ASP.NET Identity Bearer Token vs JWT Pros and Cons

I have used ASP.NET Identity for a while now and have been looking at JWT (JSON Web Token) as they seem really interesting and easy to use.

JWT.IO has a great example/tool of debugging the token.

However, I'm not entirely sure how JWTs work on the back end; would you still use Identity?

Also how do the tokens (Bearer vs JWT) compare? Which is more secure?

shammelburg asked Feb 07 '17 09:02



2 Answers

A JWT is like a ticket to an attraction. It contains all the security information a server needs embedded in it. Once the server has handed it out, the client just needs to present it whenever it asks for something, and the server responds accordingly if it's valid.

The contents are entirely viewable, but they're signed using a secret key by the server so it can tell if they've been tampered with.

Since everything is in the JWT, and the client can present it to whomever they want, you can use it for Single Sign On as long as the different servers share the same secret so they can verify the signature.

Like a ticket, a JWT has an expiry date. As long as it hasn't expired, it's valid. This means you can't revoke them before that. For this reason JWTs often have short expiry times (30 mins or so) and the client is also issued a refresh token in order to renew the JWT quickly when it expires.

JWTs

  • Not stored on the server
  • Great for SSO
  • Can't be revoked prematurely

Bearer tokens are like a guest list. The server puts the client on the guest list, then provides a pass code to identify it when it wants something. When the client provides the code, the server looks it up on the list and checks that it's allowed to do whatever it's asking.

The server has to have the list available to it, so if you want to share access across servers, they either all need to be able to access the list (database), or talk to some authority that has it (auth server).

On the other hand, since they have the guest list, they can take you off it whenever they want.

Bearer Tokens

  • Stored on the server
  • Can be revoked at any time
  • Requires a central authority or shared database to share the token across servers

Bit of Tech has some excellent tutorials on implementing JWTs with Web Api if you want to go down that route.

http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/

JamesT answered Oct 01 '22 21:10


Unfortunately, the previous answer could be misleading: Bearer Tokens are the predominant type of access token used with OAuth 2.0. A Bearer Token is an opaque string, not intended to have any meaning to clients using it. Some servers will issue tokens that are a short string of hexadecimal characters, while others may use structured tokens such as JSON Web Tokens. (https://oauth.net/2/bearer-tokens/)

Simone answered Oct 01 '22 22:10
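The two token models the answers above describe, side by side, as an added example written for this page (it is not code from either answerer, from ASP.NET Identity, or from the linked tutorial). Using only the Python standard library it issues and verifies a self-contained HS256-signed JWT with an `exp` claim, shows that a rewritten payload fails the signature check even though the payload is readable, and contrasts that with an opaque random bearer token of the kind the second answer mentions, whose meaning lives entirely in a server-side store that can be revoked at any moment. The signing key, subject names and the fixed clock value are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example key for this demo only; a real server loads it from protected
# configuration, and every server that must accept the JWT has to share it.
SERVER_SECRET = b"example-hs256-key-constructed-for-this-demo"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact serialisation requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_jwt(subject: str, lifetime_seconds: int, now: Optional[float] = None) -> str:
    """Build an HS256-signed JWT (header.payload.signature); everything the server needs is inside."""
    now = int(time.time() if now is None else now)
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(
        {"sub": subject, "iat": now, "exp": now + lifetime_seconds})
    signature = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature checks out and 'exp' is in the future, else None.
    No lookup happens: only the secret is needed, which is why a JWT cannot be revoked early."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return None
    # Accept only the algorithm this server issues; never let the token pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SERVER_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # contents were altered: the payload is readable, but not forgeable
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        return None  # the ticket has expired
    return payload


def tampered_copy(token: str, new_subject: str) -> str:
    """Rewrite the readable payload but keep the old signature; shows the check rejects it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["sub"] = new_subject
    return header_b64 + "." + _json_b64(payload) + "." + sig_b64


class OpaqueTokenStore:
    """The 'guest list': the token is a random string that means nothing by itself.
    Every server honouring it needs this store (or an auth server in front of it), and
    an entry can be struck off the list at any moment."""

    def __init__(self) -> None:
        self._entries = {}  # token -> (subject, expiry timestamp)

    def issue(self, subject: str, lifetime_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._entries[token] = (subject, now + lifetime_seconds)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        entry = self._entries.get(token)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def revoke(self, token: str) -> None:
        self._entries.pop(token, None)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    jwt_token = issue_jwt("alice", 1800, now=t0)
    print("valid JWT ->", verify_jwt(jwt_token, now=t0 + 60))
    print("tampered  ->", verify_jwt(tampered_copy(jwt_token, "admin"), now=t0 + 60))
    print("expired   ->", verify_jwt(jwt_token, now=t0 + 1800))
    store = OpaqueTokenStore()
    opaque = store.issue("alice", 1800, now=t0)
    print("opaque ok ->", store.lookup(opaque, now=t0 + 60))
    store.revoke(opaque)
    print("revoked   ->", store.lookup(opaque, now=t0 + 60))
```

The `now` parameters exist only so the expiry behaviour can be exercised with a fixed clock; drop them to use wall-clock time. Note the asymmetry the first answer points out: `verify_jwt` never consults any store, so the only way to cut off a compromised JWT is to wait for `exp` (hence short lifetimes plus a refresh token), whereas `OpaqueTokenStore.revoke` takes effect on the very next request, at the cost of every server needing access to that store.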