What? Authentication and Authorisation are different from one another!
Ever encountered 401 Unauthorized and 403 Forbidden in Postman or WordPress? Many budding testers get confused between these two status codes and file them both under “some kind of client-side error”.
Here, I’ll try to clear up the misconceptions about these two client-side errors and explain how authorisation is different from authentication.
Let’s understand the terms with an example.
Suppose you want to enter a building. While entering, the security guard would ask you two questions.
The first question would be -“Who are you?”
He asks this so he can authenticate you, and as proof you’ll show identity credentials, like a membership card or maybe a driving licence. If you can’t produce valid credentials, you won’t be allowed to enter the building; otherwise you can walk right in.
It’s also worth noticing that the 401 Unauthorized error has the word ‘Unauthorized’ in its name, but it actually occurs in the case of missing ‘authentication’.
Now, there can be a case where you are an authentic user and still get a 401 Unauthorized error. Some reasons could be a wrong URL, wrong login credentials, a connectivity issue or a problem with hardware configuration; or you could simply clear your browser’s cookies and cache.
Now, getting back to the security guard’s second question, it would be — “What can you do?”
Here, the security guard already knows who you are and wants to know what rights/access you have. It may be that you don’t have the proper permissions for some reason. Hence, the 403 Forbidden error occurs when your web server understands the request that the client (i.e. your browser) is making, but will not fulfil it. Re-authenticating will therefore not be of any use.
This error can be resolved by checking the permissions you have for the resource you wanted to access, or you could deactivate and then reactivate your plugins.
The most up-to-date RFC standard defining 401 (Unauthorized) is RFC 7235:
The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource…The user agent MAY repeat the request with a new or replaced Authorization header field.
Whereas 403 (Forbidden) is most recently defined in RFC 7231:
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it…If authentication credentials were provided in the request, the server considers them insufficient to grant access.
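To see both answers side by side in working code, here is an added example (mine, not from the original post or from any real server) of a tiny request handler that asks the guard’s two questions in order: `authenticate` answers “Who are you?” from an HTTP Basic `Authorization` header and `authorize` answers “What can you do?” against a role policy. The user table, the policy table and the realm name are constructed for the example. A missing or wrong credential yields 401 together with the `WWW-Authenticate` challenge that RFC 7235 requires, so the client knows it may retry with new credentials; a known user without the required role yields 403, where retrying with the same credentials would change nothing.

```python
import base64
import binascii
import hmac

# Constructed sample user store (hypothetical; not from the original post).
# Passwords are kept in clear text only to keep the example short.
USERS = {
    "alice": {"password": "wonderland", "roles": {"editor", "reader"}},
    "bob": {"password": "builder", "roles": {"reader"}},
}

# Constructed access policy: the role each resource path requires.
# Paths not listed here are denied by default.
POLICY = {
    "/posts": "reader",
    "/admin": "admin",
}

REALM = "example-blog"  # constructed realm name for the challenge header


def authenticate(headers):
    """The guard's first question, 'Who are you?'.

    Returns the user name on success, or None when the Authorization
    header is missing, malformed, or carries the wrong credentials.
    """
    value = headers.get("Authorization")
    if not value or not value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(value[len("Basic "):], validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = USERS.get(user)
    # Compare even for unknown users so timing does not reveal which names exist.
    expected = record["password"] if record else ""
    if record is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def authorize(user, path):
    """The guard's second question, 'What can you do?'."""
    required = POLICY.get(path)
    return required is not None and required in USERS[user]["roles"]


def handle(path, headers):
    """Return (status, response_headers, body) the way a server would."""
    user = authenticate(headers)
    if user is None:
        # 401: no valid credentials. RFC 7235 requires a WWW-Authenticate
        # challenge so the client can repeat the request with new credentials.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"
    if not authorize(user, path):
        # 403: we know who this is; their credentials are simply insufficient.
        # Re-authenticating as the same user would not change the answer.
        return 403, {}, "Forbidden"
    return 200, {}, f"Hello, {user}"


def basic_header(user, password):
    """Build the Authorization header a client such as Postman would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    print(handle("/posts", {}))                                   # 401: nobody identified
    print(handle("/posts", basic_header("alice", "wrong")))       # 401: wrong password
    print(handle("/posts", basic_header("bob", "builder")))       # 200: reader reading posts
    print(handle("/admin", basic_header("alice", "wonderland")))  # 403: known user, no admin role
```

The last two calls are the whole distinction: Bob is authenticated and authorised; Alice is authenticated but not authorised, and the server says so with 403 rather than challenging her again with 401.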