Authentication:
I don’t know who you are, so, you are not allowed to enter the premises.
Authorization:
I know who you are, you are allowed to enter the premises. However, you do not belong to the accounting department hence you are not allowed to perform any action like accessing resources in this section of the premises.
Authorization is all about what you can do.
When you work with any web technologies, be it server-side UI generation or serving API. They always provide you interceptors (The components who intercept the HTTP request) to perform these checks.
These interceptors may be called as HttpModules, Middleware and so on.
In ASP.NET, we could achieve it using pluggable HTTP modules or C# attributes, and so on.
In ASP.NET MVC or WebAPI, we could authenticate or authorize request using Authentication and Authorization filters at the controller action level, controller level or at the global level.
Don’t forget to return below HTTP status code from web API if a request fails to authenticate or authorize.
401 UNAUTHORIZED
Don’t confuse with unauthorized. It says valid authentication credentials for the target resource are missing, Authentication failed.
403 FORBIDDEN
It means the server understood the request but refuses to authorize it.
