“Authorization = credentials”

A fundamental concept in identity and access is the distinction between authentication and authorization. Authentication is the process by which a user confirms identity — confirms that the user is the identity that she/he claims to be. Often, this takes the form of supplying valid credentials: username and password.

Authorization, on the other hand, is the process of verifying that the user has permission to take a particular action on a particular protected resource. This is often downstream of authentication; after the identity of the user is established, the user’s permissions are compared to the requirements of the protected resource and requested action to determine if she/he should be granted access.

So then what of the quote in the sub-header, “Authorization = credentials.” This quotation is taken from the HTTP RFC. This foundational RFC that establishes the protocol that is the backbone of the internet completely muddles the distinction between authorization and authentication. Authorization has nothing to do with credentials. Credentials are a part of the authentication process.

Here’s another quote from the RFC to establish this issue further:

“The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.”

In this quotation, the RFC correctly acknowledges that the credentials are for authentication, but still refers to the error as “Unauthorized.”

Well Actually,

At the Recurse Center where I am spending my sabbatical, there is a rule against well actuallies. Well actuallies are situations where people make minor technical corrections to statements that are otherwise correct. Often the correction in no way advances or contributes to the discussion, and occasionally, the correction may even derail the discussion.

In many ways the correction I pose above, to modify the HTTP RFC’s use of the terms authorization and authentication, is a well actually. The HTTP RFC has been successfully implemented for 20 years now, so clearly the error did not harm the RFC’s purpose.

But still, I cannot abide. The distinction is absolutely fundamental — and for it to be this garbled in use, and for the incorrect usage of these terms to be so widespread…

So, I did something about it.


I created a chrome extension that updates occurences of the error “401 - Unauthorized” to read “401 - Unauthenticated,” as it should. Even if this correction is just in my own browser, it is cathartic to see it fixed in at least the domain I control.

If you share my quarrel, you can download the extension on my github.

But this got me wondering. Surely this can’t be the only error in the RFCs, and surely there are other errors floating around the internet, hoping to be fixed. If you know any, send them to me, and I’ll add them to my extension.

Together, let’s make the internet just a little more correct.