Authentication and authorization



I don’t know who you are, so you are not allowed to enter the premises.


I know who you are, so you are allowed to enter the premises. However, you do not belong to the accounting department, hence you are not allowed to perform any action, such as accessing resources, in this section of the premises.

Authorization is all about what you can do.


When you work with any web technology, be it server-side UI generation or serving an API, the framework always provides interceptors (components that intercept the HTTP request) to perform these checks.

These interceptors may be called HttpModules, middleware, and so on.

In ASP.NET, we could achieve this using pluggable HTTP modules, C# attributes, and so on.

In ASP.NET MVC or Web API, we can authenticate or authorize a request using authentication and authorization filters at the controller action level, the controller level, or the global level.


Don’t forget to return the correct HTTP status code from the web API when a request fails to authenticate or authorize.


401 Unauthorized: don’t be confused by the name “unauthorized”. It says that valid authentication credentials for the target resource are missing, i.e. authentication failed.


403 Forbidden: it means the server understood the request but refuses to authorize it.
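The filter levels and the 401/403 rule above, put together in one ASP.NET Web API 2 authorization filter. This is an added example, not code from the post: the `RequireRoleAttribute` class, the `LedgerController`/`ProfileController` controllers, the `"accounting"` role, the `Bearer` challenge scheme and the sample ledger entries are all assumptions made for the illustration. The filter relies on the authentication stage (an authentication filter or HTTP module) having already populated the request principal.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical authorization filter (added example, not from the post).
// It can be applied at action, controller or global level; the status code
// rule is: unknown caller -> 401, known caller without the required role -> 403.
public class RequireRoleAttribute : AuthorizationFilterAttribute
{
    private readonly string[] _roles;

    // No roles given means "any authenticated caller is allowed".
    public RequireRoleAttribute(params string[] roles)
    {
        _roles = roles ?? new string[0];
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Principal set by the authentication stage (authentication filter or HTTP module).
        IPrincipal principal = actionContext.RequestContext.Principal;

        // Authentication failed: we do not know who you are.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            HttpResponseMessage unauthorized =
                actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            // A 401 response must tell the client which scheme to authenticate with
            // ("Bearer" is an assumed scheme for this example).
            unauthorized.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            actionContext.Response = unauthorized;   // setting Response short-circuits the action
            return;
        }

        // Authorization failed: we know who you are, but you may not do this.
        if (_roles.Length > 0 && !_roles.Any(principal.IsInRole))
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
            return;
        }

        // Authenticated and allowed: leave Response null so the action runs.
    }
}

// Action level: only the accounting department may read the ledger.
public class LedgerController : ApiController
{
    [RequireRole("accounting")]
    public IHttpActionResult Get()
    {
        return Ok(new[] { "entry-1", "entry-2" });   // constructed sample data
    }
}

// Controller level: every action here needs an authenticated caller, any role.
[RequireRole]
public class ProfileController : ApiController
{
    public IHttpActionResult Get()
    {
        return Ok(User.Identity.Name);
    }
}

// Global level, inside WebApiConfig.Register(HttpConfiguration config):
//   config.Filters.Add(new RequireRoleAttribute());
```

Keeping the two checks in this order matters: a caller who is not authenticated must always get 401 (with a `WWW-Authenticate` challenge), never 403, otherwise the client cannot tell that presenting credentials would help.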

Web resource

A resource on the web is anything that can be uniquely addressed/identified. A resource is the fundamental element of the web.

Resources are the things I want to interact with on the web. They could be web pages, images, files, audio, video, static resources (CSS, JS, …), an e-mail, information from various data sources like databases, SharePoint servers and web services, a location on Google Maps, and so on.

Earlier, a resource was a static file or document. It has gradually evolved, and now nearly everything that can be obtained via the Internet is termed a resource.

URIs (more commonly URLs) are used to find/identify/locate a resource on the web, and a MIME type (media type: a two-part identifier for file formats and format contents transmitted on the Internet) specifies the representation of the resource.

The web and HTTP are both all about resources.

Everything was designed to just make things work, so that different systems (Unix-like OSes, Linux, Microsoft Windows, macOS and so on) and different platforms can easily work with each other.

Examples of resources:
- A web page
- An image file
- An audio file
- A location on a map
- https://www.onlineshopee/items/ (a collection of items)
- https://www.onlineshopee/items/123e4567-e89b-12d3-a456-426655440000 (a specific item)
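The two URIs in the list above, served as resources by an ASP.NET Web API 2 controller. This is an added example, not code from the post: the `Item` type, the `ItemsController` class, the in-memory `Store` and the sample item name are assumptions; only the route shape and the item id come from the list. It shows the point made earlier in this section: the URI identifies the resource, while the media type requested in the `Accept` header selects its representation.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web.Http;

// Hypothetical resource type (added example, not from the post).
public class Item
{
    public Guid Id { get; set; }
    public string Name { get; set; }
}

// GET /items/      -> the collection resource
// GET /items/{id}  -> one specific item resource
[RoutePrefix("items")]
public class ItemsController : ApiController
{
    // Id taken from the example URI in the text; the store is constructed sample data
    // standing in for a database.
    private static readonly Guid SampleId = Guid.Parse("123e4567-e89b-12d3-a456-426655440000");

    private static readonly Dictionary<Guid, Item> Store = new Dictionary<Guid, Item>
    {
        [SampleId] = new Item { Id = SampleId, Name = "Keyboard" }
    };

    // The collection is itself a resource with its own URI.
    [HttpGet, Route("")]
    public IHttpActionResult GetAll()
    {
        return Ok(Store.Values);
    }

    // The URI identifies the item; the Accept header (application/json,
    // application/xml, ...) decides which representation is serialised.
    [HttpGet, Route("{id:guid}")]
    public HttpResponseMessage Get(Guid id)
    {
        Item item;
        if (!Store.TryGetValue(id, out item))
        {
            // The URI is well-formed but names no existing resource.
            return Request.CreateResponse(HttpStatusCode.NotFound);
        }

        // CreateResponse runs Web API content negotiation against the request's
        // Accept header, so the same resource can come back as JSON or XML.
        return Request.CreateResponse(HttpStatusCode.OK, item);
    }
}
```

Attribute routing needs `config.MapHttpAttributeRoutes()` in `WebApiConfig.Register`. Requesting the same item URI with `Accept: application/json` and then `Accept: application/xml` returns two different representations of one resource, which is exactly the URI/MIME-type split described above.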

IMO, resources on the web are as important as objects in object-oriented programming.

Once you understand this terminology, everything based on this concept (HTTP, REST, web services and so on) becomes easy to understand.