Authentication is just validation of identity. For example when I rent a car at an airport, I have to show my driver’s license and credit card, where names on both of them have to match. Together these two forms of identity are used by the rental car company to validate my identity (i.e. authentication). Authorization is where they actually give me the car i.e. access to the car is the authorization. In US once the rental car company verifies a user’s identity and holds certain amount of money (as deposit) on the credit card, the end user is guaranteed access to the car. The car company is out of loop once I have the car is in my possession. They cannot regulate my driving habits, speed and where I drive the car. This in essence is coarse grained authorization. The rental car company:
- Authenticates customers using drivers license and credit card
- Authorization essentially involves holding back some money (i.e. deposit) on the credit card
- At the end of authorization, the car company hands off the car to its customer and is essentially out of loop
Many legacy applications work the same way, they have some checks upfront and then they hand off the keys to the end user. From that point, applications only have limited ability to control individual actions of the end user.
Now, imagine if cars supported fine grained authorization. After authenticating a customer, rental Car Company would load customer’s authorization policies into the car such as:
- Drivers cannot exceed the speed limit
- Maximum speed allowed in 60 MPH
- Acceleration of the car is limited based on user’s past driving record
- Users are warned when they are driving outside of the designated area
As you may have noticed, with fine grained authorization the rental company has never given up control of their car vs. coarse grained authorization, where they perform some checks and then handed off the keys.
Coarse grained authorization essentially focuses on controlling access to URL (i.e. car keys), once a user is authorized to access the URL, you loses all further control. Fine grained authorization focuses on securing the underlying services and data.
The reason both coarse grained and fine grained authorization products exist in the market place is because each offer certain advantages. Based on the problem at hand, you need to pick the best approach.
This real life explanation of fine grained authorization and coarse grained authorization has been beautifully explained here.