The difference between authentication methods is basically what you can expect from the content of request.env.user.

For auth='none', the user record is always empty, even if an authenticated user is accessing the path. Use this if you want to serve content that has no dependencies on users, or if you want to provide database agnostic functionality in a server-wide module.

The auth='public' value sets the user record to a special user with XML ID base.public_user for unauthenticated users, and to the user's record for authenticated ones. This is the right choice if you want to offer functionality to both unauthenticated and authenticated users, while the authenticated ones get some extras, as demonstrated in the preceding code.

Use auth='user' to ensure that only authenticated users have access to what you've got to offer. With this method, you can be sure that request.env.user points to an existing user.