[TOC] # 簡介 >Authentication 一般指身份驗證，又稱“驗證”、“鑒權”，是指通過一定的手段，完成對用戶身份的確認。 >Authorization 一般是授權、委托的意思，向…授予職權或權力許可，批準等意思。 所以你可以看一下 Laravel 的文檔 1. [Authentication](https://laravel.com/docs/5.4/authentication) ，主要講的是和登錄相關的內容。 2. [Authorization](https://laravel.com/docs/5.4/authorization) ，主要講的是權限相關的內容（注意，Gates 和 Policies 都必須是在用戶登錄后才有意義，如果沒有登錄態，直接返回 false）。 講完這個在說一說對應的 Http Status Code： 1. Authentication：未登錄的時候調用需要登錄的接口，一般使用 401 Unauthorized。 2. Authorization：登錄后請求沒有權限的接口，一般使用 403 Forbidden。 那么肯定有同學問了，為什么 401 是 Unauthorized 而不是 Unautheticated 呢？這不是坑人嗎？事實上，參考 RFC，好像確實是弄錯了。 >There’s a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticate header that describes how to authenticate. > >This is a response generally returned by your web server, not your web application. > > It’s also something very temporary; the server is asking you to try again. > > So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401. > > Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.” > > In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.