BuddyPress: authentication versus authorization
By Jeff Sayre
When it comes to user access to computer-based systems, access control has two subgroupings: authentication and authorization. Authentication is the process of verifying that a given user is indeed who they claim to be. This is taken care of initially by the registration process and subsequently by the login script. Authorization is the process of verifying and managing the access rights a given authenticated user has to certain objects. This is usually accomplished through access control lists (ACLs). An ACL is a listing of what access rights, or authority, a given authenticated user has to a given object or set of objects.
The term “auth” is often used interchangeably for authentication or authorization. But there are significant differences in meaning between these two terms. So as not to confuse people, new terminology has been created to clearly differentiate between the two.
Because of this confusion, the process of authentication is now often referred to as A1, or AuthN, or simply Au. The process of authorization is now often referred to as A2, or AuthZ, or simply Az. Since authentication must come before authorization, the A1–A2 ordering of the terms is evident. This also explains the alternate names of my component: BPAz and BP–Authz.
In brief, the following logic describes BPAz:
- Authentication is different from authorization. The former must come before the latter.
- Users are the focus of social networks. They should have primacy when considering platform functionality. They are the super objects that create all content and therefore should have control over that content.
- Therefore, each object is created and owned by a user.
- Only authenticated objects should have control over authorizations.
- Users are the only objects that get authenticated.
- Users are the only objects that can set and manage authorizations.
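The following is an added illustration of the AuthN/AuthZ split described above and of the BPAz rules that every object is owned by a user and that only an authenticated owner may manage its ACL. It is not BuddyPress or BPAz code; the names (`User`, `Session`, `Obj`, `authenticate`, `grant`, `is_authorized`) and the sample users are constructed for this example.

```python
"""Minimal model of the AuthN / AuthZ separation: users are the only
principals that authenticate, every content object has one user owner,
and only the authenticated owner can edit an object's ACL.
Constructed example; nothing here is BuddyPress or BPAz code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class AuthenticationError(Exception):
    """Raised when credential verification (AuthN, A1) fails."""


class AccessDenied(Exception):
    """Raised when an authorization check (AuthZ, A2) fails."""


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:
    """Proof that AuthN completed; issued only by authenticate()."""
    user: User


@dataclass
class Obj:
    """A content object, created and owned by exactly one user.
    The ACL maps a user name to the set of rights it holds."""
    obj_id: str
    owner: User
    acl: dict = field(default_factory=dict)


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked directory does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(directory: dict, name: str, password: str) -> User:
    """Registration step: store a salted hash, never the password."""
    salt = os.urandom(16)
    user = User(name, salt, _hash(password, salt))
    directory[name] = user
    return user


def authenticate(directory: dict, name: str, password: str) -> Session:
    """AuthN: verify the caller is who they claim to be (login step)."""
    user = directory.get(name)
    if user is None or not hmac.compare_digest(user.pw_hash, _hash(password, user.salt)):
        raise AuthenticationError("bad credentials")
    return Session(user)


def create_object(session: Session, obj_id: str) -> Obj:
    """Objects are created by, and owned by, an authenticated user."""
    obj = Obj(obj_id, session.user)
    obj.acl[session.user.name] = {"read", "write"}
    return obj


def grant(session: Session, obj: Obj, grantee: str, rights: set) -> None:
    """AuthZ management: only the authenticated owner may edit the ACL."""
    if session.user is not obj.owner:
        raise AccessDenied(f"{session.user.name} does not own {obj.obj_id}")
    obj.acl.setdefault(grantee, set()).update(rights)


def is_authorized(session: Session, obj: Obj, right: str) -> bool:
    """AuthZ check: look the authenticated user up in the object's ACL."""
    return right in obj.acl.get(session.user.name, set())


def demo() -> dict:
    """Walk through registration, login, ownership and ACL management."""
    directory: dict = {}
    register(directory, "alice", "correct horse")   # constructed sample users
    register(directory, "bob", "battery staple")
    alice = authenticate(directory, "alice", "correct horse")
    bob = authenticate(directory, "bob", "battery staple")
    post = create_object(alice, "post-1")
    results = {"bob_reads_before": is_authorized(bob, post, "read")}
    try:
        grant(bob, post, "bob", {"read"})  # authenticated, but not the owner
        results["bob_self_grant"] = True
    except AccessDenied:
        results["bob_self_grant"] = False
    grant(alice, post, "bob", {"read"})    # the owner manages authorization
    results["bob_reads_after"] = is_authorized(bob, post, "read")
    results["bob_writes_after"] = is_authorized(bob, post, "write")
    try:
        authenticate(directory, "bob", "wrong password")
        results["bad_login"] = True
    except AuthenticationError:
        results["bad_login"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that a `Session` can only come out of `authenticate()`, so every AuthZ function takes proof of AuthN as its first argument; a caller who has not logged in has no way to reach `grant()` or `is_authorized()`, and a logged-in user who is not the owner is still refused when trying to change an ACL.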