cosmos / cosmos-sdk

A Framework for Building High Value Public Blockchains
https://cosmos.network/
Apache License 2.0

Distinguish Authentication and Authorization #7615

Closed aaronc closed 2 days ago

aaronc commented 3 years ago

Summary

Problem Definition

We will have two modules with the abbreviation auth in their name but which deal with two slightly different concerns.

x/auth deals primarily with "authentication". From Oxford authentication is

the process or action of verifying the identity of a user or process.

x/msg_authorization deals with what an "authenticated" user is "authorized" to do. From Oxford authorization is

a document giving permission or authority

Which seems pretty consistent with what x/msg_authorization does.

Proposal

There is a fair amount of precedent for using authn and authz as abbreviations for authentication and authorization respectively, as well as for auth alone being confusing:

So how about x/auth becomes x/authn and x/msg_authorization becomes x/authz?



alexanderbez commented 3 years ago

ACK

clevinson commented 3 years ago

👍

anilcse commented 3 years ago

ACK

fedekunze commented 3 years ago

I don't understand why we are introducing such a breaking change. Couldn't we just name the authz module authorization instead? This is clearer, as the authn/z abbreviations could be read as auth-n auth-z by non-native English speakers.

clevinson commented 3 years ago

I don't see an issue with reading as auth-n and auth-z. Is that really a problem? The important piece is to disambiguate them from each other.

We originally were just calling authz authorization, but having two modules (x/auth and x/authorization) is what was causing the initial confusion.

fedekunze commented 3 years ago

Why don't we just rename authz to authorization? SDK devs are already familiar with the auth module and what it does... My take on this is that the breaking change is just not worth it

aaronc commented 3 years ago

Why don't we just rename authz to authorization? SDK devs are already familiar with the auth module and what it does... My take on this is that the breaking change is just not worth it

One (possibly bad) reason not to do this is because it makes protobuf type URLs longer - cosmos.authz vs cosmos.authorization

We could also have auth and authz and just not do the rename of auth -> authn

fedekunze commented 3 years ago

We could also have auth and authz and just not do the rename of auth -> authn

I don't have a strong opinion on the authz renaming, but I'm strongly against the auth -> authn renaming because it's such a large breaking change for other applications

aaronc commented 3 years ago

@alexanderbez do you have any thoughts here? We moved forward because you ACK'ed but I would be fine keeping auth as is if there's strong opposition. @alessio ?

alessio commented 3 years ago

IMHO authn is a better name. I agree with @fedekunze though, I suspect the change wouldn't be very warmly welcomed by application developers. How about postponing the auth -> authn renaming to Cosmos SDK v1.0?

aaronc commented 3 years ago

IMHO authn is a better name. I agree with @fedekunze though, I suspect the change wouldn't be very warmly welcomed by application developers. How about postponing the auth -> authn renaming to Cosmos SDK v1.0?

Totally fine to postpone it

clevinson commented 3 years ago

Moving to icebox as this will ideally be addressed in the x/auth & x/bank refactor. Possibly with two modules in parallel (new & old auth / authz).

aaronc commented 3 years ago

A proposed API for a new authn module is in #9369.