What is the difference between an Authorization ID and a Authentication ID?
---------------------------------------------------------------------------

**Authentication** is the act of proving who you are. "Hello, I'm Dave. To 
prove it, here's my password: Foo." 

**Authorization** is the act of deciding 
whether to grant access to resources. 

:: 

    "I'd like to read Kellie's mail for her." 

In the example, I'm trying to read my wife's mail. I supply my own 
username as the "authentication identifier", my own password (Or 
biometric scan, or whatever else is required to prove I'm really me, 
with whichever mechanism is in use), and my wife's username as the 
"authorization identifier".

At no point need I know my wife's password - instead, either Kellie or 
an administrator needs to explicitly state that I am allowed in "as 
Kellie". Once I've logged in, all the access checks are done against 
Kellie, not against Dave, because I'm acting for her. To all intents and 
purposes, after the authentication exchange itself, the server can 
simply forget about who authenticated - it's not important any more - 
and concentrate on who needs to be authorized. 

Another, more common example of the use of differing authentication 
identifiers and authorization identifiers is in the design of many proxy 
systems. You authenticate perfectly normally to the proxy, authorizing 
as yourself. The proxy then authenticates to the master as itself, but 
supplies you as the authorization identifier, thus getting all the right 
access checks done at source, but not having to have access to your 
authentication credentials. Finally, some mechanisms don't support 
passing a distinct authorization identifier, and for most its optional, 
and defaults to the case that most people are familiar with, where 
authorization and authentication identifiers are the same.