Lab 62
Secure Architecture

Authentication vs Authorization vs RBAC

Three words people blur together, separated cleanly. Send a request through two gates — Authentication (who are you?) then Authorization (are you allowed?) — and see RBAC as the mechanism that decides the second. Watch a valid login still get denied the wrong action.

Set the token, the user's role and the action, then send the request through the two gates. The headline moment: a valid login can still be forbidden the wrong action.
Inputs: Token (authentication) · Role · Requested action

📨 request → 🔑 Authentication (who are you?) → 🛡️ Authorization (RBAC) (are you allowed?) → 📦 resource
🔑 Authentication: Who are you?
Login, validated JWT, MFA. Proves identity. → 401 if it fails.

🛡️ Authorization: Are you allowed?
A separate decision per action/resource. → 403 if denied, even when logged in.

📋 RBAC: How authz decides
Roles → permissions. The mechanism that turns 'who' into 'allowed or not'.
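The two gates as working code, added here as an example and not the lab's own implementation: an HMAC-signed token stands in for the validated JWT, a constructed roles → permissions table is the RBAC mechanism, and the handler returns 401, 403 or 200 exactly as the three cards describe. The signing key, users, roles and actions are all constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed for the example; in practice the signing key lives in a secret store.
SECRET = b"constructed-demo-signing-key"

# RBAC table (constructed): role -> set of permitted actions.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

def mint_token(user: str, role: str) -> str:
    """Issue a minimal HMAC-signed token (stand-in for a JWT): b64(claims).hexsig."""
    claims = base64.urlsafe_b64encode(json.dumps({"sub": user, "role": role}).encode()).decode()
    sig = hmac.new(SECRET, claims.encode(), hashlib.sha256).hexdigest()
    return f"{claims}.{sig}"

def authenticate(token):
    """Gate 1, 'who are you?': verified claims, or None if missing, malformed or tampered (-> 401)."""
    if not token or "." not in token:
        return None
    claims_b64, sig = token.rsplit(".", 1)
    expected = hmac.new(SECRET, claims_b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison of signatures
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(claims_b64))
    except ValueError:  # bad base64 padding or bad JSON: still an authentication failure
        return None

def authorize(role: str, action: str) -> bool:
    """Gate 2, 'are you allowed?': RBAC maps the role to permissions and checks the action."""
    return action in ROLE_PERMISSIONS.get(role, set())

def handle_request(token, action: str):
    """Send the request through both gates in order; returns (status, message)."""
    claims = authenticate(token)
    if claims is None:
        return 401, "authentication failed"
    # The role is read from the verified, signed claims, never from a client-supplied field.
    role = claims.get("role", "")
    if not authorize(role, action):
        return 403, f"{claims.get('sub')} ({role}) is not allowed to {action}"
    return 200, f"{action} performed by {claims.get('sub')}"
```

Calling handle_request(mint_token("alice", "viewer"), "delete") shows the headline case: the token verifies at gate 1, yet gate 2 still answers 403.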