return to table of content

Instead of “auth”, we should say “permissions” and “login”

aeonik
51 replies
2h5m

"Authorize" and "Authenticate" are excellent words. They go back to medieval times and haven't changed meaning too much.

Everybody knows what an "authority" is. It means they have power or capability.

Everybody knows what authentic means. Something that is proven to be genuine.

The difference between the two concepts, as they are used in crypto systems are specific, important to get right, and also inherently intertwined, confusing, and subtle. I'm skeptical that changing the words would help.

It's one of the many reasons we have the saying, "Don't roll your own crypto."

Trust and verification are just hard problems.

hackernewds
18 replies
1h33m

Auth means authentication or authorization? that's the dilemma

theptip
8 replies
1h27m

The industry has used “authz” and “authn” to disambiguate for decades.

cdelsolar
3 replies
1h18m

I’ve been working in this industry for decades and this is the first time I made that connection…

mgkimsal
0 replies
50m

you're not alone.

foobazgt
0 replies
41m

I can second GP.

I have always heard and used authz and authn (pronounced auth-z and auth-n). Bare "auth" typically was used to mean both, but IAM was more clear for that in specific contexts. E.G. you might say someone "authed" to indicate both authentication and authorization, and you might have an IAM team that handles both authentication and authorization.

FWIW, I lead an IAM team.

bostik
0 replies
46m

The distinction was already present in Apache2 configs in early 2000's, although there authentication was "auth", and "authorisation" was authz.

Real travesty came from OAuth. A system designed to handle authorisation was named after the term for authentication.

mgkimsal
1 replies
30m

How are those pronounced?

giaour
0 replies
4m

You pronounce the last letter as a second syllable: authn is "auth-in" and authz is "auth-zee" (probably "auth-zed" in non-American English).

erik_seaberg
0 replies
28m

I've seen https://en.wikipedia.org/wiki/AAA_(computer_security) because authentication, authorization, and accounting (audit trails) need to go together so often. What you're allowed to do is sort of meaningless if we don't actually know who you are and what else you've done.

croes
0 replies
1h15m

One type and you have a problem.

Maybe it's better to use less similar words if it's security related.

selecsosi
4 replies
1h27m

AuthN and AuthZ are appropriate and succinct ways to express the concerns when brevity is required

croes
3 replies
1h16m

So one wrong letter or wrong auto complete and we have the wrong meaning.

In security, anything that is less prone to error is good, so words that are hard to confuse or misspell are good.

selecsosi
1 replies
44m

Why would you type the wrong letter when you mean the other one? Authentication means proving what something says it is, authorization is allowing someone to do something.

The concepts are different so it's not like a dial you are turning to make a measurement, the terms are for different domains

deathanatos
0 replies
35m

While I also agree that authn or authz are perfectly clear,

Why would you type the wrong letter when you mean the other one?

Really? Ignorance, laziness, rushing, fatigue, simple mistakes, etc.

What I think is worse is more letters doesn't save you. I've had some conversations where it has gone like 2–3 round trips before the other end realizes that "not" means not, and they mean … the other way.

dathinab
0 replies
10m

yes but it's also even more important to be precise and correct which login/permission fail to be

login is at best defined as authorization + authentication

but things which are in general referred to as login but only provide authorization are not that rare (e.g. you pass a token to a client)

and logins which to provide authentication but not authorization exist to (but are rare and you probably could always nitpick them out of existence)

Similar the term permission is hugely overloaded due to it's wide usage in more causal most times end user facing documentation. Most times permissions are used in a more generic context, like a user having the permission to do something vs. a request made by a user being authorized to do something.

I mean in the end there is no reason not to use login/permission for end-user facing documentations, causal conversations etc. This terms are "good enough" most times. But if you provide a login library or technical documentation for APIs with complex interactions between authentication and authorization then using login/permission just won't cut it.

Also for AuthN,AuthZ there is no point to use auto completion and there is very very little chance to mistype them as long as you don't confused them. Luckily this kind of mistakes do not fall under the patterns dyslexia causes (especially if you do the capitalization).

alex_lav
2 replies
1h29m

Sure, so why would we replace the two words that have correct meaning when the real problem is laziness?

croes
1 replies
1h18m

We now have autocomplete that could choose the wrong word.

alex_lav
0 replies
53m

We've had autocomplete that could choose the wrong word for over a decade. And?

bradjohnson
0 replies
39m

Identity and permission are often closely related, and usually auth means both. If we replaced auth with permissions and login, I suspect we would still encapsulate the same overarching concept with one of those two words anyway. E.g. use the login module to add permissions to a user or use the permissions module to authenticate.

ghnws
17 replies
1h28m

Having two almost identical terms that mean completely different things is not a very good idea. Also here you are explaining what the words mean, when "login" and "permission" are immediately obvious. Most people don't speak english natively either.

4death4
9 replies
1h25m

I don’t really consider making an API call as “logging in”. The term sounds really out of place other than in a few specific contexts.

Too
5 replies
59m

The term “Identify” is a lot better in this regard.

It’s already universally used in IAM, where the other half of the puzzle is also clear and free from ambiguity: “Access”.

jbverschoor
1 replies
40m

Access doesn’t cover everything though. But identify seems good

jonplackett
0 replies
22m

I think they mean use both - identity in place of login/authenticate and access in place of auth

zer00eyz
0 replies
11m

Identity/identify may or may not have anything to do with Login, or Authentication...

KYC (know your customer) are about removing the ambiguity between you user and their identity....

asalahli
0 replies
4m

Identification and authentication are different, though. You identify yourself to a website as a specific user (e.g. using a username) and the website in turn authenticates your claim, i.e. verifies that you are in fact the user you claim to be (e.g. using that user's password).

adolph
0 replies
39m

And the third half, “management” verbalizes the action therein.

Also, IAM has a cryptic assertion of ultimate authority: In Hebrew, . . . hayah carries the added weight of representing God himself: Yahweh, “I am.” [0]

https://hebraicthought.org/meaning-of-gods-name-i-am-exodus/

rwoerz
1 replies
1h11m

Indeed. "Logging in" implies some kind of long lasting session. And logging in conceptually only requires "identification" (e.g. via a username) but not necessarily "authentication" (e.g. via a password)

nmz
0 replies
54m

Identification is not necessarily via a username, people can identify you via just knowing how you look or your voice, the method doesn't matter.

jagged-chisel
0 replies
10m

IMO…

To “log in” is to convert the username/password pair (or API key, or whatever) into a smaller token with an expiration. Doesn’t matter of it’s put in a cookie in my browser, held in memory by some other API client, etc.

Aside: Why bother even doing that? Because every time you transmit the credential, there’s the possibility of leaking. We would rather leak the token that has an expiration.

mepiethree
3 replies
1h16m

I don’t think they are almost identical, they just have the same prefix. “Login” and “permission” each have the same problem: “login” is very similar to “logging”, and “permission” shares a prefix with “persistence” (or permanent). Ultimately software engineering is a broad enough field that we will necessarily have to use similar words to describe the many, many concepts

pjerem
1 replies
1h11m

The issue is that they have the same prefix AND that unfortunately this prefix is used to abbreviate both words.

What does the "auth" module ?

diego_sandoval
0 replies
14m

We shouldn't use that abbreviation, then.

croes
0 replies
1h12m

But authentication and authorization are often used in the same context where confusion is lethal.

mistercow
0 replies
25m

The wild thing is that they’re apparently from different etymologies. “Authorization” comes from “auctor” in Latin, meaning “leader” or “author”, whereas “authentication” originally comes from the Greek “auto” meaning “self”. There probably was some cross influence that brought them into line though.

gtirloni
0 replies
1h9m

what's the difference between login and logon?

bru
0 replies
58m

That's because they share the same root auto-, i.e. "self". Because they're related concepts...

divan
2 replies
55m

Everybody knows ...

Especially non-native English speakers, right.

redeeman
0 replies
21m

well either they know the language to some functional degree, or they dont.

diego_sandoval
0 replies
6m

The Spanish words are very similar to the English ones:

- Autorización : Authorization

- Autenticación : Authentication

- Autoridad : Authority

- Auténtico : Authentic

I would guess that in other romance languages, they are also similar to the English version.

"Log In", on the other hand, only makes sense in English. If you tell someone "Estoy registrando adentro" they will be dumbfounded.

dergyitheron
1 replies
1h42m

It's not that simple for non-native English speakers, not everyone works in an international team so English is being used on a technical level and you basically have to memorize what those words mean if they dont have similar sounding equivalent in your native language. And there people mess it up or simplify the terms by combining them and it doesn't make sense. And you wouldn't use your native language equivalents because docs are usually in English and we code naming things in English. Using those dumber terms would be much more straightforward for everyone.

marcosdumay
0 replies
1h13m

non-native English speakers

Hum... I imagine you mean people without any Latine inheritance in their culture. Those words are very good words on way more languages than English.

Those words are also shared with other domains, where they have compatible meanings, and that intersect the usage in computer systems. So you'd better fix them there too.

Besides "permission" is not a verb, and "login" is one between a lot of different ways to authenticate people. What do you intend to do with the correct meaning of those words once you overload them?

cwilby
1 replies
47m

Saw the headline, found your comment within two seconds, exhaled with relief.

Every time a cohesive pair of words is redefined, a new JS framework is born.

OJFord
0 replies
0m

Yeah me too, but then I actually read the (very short) article, which immediately addresses that and not much else.

Better title would be 'instead of authz & authn ...' to make that clear, because it does just sound like they haven't heard of the concept at first.

charles_f
1 replies
1h56m

Everybody knows what an "authority" is. It means they have power or capability. > > Everybody knows what authentic means. Something that is proven to be genuine.

And yet a lot of the devs I work with (I'd even go a say most) can't really explain to you the difference between both concepts and use "auth" as a blanket keyword ; which that word allows since it has the same root.

I think that proposal isn't bad because it makes a distinction using simpler words. I'd also prefer for people to learn that simple difference, but that's what we get.

oooyay
0 replies
1h41m

Some time ago authentication was shortened to authn and authorization was shortened to authz. If I had to guess that was to aid people who had to write those words a lot. In that aid, I think they've somewhat lost meaning and just became generalized as "auth". People generally do know there are two steps to auth, are aware of the standards, but when asked to put it in words struggle because of some lexical convergence.

An analog to this is when I first stumbled upon words like a11y and i18n I had no idea what they meant. Now that I've actually had to deal with internationalization systems and accessibility systems I know very much what they mean, but similar to "auth" they're an umbrella invoking a large number of systems that can all function differently.

ysofunny
0 replies
1h24m

over many years, I've noticed how it's all about differences that get more subtle and precise on every field. I think this specially after watching this the introduction of https://www.youtube.com/watch?v=OMaYFUm8kQQ

this is specially complicated in fields with long histories. I've got an example that may only make sense in both english and spanish: fats, oils, gases/gasolines (grasas, aceites... gasolinas, petroleo)

other subtelties fresh on my mind today:

proposition vs axiom

argument vs parameter

(common) case law vs civil law

packetlost
0 replies
1h57m

I could see an argument for using the less precise terminology for user facing error messages, but certainly not on the technical side.

jonplackett
0 replies
1h20m

Think you’re giving ‘Everybody’ a bit too much credit.

bsder
0 replies
15m

inherently intertwined, confusing, and subtle.

Our current implementations are like this. I'm not convinced this is inherent complexity, though.

It seems like almost all the complexity stems from people trying to create hooks to monetize all the pieces of the process.

Security and usability feel like a second and distant third in importance.

blablabla123
0 replies
3m

Yeah but it's hard to understand unless doing a lot with auth. Indeed "don't roll you own crypto" but you don't need a PhD in Mathematics to roll you own auth. Sometimes it's necessary and even if not, it's good to know what could need work.

verdverm
17 replies
3h3m

"Identity" and "Access" Management (IAM) is pretty standard terminology.

I personally like saying authnz (authentication and authorization mashed together)

"Login" doesn't really cover token or key based authentication, i.e. service accounts don't "log in" but do require authentication and authorization

sandworm101
3 replies
2h21m

The modern parlance doesn't accommodate but the original "log in" and "log out" describes any time a use enters or leaves and is noted in the log. This goes back to shipping whereby persons entry or exit would be noted in a log. Imho that older definition would cover nearly every type of authentication that results in someone connecting to a service.

jameshart
1 replies
1h50m

Sadly most of modern communication infrastructure is built on the stateless substrate of HTTP, where every interaction starts from a fresh slate. And zero trust networking suggests we should not rely on border checks to let people 'in' and 'out', but rather check access control at every interaction.

Really, modern practice has moved past 'log in', sorry.

klabb3
0 replies
23m

Yes. But logging in still happens - you just get a token in response and use it for subsequent communication within some time period. It’s still a bad term for an identity / authentication system because logging in is just one small part of it.

verdverm
0 replies
1h58m

This doesn't seem to cover API keys or bots, which have authentication mechanisms, but who's typical workflows lack the "enters" or "leaves" concepts you describe.

For example, I can log into OpenAI, generate an API key, log out, and then use that key to access their systems across a network

Khaine
3 replies
2h58m

The other term you might here is AAA: Authentication, Authorisation, and Accounting

verdverm
2 replies
2h56m

by Accounting, do you mean Audit Logs?

candiddevmike
1 replies
2h46m

That is a form of Accounting, yes. There are others though, like metrics, and Accounting is meant to mean all of the recording/telemetry.

verdverm
0 replies
2h41m

I can see this thread rabbit-holing into logmon terminology :]

bsid
2 replies
2h45m

Also, IAM usually means SSO solutions for employees i.e. things like Okta/OneLogin..

CIAM usually means external facing authN/authZ.. (customer identity and access mgmt)

There's so many terms in this space that are already confusing.

verdverm
1 replies
2h43m

SSO is really just the Identity part, and one way to prove identity, more conveniently across many systems.

SSO misses the Access (permissions) part, which requires policies constraining the acting identity, the target, and the action to be performed

deathanatos
0 replies
37m

No, they're still intertwined, unfortunately.

For example, Okta has a notion of whether a user is "authorized" to use the app, so you can end up being directed to Okta, prompted to log in, and then shown an authorization error. Users will often phrase this as some odd form of "not permitted to log into the app".

Further, Okta admins control the claims the user presents to the app, and those claims can often have authz implications. A "role" or "group" claim is the most obvious one.

I've spent endless time going in circles with Okta administrators who can't clearly delineate these two, or who don't understand what an "app" (Okta's term for a relying party) is, etc.

spicybbq
1 replies
2h56m

I personally like saying authnz (authentication and authorization mashed together)

a12n and a11n, if you will.

verdverm
0 replies
2h54m

which ideally are a11y (accessibility)

remram
0 replies
37m

Identity and access seem much clearer to me. Not every identity determination is via log in, not every access check is purely based on permission. I will try and use identity/access/IAM instead of authn/authz/auth.

marcosdumay
0 replies
1h7m

"Identity" and "Access" are really good names.

I could easily adopt those if I find myself naming middleware again.

jameshart
0 replies
2h56m

Yes, this. Access control is bigger than just permissions. And identity is still relevant even for anonymous users.

chipdart
0 replies
2h37m

"Login" doesn't really cover token or key based authentication, i.e. service accounts don't "log in" but do require authentication and authorization

To build on top of this point, authentication also includes claims that are not tied to an authorization process, such as user agents or custom request headers, and authentication is often used not to reject access but to output subsets of data (I..e, hide fields from a response, send a specific response doc, etc)

It's as if the whole industry uses the keyword "auth" for good reasons.

DowagerDave
15 replies
2h57m

I don't really get the point of this post. Yes naming things is hard, but the fact that these two words are similar is actually a good thing, despite laypersons getting them confused, because they are both functionally and implementation-wise closely related. The confusion is not going to be solved with trying to relabel the concepts. The author never actually illustrates the harm caused by this confusion either. My guess is they ran into something like installing a package that didn't cover their desired needs, attributed this to the "auth" name and instead of moving on decided to write about it.

> "The canonical solution is to call these "authn" and "authz", the n and z evoking the longer words."

or we could just use the longer words?

test6554
7 replies
2h40m

Hey, I wish electrons were assigned a positive charge and protons a negative one. Way back when. But oh well now.

echoangle
5 replies
2h8m

Can you explain why switching the names would be better? I don’t get it

thayne
0 replies
1h43m

Because in an electrical current it is electrons that move (usually, unless you have a hydrogen plasma or something), so since electrons have a negative charge, the direction of the positive current is the opposite of the direction the electrons are flowing.

thaumasiotes
0 replies
1h55m

By convention, electrical current flows in the direction of the movement of positive charge.

However, in the typical case, what's moving is electrons, which means the "current" is flowing in the opposite direction of the movement of the electrons. This is stupid and everyone hates it.

samatman
0 replies
1h46m

In addition to the sibling comments, I have a somewhat esoteric reason to wish that the signs of electric charge were reversed.

In the coordinate system of an atom, the nucleus is at the origin, 0, while the electrons are a positive distance from that core. 0 is not negative, obviously, but it's non-positive.

When terminology is concordant in this way, the topic is easier for a student to grasp. When discordant, harder.

There's little chance for this wart to be remedied, invalidating every paper written up to that point is a bit of a non-starter. But I dislike it nonetheless.

djaro
0 replies
1h48m

Because what we call electricity is electrons moving. So it would make sense for electrons to have the electric charge.

Now we are in a weird situation where current flows from positive to negative, but electrons flow from negative to positive. It would be a lot more logical if the direction of the electrons was the direction of the current, but the name was arbitrarily decided before we knew what electrons were.

cocoa19
0 replies
1h57m

I remember some messy conventions in electronics as a reason.

The conventional flow of current goes from positive terminal to negative. But electrons actually flow from negative terminal to positive.

randomdata
0 replies
1h8m

> and protons a negative one.

A "pro" negative? That introduces a whole new confusion.

inanutshellus
2 replies
2h41m

For some reason, with both words, I have to stop and think about what the "other auth- word" is so I can be sure I'm thinking of this "auth word" correctly.

  1. Sees <authentication>
  1a. "That's who I am, but to be sure..."
  2. "Ehh... the other one is... <authorization>..."
  3. "<authorization> is what I'm allowed to do so..."
  4. "...yes, this one is who i am"
Seriously, every time. I probably worried I'd remembered it backwards at one point early in my career and have never shaken the habit of double-checking myself on it.

pama
0 replies
2h11m

I authorize you to be authentic!

codelikeawolf
0 replies
2h25m

I did the exact same thing when I was reading the post! I had to stop reading and take a good 10 seconds to verify which one was which in my head. I use "auth" all the time as a placeholder for "you need to login to use this". I've never really thought too much about authorization versus authentication because to me, those are just implementation details under the "auth" umbrella.

billsmithaustin
2 replies
2h46m

My experience: a lot of the confusion in technical conversations is due to two parties using the same term for different but related concepts. Relabeling the concepts to clarify the distinction is the right thing to do.

> or could we just use longer words?

Agreed: relabeling, with longer words when necessary, can help.

AlienRobot
1 replies
2h25m

Fun parallel: https://inkscape-manuals.readthedocs.io/en/latest/_images/in...

The toolbar is called "tool controls bar," the tool controls bar at the left is called "toolbox," and the toolbox at the right is called "commands bar."

If you asked me I'd say it's 3 toolbars. And why is palette not palette bar?

forkerenok
0 replies
17m

And why is palette not palette bar?

My guess that's because palette, the real world object, is something close to a bar itself, so it would be a bit of tautology. From the dictionary:

Palette: a thin board or slab on which an artist lays and mixes colours.

AbraKdabra
9 replies
2h55m

I've never been in a situation where this "confusion" happens (nor in english or spanish, where we use autenticación and autorización), authentication and authorization are standard terminology in all IT and Infosec.

I know acronyms and stuff but if it creates confusion just use the damn complete word, I don't get why create a problem.

Pxtl
7 replies
2h19m

Because people frequently in English use the abbreviation "auth", which is ambiguous.

ziddoap
5 replies
2h3m

So people should not use the abbreviation when it isn't clear. Problem solved, no renaming needed.

If people are too lazy/whatever to use the full word, they are going to be too lazy/whatever to change to a different word entirely.

Someone1234
4 replies
1h40m

Nothing is being renamed. "Permissions" is another common name that dates until at least the 1980s in computing. The suggestion here is to use one common and correct phrase instead of another common and correct phase. Login/Identity are also completely standard.

The only reason to keep using Auth/Auth is because you want to be less easily understood by others. Calling it "renaming" is itself odd to me, if someone said Identity/Permission or Login/Permission, it wouldn't even flag to me as being unusual or non-standard. I'd know exactly what they meant.

ziddoap
3 replies
1h33m

The suggestion here is to use one common and correct phrase instead of another common and correct phase

Permissions are a subset of authorization.

hu3
2 replies
1h15m

Could you please provide examples.

I see comments stating that, but no examples.

ziddoap
0 replies
1h6m

Permissions are a technical method which are used to implement and enforce authorization policies. However, authorization policies are not composed of just permission controls.

You may find that your user account has permission to read the employee salary database. However, you may not be authorized to read that database by corporate policy because you are not a manager. Perusing that database will still get you in trouble, because you aren't authorized to do so, even though your account had the technical permissions to access it.

You may find that you have permissions to screenshot internal databases and post them on facebook, however since you are not authorized to do so by policy, you will be fired.

Etc.

danielmarkbruce
0 replies
1h5m

You have read permission on a file - generally used by humans, and UIs like on Google Drive etc to signify your ability to see a file at all, at some time, some location, from some machine.

You have authorization - you are allowed to see the file now, from this machine attached to this network in this geographic location using this type of authentication.

"I have permission to see this file, but I can't access it outside the corporate network" said many people lots of times.

AbraKdabra
0 replies
1h46m

So the problem is the people not the words.

mkroman
0 replies
2h49m

Agreed. Generally just avoid jargon when you aren't sure the reader knows the lingo.

candiddevmike
8 replies
3h3m

Or use the industry standard AuthN, AuthZ nomenclature?

jedberg
6 replies
3h2m

The article addresses this. They aren't universal enough and when sound out loud they sound the same, and there are no verb forms.

DowagerDave
2 replies
2h56m

> They aren't universal enough

Yes, we need a NEW standard: https://xkcd.com/927/

jedberg
1 replies
2h52m

The beauty of this proposal is that it isn't a new standard -- it's suggesting that we use the already existing words and stop using the less understood acronyms.

verdverm
0 replies
2h38m

authn/z are more abbreviations than acronyms, which come with less organization or domain specific required knowledge, which is the typical complaint of acronyms

kube-system
1 replies
2h20m

there are no verb forms

Authenticate. Authorize.

alephxyz
0 replies
1h45m

Authentify is also valid but obviously leads to even more confusion

candiddevmike
0 replies
3h0m

They aren't universal because folks like the article author keep trying to make fetch happen. Authentication, Authorization, and Accounting (AAA) are bedrock security concepts. They sound fine out loud, and I have no idea why a verb form would be a requirement for an abbreviation.

kazinator
0 replies
2h48m

Never heard of it.

Just don't use the "auth" contraction for "autorization". Only for authentication. Or not at all.

The system state which grants access to a resource based on a user's credentials is "permissions".

Authentication is the process of establishing belief in the user's credentials.

Authorization is the human assigned permission to a resource which may or may not be reflected by permissions. Incorrectly set permissions can allow unauthorized access to a resource.

E.g. if /etc/shadow is accidentally made rw-r--r--, that doesn't mean everyone is authorized to access the password hashes. Doing so may still violate the organization's IT policy.

bazil376
8 replies
2h58m

I like it. The distinction between Authn and Authz isn’t nearly as obviously as login and permission. Sometimes I feel like we enjoy fancy terms more than we enjoy unambiguous terms.

lelanthran
3 replies
2h27m

Sometimes I feel like we enjoy fancy terms more than we enjoy unambiguous terms.

Could be we just enjoy precision more than anything else.

For lay people, maybe authn and authz are poor words. For those of us working with those words, they're a lot better than login and permission. I don't really want to call a function to get a "permission code" instead of an "authorization code".

ghnws
2 replies
1h26m

Authorization code? Do you mean authentication?

lelanthran
0 replies
1h5m

I don't mean authentication. An authorization code is something that is handed out to already authenticated identities.

danielmarkbruce
0 replies
1h11m

No, they probably don't. They probably know exactly what they are saying.

cpdean
1 replies
2h2m

But how else will I signal my superiority over others if I use clear language???

bazil376
0 replies
1h51m

;)

ziddoap
0 replies
1h56m

login and permission.

These words do not capture everything that authorization and authentication entail. As stated several times in this thread, permissions are specific part of what authorization entails, not the entirety.

Sometimes I feel like we enjoy fancy terms more than we enjoy unambiguous terms

Authorization and authentication are unambiguous.

coffeebeqn
0 replies
2h54m

Especially when English is not your first language. These words are long and easy to mix up

sergioisidoro
4 replies
2h36m

The problem goes way beyond any singular ecosystem and extends to the most basic standards as well.

For me one of the most confusing things about this topic is the use of "Unauthorized" in 402 [1], when the dictionary definition is about not having permission and authority to do an action [2].

So in my projects I usually use:

- 402 - Unidentified (identification) ou Unauthenticated (Authentic identity)

- 403 - Forbidden (permission)

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401

[2] https://www.merriam-webster.com/dictionary/unauthorized

yashap
1 replies
2h29m

If you’re looking to reduce confusion, I’d avoid using HTTP status codes in non-standard ways. Yeah it’s unfortunate that HTTP calls 401 “unauthorized”, but it has the meaning of “unauthenticated” everywhere else (e.g. “you have failed to prove who you are”), but basically all devs are familiar with this wart. 402 is “payment required”, using that for errors that should be 401 or 403 according to the HTTP spec is more confusing than just using 401 and 403 in spec compliant ways.

growse
0 replies
31m

You can sort of convolute a reason why 401 Unauthorized is valid, based on the fact that most systems which control access to resources have a (often implicit) policy that users for whom the identity is not known are not allowed to access anything.

Therefore the request is unauthorized because the server wasn't able to authenticate the user. But that's still not consistent with 403 though, so it's not very satisfying.

But this also speaks to one of the nubs of the terminology issue. "Actors" are authenticated, "Actions" are authorized.

onionisafruit
0 replies
1h59m

Also in the http world, the header used for authentication is called “Authorization”

Perz1val
0 replies
2h28m

- 403: I have it, but you should seek the admin to give you the right permission - 404: I don't even have that (lying)

kissgyorgy
4 replies
2h52m

I have worked with auth (:P) systems (IAM) a lot and I have never seen the problem with "auth" meaning both authorization and authentication. When more specificity is needed, just use the right phrase.

Using "login" and "permissions" are worse IMO, because they don't catch the entire meaning and complexity of these systems. Authentication means way more than login, and permissions mean very specific things for a small portion of an authorization system.

candiddevmike
3 replies
2h43m

Indeed, Authorization includes things like license checks, time of use restrictions, etc.

hu3
2 replies
1h18m

Authorization includes things like license checks, time of use restrictions, etc.

permission to use X license... (or whatever license check means in this context)

permission to use at X time...

macspoofing
1 replies
1h7m

Of course, if you could just wave your magic wand and change the meaning of commonly understood words, you can make the semantics work. Unfortunately, you can't. In this case, "permission to use at X time" does not have the same meaning as "permission to perform action X".

hu3
0 replies
33m

I don't understand why would a magic wand or semantic gymnastics be required.

One can implement different kinds of permissions for a given resource. Including ones related to license or time constraints.

zdw
2 replies
3h2m

Most places I've worked have standardized on AuthN and AuthZ as shortcuts for Authentication (login) and Authorization (permissions).

Do other folks have different experiences?

blatherard
0 replies
3h1m

The article is specifically arguing against using "auth" or "authn/authz"

PKop
0 replies
2h57m

"Most places say AuthN and AuthZ" is what the post is arguing against.

mcqueenjordan
2 replies
2h41m

I prefer AuthN and AuthZ.

I don't think sharing a prefix/root implies that they're the same thing.

Also, I don't think the suggested "permissions" and "login" terminology would work for all AuthN/Z schemes. For example, when exactly do you "login" when calling an API with a bearer token? Doesn't work for me.

tanseydavid
1 replies
2h16m

> I don't think sharing a prefix/root implies that they're the same thing.

I think the complaint is that the the shared prefix/root causes the two words to be less distinct from each other

> For example, when exactly do you "login" when calling an API with a bearer token? Doesn't work for me.

In my mental model, you "login" to the API when you provide the bearer token.

While I would agree that this is "stretching" the meaning of the word login quite a bit, passing the bearer token serves the same functional purpose as a human keying a UID / PW combo.

rangerelf
0 replies
1h35m

In an activity where words have specific meanings and should be used in their correct place in order to prevent miscommunication of intent or purpose, "stretching the meaning" of a particular technical term can only bring confusion (and bugs).

Authentication and Authorization are correct and complete terms that have separate but related meanings, personally I don't feel them to be confusing at all.

The entire article feels like whining because the author stubbed his toe against a corner.

Lay people need explaining these concepts using non technical words? Of course, that's what documentation and manuals are for. "WE" are not lay people, and we should understand what their meanings are.

chaos_emergent
2 replies
1h46m

Maybe instead of overloading the shorthand with two definitions, it's best to just use the actual words.

steve_adams_86
1 replies
1h36m

I agree.

I feel like this is trying to simplify something that can’t be simplified so easily, and perhaps shouldn’t be. The desire to reduce such a complex and broad problem space suggests to me a lack of understanding of what a simplification entails. Using these different words may only present confusion in other directions.

Login isn’t always what authentication is about. In fact, I recently wrote an authentication layer for identifying users based on something that would have been sent to their email, but they don’t exist as users in the system yet. They can’t log in. They don’t even need to in order to utilize this authentication layer. So it isn’t login, yet it’s a form of authentication.

Permissions is a good word I guess, but it’s as specific as authorization. Why change it?

Maybe I like auth because it’s familiar. I am open to new ideas though. This one just doesn’t seem to make sense.

danielmarkbruce
0 replies
49m

100%. The problem with an issue like this is that there are people who work in the field and know how complex it is and know all the terms and know no matter what terms you try to boil it down to there will be confusion because you simply cannot properly represent so much stuff in two words, let alone one. Then there are people who sort of work around the edges of such systems but don't really see how complex it is and hence come up with superficially sensible sounding things that will just cause confusion in some other way.

jmull
1 replies
2h25m

Isn't there are rather obvious solution to this "problem"?

When we need to be clear, let's call authentication and authorization... authentication and authorization.

spiderice
0 replies
1h16m

The solution to authentication and authorization being hard to keep straight is to keep using authentication and authorization?

How is that a solution?

jmsgwd
1 replies
2h32m

This sucks... authorization and permissions are not the same thing.

Permissions are rights or privileges, which exist independently of their assignment to particular users.

Authorization, on the other hand, can have two meanings - both of which relate to _assignment_ of permissions to users (preferably via groups or roles):

1. The process of assigning permissions to users, as in "you need to be authorized to do that".

2. The process of confirming whether a user has the necessary permissions to perform some action.

The second meaning can also be referred to as access control (or more precisely, runtime access control). It's what applications typically do after authenticating users. Hence, if you want an alternative to "authorization" in the runtime verification sense, the term "access control" might be appropriate.

On the other hand authN and authZ are perfectly adequate and well-understood.

Since the term "authorization" always relates to a (direct or indirect) binding between permissions and users, it makes no sense to use the term "permissions" as a substitute for "authorization".

jmsgwd
0 replies
1h17m

As an example, look at how NIST define "permission" in one of the early RBAC papers: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir6192.pdf

Here "permission" is defined as an "Operation/Object pair" - for example, read/write/execute access to a particular file. But crucially, there's no user involved (yet). That's where authorization comes in. When a permission becomes associated with a user (in this case via roles), you have authorization.

This sense of the word "permission" has now become very well established in the field of identity and access control.

efitz
1 replies
2h51m

NB Security practitioners typically never say “auth” due to the ambiguity; we typically say “authN” or “authZ” for clarity, or use the actual terms authentication and authorization.

bee_rider
0 replies
2h2m

As an insecurity person I sort of like the name clash. I’m not smart enough to keep those things separate, so realistically, if I’m giving somebody the ability to authenticate I’m also giving them authorization for normal account stuff.

xyst
0 replies
2h56m

“authn” and “authz” are sufficient to use between technical people.

But using “login” and “permissions” for explaining concepts to general populace is perfectly fine as well.

unixhero
0 replies
24m

Instead of plural accesses we should say entitlements

treflop
0 replies
1h25m

Permissions to me is about setting a policy and authorization is applying that policy.

I have never wanted to use them interchangeably.

thayne
0 replies
21m

This terminology implies that the two concepts, authentication and authorization, are more closely related than they are.

But they are closely related. You can't really have authorization without some form of authentication. Both are tied to some kind of identity. And in some cases, such as SSO, authentication involves authorization from another system.

Also, login is not a good replacement for authentication, because there are forms of authentication that don't involve logging in at all. And often the act of logging in just exchanges one set of authentication credentials (username and password or equivalent) for another, shorter lived, set (token, cookie, etc.)

Finally, one nice property of using authz and authn is that you can use "auth" to mean "authentication and authorization", since the two often go together.

tekchip
0 replies
2h59m

Auth is what you went for when "cloud" or any number of more widely used ambiguous terms are out there? That said I think dialing back the use of technical terms watered down by the marketing team would be fantastic.

steve_adams_86
0 replies
1h31m

I think this only works in limited versions of these auth systems. If that’s what you want, great. Some packages for various languages already exist for this purpose. They’re incomplete auth systems, though.

There are more modes of authentication than logging a user into a system or referencing their proof of authentication after login. It’s certainly the most common use case, but authentication can occur using other forms of proof that you’re willing to trust.

For example, someone in your system invites people to do something via email. Once these people authenticate by entering a code sent to their email address, you trust that they can access a file based on a cookie you’ve set. However, they are not logged in because they don’t have an account. You would not do this with a login system. You’d do it with an authentication system.

spenceryonce
0 replies
1h25m

Yes

ratiolat
0 replies
2h27m

Agree with the article. The worst offender is probably Oauth providing endless confusion to developers and end users

pseudocomposer
0 replies
13m

I think it should be “authentication” and “permissions.”

There’s pretty much no word in the English language to describe login/account creation/etc than “authentication.” The word “login” is a poor substitute. There are no good synonyms for “authentication” that encompass all its applications in computer systems.

Meanwhile, there are already lots of synonyms used for “permissions.” Given the abundance of these, and the lack of synonyms for “authentication,” choosing “authorization” to describe permissions is, frankly, an asinine decision. It adds unnecessary cognitive overhead for everyone.

(That’s not to say there’s no place for, say, Unauthorized responses, etc. Just that we should be calling the topic “permissions” or really anything other than “authorization.”)

progx
0 replies
2h29m

So we are back to the most difficult things in programming: naming things.

potus50
0 replies
42m

Honestly, Im tired of people telling me how to talk. What if instead of policing language we educate people on the differences between authentication and authorization and best practices for implementation? I think you’re onto the problem, but artificial language enforcement isn’t going to fix it.

oaiey
0 replies
41m

I do not like it. AAAA is a good abbreviation for the necessary principles authentication, authorization, access and audit.

LPAA... Is just not right.

netfl0
0 replies
1h58m

No.

nailer
0 replies
3h2m

Most computer systems we interact with have an auth system of some kind. The problem is, that sentence is at best unclear and at worst nonsense. "Auth" can mean at least two things: authentication or authorization

Yes, that was the point of using auth.

mkroman
0 replies
2h54m

"Permissions" seem too specific a term to use as a general term. It's something I'd use to describe the specific rights a role may have in role-based access control, and not authorization as a whole. I'll stick to authn/authz for abbreviations, auth for both or if it's not specific, and if it's for documentation or cross-department communication I'll just write the whole word.

mikl
0 replies
2h59m

Ah yes, the good old “the jargon for X is confusing, let’s add more jargon”.

macspoofing
0 replies
1h11m

I get what you're doing, but the problem is that "login" and "permissions" are ambiguous in the context of Identity Management. For example, "Delete-User" is a permission that defines some 'permitted action', but it does not imply "Administrator" role or a set of policies that should be governing access to some resources. So by trying to fix one semantic issue, you're introducing a bunch of other ones.

libria
0 replies
3m

We carry a physical analog of this in real life: work badge. My policy-enforced visible picture identifies who I am and that I match that photo and also gatekeeps me into and out of places I'm allowed to enter.

terminology implies that the two concepts, authentication and authorization, are more closely related than they are ... There are some links ... because what you can do is tied to who you are. But they're also very different

AuthZ being entirely dependent on AuthN is not "some links". That's an unbreakable dependency.

I can agree that these two words being a single letter apart are easy to conflate though. But as they are related, we're more likely to increase training/education around the concept rather than rename them.

layer8
0 replies
1h55m

“Login” implies a state change, which “authentication” doesn’t.

“Authorization” can refer to a process, which “permissions” doesn’t.

jameshart
0 replies
2h50m

If you think ‘auth’ is confusing in an access management context, wait til you implement a payment system and discover that credit cards have an ‘auth’ process that has nothing to do with your user identity or user permission checks. A credit card auth is not ‘authenticating’ the card holder, or determining if they are ‘authorized’ to charge to a particular card. It is instead the process of being given authorization to capture funds from a payment instrument.

iandanforth
0 replies
1h29m

Totally agree with this article and I'll try to use these words.

habitue
0 replies
2h25m

Sometimes someone just points out the obvious, and it's obviously a good solution. I'm happy to never use authn or authz again, good riddance.

gchamonlive
0 replies
2h23m

This is a widespread problem, and it's well known. One common solution, using the terms "authn" and "authz", doesn't solve the problem. And this isn't just confusing, it leads to bad abstractions and general failures!

Well, in written language, authn and authz aren't mistakeable. In spoken language, I never heard anyone say authn or authz, but their fully developed versions.

And about bad abstractions, I believe that has less to do with bad naming and more to do with the fact that authenticating and permissioning is hard to express, develop and to scale in a secure and reliable way.

I think a better use of time is to worry less about how to rename these moving parts and spend more energy studying the pitfalls like the confused deputy problem and how it could apply to your specific domain or use case.

chefandy
0 replies
1h7m

Between dev and administration/ops work, I spent a couple of decades in the deep end of the tech pool. As we know, it's packed with layers of interconnected archaic, arbitrary and confusing terminology. I understand the resistance to renaming things – the cognitive overhead of learning new terms is real. However, when you remove decades-irrelevant technical limitations and contrived entomological justification, the reason for sticking to old, confusing names often boils down to "because I already know it." Many feel learning it all has earned them this machismo-driven badge-of-nerd-honor, and people advocating for more straightforward terminology are often viewed as weak, lazy, or incompetent. That's convenient for us, but hindering future generations and confusing non-technical users has a cost. For a field so focused on progress, this resistance to improving terminology is strange. While I don't advocate for constant change, or change for its own sake, we should challenge "because, that's the way it's always been" as a justification for not making things better.

brhsagain
0 replies
12m

I've always heard "auth" to mean authentication and "perms" to mean authorization.

bongodongobob
0 replies
2h33m

We do in infra/infosec/sysadmin. Sounds like a dev that just isn't familiar with the territory. That's why we have different departments.

badgersnake
0 replies
2h45m

I lead on the team responsible for auth on our product, and we just go with authN and authZ when we don’t mean both.

archsurface
0 replies
2h32m

'"Auth" can mean at least two things: authentication or authorization' - the two words you should be using.

WhitneyLand
0 replies
1h36m

This article took some time to think through, reason about and write, likely with years of experience as a prerequisite.

Some articles/proposals like this are beyond what current AI could offer, but it’s interesting to see which ones.

Asking Gpt4o, it gives:

Authentication: Verify Authenticate Login

Authorization: Authorize Permission Access

So in this case, it was able to offer the same suggestions as the author as well as some of those from the comments below.

Giorgi
0 replies
2h11m

And script, instead of "app".

EGreg
0 replies
2h26m

On a mildly related note, I have been doing NUMEROUS things lately in order to speed up our PHP-based social network platform, so it would load super-fast and handle a lot of traffic on one machine. They include:

1. Inlining all CSS and HTML if there is no session cookie. (But not JS because people just need to see the page as soon as possible, and JS doesn’t have to get in the way)

2. Having a service worker store all the inlined files, so next time they are loaded from the cache. But change back the @import() statements in CSS (because the CSS file may be at a different path and sadly the stylesheets don’t have a way to set a <base>)

3. Using Q.getter() for caching and throttling, Q.batcher() for batching requests. All people have to do is request individual objects and the system will batch them (in groups of 50) so the PHP can do queries about many rows.

4. A PHP script to go through with multicurl and render various pages to static HTML (for top-level) and JSON (for dynamic requests). There are two versions of the HTML: a) when there is no session cookie and b) when there is. Both versions of the HTML insert a <base> tag, because they may be placed in a different path so as not to pollute the directory.

5) But when the session cookie is authenticated, the value begins with “Q_sessionId_authenticated_” as opposed to just “Q_sessionId” so the server (eg NGINX) knows to hit the actual PHP and not just serve the static files.

6. Have PHP check whether a path was rendered to static, check the above rules and 302 redirect, for people who use commodity hosting and can’t change the webserver configs. It’s a but slower but at least the PHP exits early.

7. Speaking of exiting early, every session ID is generated by the PHP script and signed with an HMAC (secrets are stored in local/app.json which is listed under .gitignore and .hgignore so it’s never accidentally checked into repos). That way when a request comes in, the code quickly checks the sessionId and rejects if it’s bogus. This can protect against DDOS, eg with cloudflare workers at the edge.

8. Speaking of CDNs. We have a system to map any subpath to any URL, including external CDN URLs so you can host various CSS/JS/image packages elsewhere, and not need to have your server be an origin server

9. We also have bundle.php to bundle everything for app stores. Think of it as a longer-duration CDN cache. We then save the cache timestamp during build time and send it a Q.ct cookie during requests (eg from a Cordova app). If the css/js/png/other file on the server is newer, it is referenced from a URL with a newer ?Q.cb={{timestamp}} for cache busting.

10. We have an update.php script to generate updates / releases of the app, which goes through each changed static file in the public directory (including traversing symlinks) and records its timestamp. We also have an option to record its content hash (for subresource integrity checks).

11. We have a way to upload / download PHP code from the Internet without having to log in with SSH etc. This allows updating the software packages even on commodity hosting. The packages contain resources that can override previous resources. But they are only loaded after checking the cryptographic signatures — there have to be at least two, taken from a list of audit organizations that the sysadmin trusts. We ship a list that we trust but the sysadmins can change them (eg if they suspect the auditing companies are under our control).

This post has become too long. You can see much more info on our forums if you’re interested

https://community.qbix.com/t/qbix-websites-loading-quickly/2...

1970-01-01
0 replies
3h2m

90% of development and IT is knowing acronyms and abbreviations. The other half is skills.