<strong>Authorization</strong> determines what an authenticated user is allowed to do. It's about permissions and access control, not identity.
The Hotel Key Card
Your hotel key card proves who you are (authentication), but only opens certain doors (authorization).
Authentication: proves you're a guest.
Authorization: which rooms you can enter.
Forbidden: you can't access everything.
The check in short: Logged in → Can they do this? → Proceed.
1. User Authenticated: the system knows who you are.
2. User Attempts Action: try to delete a post, view the admin panel, etc.
3. Check Permissions: does this user have the right role/permission?
4. Grant or Deny: allow the action or return 403 Forbidden.
5. Log Action: record who did what for the security audit.
Wrong: "If you're logged in, you can do anything."
Correct: Authentication (login) proves who you are. Authorization determines what you can do. A regular user can't delete other people's posts even though they're logged in.
Google Docs permissions:
Authentication: you log in with your Google account.
Authorization: an Owner can delete, an Editor can edit, a Viewer can only read.
You try to delete a doc you don't own → 403 Forbidden
You try to edit a doc where you're a Viewer → Not allowed
Same person, different permissions for different documents.
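The five-step flow and the Google Docs example above, as an added worked example (not code from the original page or from Google): a per-document role table, a deny-by-default permission check that returns 200 or 403, and an audit log entry for every decision. The names Role, Document, authorize and AUDIT_LOG, and the sample users, are assumptions made for this example.

```python
# Added example (not from the original page): minimal document-level
# authorization modelled on the Owner/Editor/Viewer roles described above.
# Role, Document, authorize and AUDIT_LOG are illustrative names.
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    OWNER = "owner"
    EDITOR = "editor"
    VIEWER = "viewer"


# Which actions each role may perform. Anything not listed is denied
# (deny by default), the safe direction for an access-control check.
ROLE_PERMISSIONS = {
    Role.OWNER: {"read", "edit", "delete"},
    Role.EDITOR: {"read", "edit"},
    Role.VIEWER: {"read"},
}


@dataclass
class Document:
    doc_id: str
    roles: dict  # user -> Role for THIS document only


AUDIT_LOG = []  # in-memory audit trail: (user, action, doc_id, status)


def authorize(user: str, action: str, doc: Document) -> int:
    """Step 3-5 of the flow: check permission, grant (200) or deny (403),
    and log the decision. The caller has already authenticated `user`."""
    role = doc.roles.get(user)  # no role on this doc -> None -> denied
    allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
    status = 200 if allowed else 403
    AUDIT_LOG.append((user, action, doc.doc_id, status))  # who did what
    return status


# Constructed sample data: alice owns doc1 but is only a Viewer on doc2.
doc1 = Document("doc1", {"alice": Role.OWNER, "bob": Role.EDITOR})
doc2 = Document("doc2", {"carol": Role.OWNER, "alice": Role.VIEWER})

if __name__ == "__main__":
    print(authorize("alice", "delete", doc1))   # 200: Owner may delete
    print(authorize("bob", "delete", doc1))     # 403: Editor may not delete
    print(authorize("alice", "edit", doc2))     # 403: Viewer may not edit
    print(authorize("mallory", "read", doc1))   # 403: logged in, no role here
    for entry in AUDIT_LOG:
        print(entry)
```

Note that "mallory" is denied even though the check assumes she is authenticated: being logged in says nothing about what she may do on doc1.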