Little pig, little pig, let me in.
—The wolf in the story of the Three Little Pigs
You don’t really log in to an application in order to be handed the keys. Authentication is just the first step. You have told the framework who you are, which is fine. But now it must take that information and match it against established policies to govern which actions you are able to perform from then on. This is called authorization. The difference between authentication and authorization is subtle. Think of it this way.
When you authenticate, you’re going to the coat room and ...