Two different questions
Identity systems answer two separate questions that are easy to confuse:
- Authentication asks "who are you?" It verifies a claimed identity using something the user knows, has, or is.
- Authorization asks "what may you do?" Given a known identity, it decides whether an action is permitted.
Authentication always comes first. You cannot decide what a user may do until you know who they are. A login form, a passkey prompt, and a token check are all authentication steps.
Where each one lives
In a typical request the boundaries look like this:
- The identity provider authenticates and issues a credential such as a token.
- The resource server authorizes by inspecting that credential and applying access rules.
Mixing the two leads to bugs. A common mistake is treating a valid token as proof of permission. A token proves identity, but the server must still check that this identity may read this record.
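To make the boundary concrete, here is an added example (not code from the original page) that models both halves of the request above in Python: an identity-provider function that issues a signed token, a resource-server `authenticate` step that only recovers the subject, and a separate `authorize` step that applies an ownership rule. The signing key, the record store and the token format are constructed for the example; the insecure handler reproduces the mistake of treating a valid token as permission, and the corrected handler shows the second check the text calls for.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key shared by the identity provider and the resource server.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Constructed resource store: record id -> owner and contents.
RECORDS = {
    "rec-1": {"owner": "alice", "body": "alice's notes"},
    "rec-2": {"owner": "bob", "body": "bob's notes"},
}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(subject: str) -> str:
    """Identity provider: after verifying the user, bind the subject into a signed token."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def authenticate(token: str):
    """Resource server, step 1 (who are you?): return the subject, or None if the token is invalid."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def authorize(subject: str, action: str, record_id: str) -> bool:
    """Resource server, step 2 (what may you do?): apply the access rule to a known identity."""
    record = RECORDS.get(record_id)
    if record is None:
        return False
    if action == "read":
        # Constructed rule for the example: only the owner may read a record.
        return record["owner"] == subject
    return False


def read_record_insecure(token: str, record_id: str):
    """The mistake from the text: a valid token is treated as permission to read anything."""
    if authenticate(token) is None:
        return (401, None)
    record = RECORDS.get(record_id)
    return (200, record["body"]) if record else (404, None)


def read_record(token: str, record_id: str):
    """Corrected handler: authenticate first, then authorize the identity for this record."""
    subject = authenticate(token)
    if subject is None:
        return (401, None)          # not authenticated
    if not authorize(subject, "read", record_id):
        return (403, None)          # authenticated, but not permitted
    return (200, RECORDS[record_id]["body"])


if __name__ == "__main__":
    alice = issue_token("alice")
    print(read_record_insecure(alice, "rec-2"))  # returns bob's record: the bug
    print(read_record(alice, "rec-2"))           # 403: identity does not imply permission
    print(read_record(alice, "rec-1"))           # 200: alice reads her own record
```

The status codes follow the usual split: 401 when authentication fails, 403 when the identity is known but the rule denies the action. Keeping `authenticate` and `authorize` as separate functions makes the missing second check visible in code review, which is the point of the distinction the text draws.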
Key idea
Authentication establishes identity and authorization grants access. They are separate steps, and a verified identity never automatically implies permission.