Albert Starreveld
Jan 31, 2024

Hi there,

Thanks for your response. You are correct in some cases. But in other cases, there is an important difference. Cases I've run into are applications where civilians log into applications, like an overview for a pension fund, for example. Every citizen in the country can *authenticate* in such an application. That's what I was trying to point out: the difference between authentication and authorization and the thin line between these two concepts.

Also, like you are pointing out: not providing a person credentials is also a way of authorizing a person to use a service. And that's where the lines get blurry. Have you authorized a person by granting permission? Or are those credentials for authentication purposes only? It's important to know that amongst the colleagues in a business.

I've learned in some businesses that it's important to be very explicit about the details of the authentication and the authorization flow, because that's where things might go wrong.

Hope this makes the message I was trying to convey a bit more clear.

Again, thanks for your response!

Cheers.
