Authentication – establishing who someone is: the caller presents a credential (password, token, certificate, cookie), the server verifies it, and the result is an identity.
Authorization – deciding what that identity is allowed to do.
You can authenticate without authorizing: identify the caller and then let every identity do everything.
You can authorize without authenticating: an anonymous caller can still be granted (or denied) access, for example read-only access to public pages.
Two HTTP status codes matter most in web security:
401 – Unauthorized – you are not authenticated (the name is a historical misnomer; the response carries a WWW-Authenticate header telling the client how to authenticate, per RFC 7235)
403 – Forbidden – you are authenticated but not permitted to do this; retrying with the same identity will not help
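The following is an added example, not code from the workshop, showing how ASP.NET Core produces the two responses above. It is a single-file minimal API for .NET 8 with a hypothetical demo scheme that reads the identity from X-Demo-User and roles from X-Demo-Roles request headers (both names are assumptions, and trusting client-supplied headers is only acceptable here because the point is to see the 401/403 behaviour; a real scheme verifies a credential). The framework's default challenge writes 401 and the default forbid writes 403, so no status codes are set by hand.

```csharp
// Demo only: .NET 8 minimal API. Run with `dotnet run`, then probe with curl (see note below).
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Authentication: register the (hypothetical) header scheme as the default.
builder.Services
    .AddAuthentication(HeaderAuthHandler.SchemeName)
    .AddScheme<AuthenticationSchemeOptions, HeaderAuthHandler>(HeaderAuthHandler.SchemeName, null);

// Authorization: one policy that requires the "admin" role.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("admin"));
});

var app = builder.Build();
app.UseAuthentication();   // populates HttpContext.User from the scheme
app.UseAuthorization();    // evaluates policies; issues challenge (401) or forbid (403)

// No authentication and no authorization: anyone gets 200.
app.MapGet("/public", () => "anyone can read this");

// Authentication required, any identity allowed: 401 without X-Demo-User, else 200.
app.MapGet("/me", (ClaimsPrincipal user) => $"hello {user.Identity!.Name}")
   .RequireAuthorization();

// Authentication + the AdminOnly policy: 401 if unauthenticated,
// 403 if authenticated but not in role "admin", 200 otherwise.
app.MapGet("/admin", () => "admin-only data")
   .RequireAuthorization("AdminOnly");

app.Run();

// Assumed demo scheme: identity comes straight from request headers.
// NEVER do this in production; any client can set these headers.
public class HeaderAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "DemoHeader";

    public HeaderAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
                             ILoggerFactory logger, UrlEncoder encoder)
        : base(options, logger, encoder) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No header -> no identity. Returning NoResult (not Fail) lets the
        // authorization middleware decide: it will challenge with 401 where required.
        if (!Request.Headers.TryGetValue("X-Demo-User", out var user) ||
            string.IsNullOrWhiteSpace(user))
            return Task.FromResult(AuthenticateResult.NoResult());

        var claims = new List<Claim> { new(ClaimTypes.Name, user.ToString()) };

        // Optional comma-separated roles, e.g. "X-Demo-Roles: admin,auditor".
        if (Request.Headers.TryGetValue("X-Demo-Roles", out var roles))
            claims.AddRange(roles.ToString()
                .Split(',', StringSplitOptions.RemoveEmptyEntries)
                .Select(r => new Claim(ClaimTypes.Role, r.Trim())));

        var identity = new ClaimsIdentity(claims, SchemeName);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), SchemeName);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

With the app listening on http://localhost:5000, `curl -i localhost:5000/me` returns 401 with no identity, `curl -i -H "X-Demo-User: alice" localhost:5000/admin` returns 403 (authenticated, but alice is not in role admin), and `curl -i -H "X-Demo-User: alice" -H "X-Demo-Roles: admin" localhost:5000/admin` returns 200. The handler returns NoResult rather than Fail for a missing header so that /public stays reachable while /me and /admin still challenge.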
ASP.NET Authorization workshop