AI Research and Product Accelerator

Distributed Cloud computing

Topics around how to build scalable distributed systems.

Authorization and Authentication

One of the most basic requirements is making sure that the right people can access the right resources/services in the system.

I have often seen people get confused by the terminology.

  • Authentication is the process of verifying who you are. When you log on to a web/mobile application with a user name and password you are authenticating. Authentication is about who somebody is. 

  • Authorization is the process of verifying that you have access to something. Gaining access to a resource because the permissions configured on it allow you access is authorization (e.g. if you are an admin, you can access the billing area of the product, whereas if you are a basic user, you can only access the reporting dashboard). Authorization is about what they're allowed to do.

When you build distributed systems that have a Web UI, mobile clients or third-party API components, it is important to think about how to build a secure backend from day one. Otherwise you will end up building a separate AA system for each client (most likely the case in legacy systems).
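The two definitions above, and the single shared backend this paragraph argues for, as an added example that is not code from the original post: authentication and authorization are separate steps with separate failure results (401 vs 403). The user names, passwords, resource names and the `handle` function are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample accounts: name -> (salt, password hash, role).
USERS = {}
for _name, _pw, _role in [("alice", "correct horse", "admin"),
                          ("bob", "battery staple", "basic")]:
    _salt = secrets.token_bytes(16)
    USERS[_name] = (_salt, _pw_hash(_pw, _salt), _role)

# Role -> resources, after the page's example. That an admin can also see
# reporting is an assumption of this sketch.
PERMISSIONS = {"admin": {"billing", "reporting"}, "basic": {"reporting"}}
SERVER_KEY = secrets.token_bytes(32)  # signs tokens; per-process in this sketch

def _sign(username: str) -> str:
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()

def authenticate(username: str, password: str):
    """Authentication: prove who you are. Returns a signed token or None."""
    salt, stored, _ = USERS.get(username, (b"\0" * 16, b"", None))
    if not hmac.compare_digest(_pw_hash(password, salt), stored):
        return None
    return f"{username}.{_sign(username)}"  # no expiry, to keep the sketch short

def identify(token):
    """Check the token signature. Returns the user name or None."""
    username, _, sig = (token or "").rpartition(".")
    if username in USERS and hmac.compare_digest(sig.encode(), _sign(username).encode()):
        return username
    return None

def handle(token, resource: str) -> int:
    """One check shared by web, mobile and API clients; returns an HTTP status."""
    user = identify(token)
    if user is None:
        return 401  # authentication failed: we do not know who this is
    role = USERS[user][2]
    if resource not in PERMISSIONS.get(role, set()):
        return 403  # authenticated, but not authorized for this resource
    return 200
```

Because every client type goes through the same `handle` check, a permission change in `PERMISSIONS` applies to the Web UI, mobile and API paths at once.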

So one obviously needs to think about how to build this from the ground up versus how to migrate an existing system when adding a mobile or API interface.

There are various third-party software stacks available, such as Ping Identity (costs a lot of money) for enterprises. Or you can build your own using the Spring framework (hard to scale). Or, if your service runs on AWS, you can use their own.

Then people start thinking about how AA works and what OAuth2 means. Most developers don't need to know about it, as it is hidden from them by the implementation. However, if you are a chief architect, you need to know about it, or you have to rely on your platform services architect/team.


BlackPepper Labs