
Don't Bundle AuthN and AuthZ Just Because It's Convenient

Blog post from Oso

Post Details
Company: Oso
Author: Hazal Mestci
Word Count: 1,491
Summary

The post distinguishes authentication from authorization and examines the architectural problems that arise when the two are conflated. Authentication establishes who a user is, through standards such as SAML, OIDC, and LDAP; authorization determines what that user may do within a system. The distinction matters because authentication is standardized and centered on interoperability, whereas authorization is inherently flexible and tailored to specific business logic and resource relationships. The post argues that using Identity Providers (IdPs) for authorization leads to inefficiency and complexity, because IdPs cannot handle the fine-grained, dynamic permissions that modern applications require. Instead, it recommends decoupling the two and adopting an Authorization as a Service (AaaS) model, which allows independent policy management, better testability, and domain-specific logic, so that access control stays adaptable and effective as systems evolve.