization is the process of determining what API consumers are allowed to access.

With Azure Active Directory, these are the three main options:

  • Access control list
  • Delegated permissions
  • Application roles

These options will be further explored in the next parts. Custom authorization schemes are also possible; these are often implemented for a specific business context and are out of scope for this series.
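As an added example (not code from this series), this is how the two concepts above map onto an ASP.NET Core 5.0 API: the JWT bearer middleware performs authentication by validating the Azure AD token's signature, issuer, audience and lifetime, while authorization policies and `[Authorize]` decide what the authenticated caller may do. The tenant id, the API's application id URI and the `Orders.Read` app role are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // AUTHENTICATION: validate the Azure AD access token on every request. Authority points at
        // the tenant's OpenID Connect metadata, from which the signing keys are downloaded.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0"; // placeholder
                options.Audience = "api://<api-client-id>";                                // placeholder
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,           // token must be issued by this tenant
                    ValidateAudience = true,         // token must be intended for this API
                    ValidateLifetime = true,         // expired or not-yet-valid tokens are rejected
                    ValidateIssuerSigningKey = true, // signature must match a published key
                    RoleClaimType = "roles"          // Azure AD app roles arrive in the "roles" claim
                };
            });

        // AUTHORIZATION: decide what an authenticated caller may do. This policy requires
        // an app role (one of the options listed above); "Orders.Read" is a placeholder name.
        services.AddAuthorization(options =>
            options.AddPolicy("CanReadOrders", policy => policy.RequireRole("Orders.Read")));
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // who is calling? Populates HttpContext.User from the token.
        app.UseAuthorization();  // may they call this endpoint? Evaluates [Authorize] policies.
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
[ApiController, Route("orders")]
public class OrdersController : ControllerBase
{
    // 401 without a valid token (authentication), 403 without the role (authorization).
    [HttpGet, Authorize(Policy = "CanReadOrders")]
    public IActionResult Get() => Ok(new[] { "order-1" });
}
```

The bearer middleware comes from the Microsoft.AspNetCore.Authentication.JwtBearer NuGet package; the order of `UseAuthentication` before `UseAuthorization` matters, since a policy can only be evaluated against an already established identity.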
