Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Django : DRF Token based Authentication VS JSON Web Token

Tags:

json

rest

django

django-rest-framework

tastypie

I am building a real world application where users will access the app primarily from Android, iOS devices as well as Desktops.

From my elementary research, I have realized that token based authentication mechanism is more better and elegant for client-server models as compared to session based authentication.

In Django, I have found two popular ways to do this -

  1. http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
  2. http://getblimp.github.io/django-rest-framework-jwt/

From what I understood, option 2] is an extension of 1] except that the Token is in the form of JSON(serialized). I would like to understand what other differences there are between option 1] and 2] and the advantages/disadvantages of choosing either.

like image 410
anon Avatar asked Jul 24 '15 00:07

anon

People also ask

Which authentication is best in Django REST framework?

JSON Web Token Authentication Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token. A package for JWT authentication is djangorestframework-simplejwt which provides some features as well as a pluggable token blacklist app.

What is JWT token in Django REST framework?

Simple JWT provides a JSON Web Token authentication backend for the Django REST Framework. It aims to cover the most common use cases of JWTs by offering a conservative set of default features. It also aims to be easily extensible in case a desired feature is not present.

How token-based authentication works in Django?

Token authentication refers to exchanging username and password for a token that will be used in all subsequent requests so to identify the user on the server side. This article revolves about implementing token authentication using Django REST Framework to make an API.

1 Answers

They both carrying out similar tasks with few differences.

Token

DRF's builtin Token Authentication

  1. One Token for all sessions
  2. No time stamp on the token

DRF JWT Token Authentication

  1. One Token per session
  2. Expiry timestamp on each token

Database access

DRF's builtin Token Authentication

  1. Database access to fetch the user associated with the token
  2. Verify user's status
  3. Authenticate the user

DRF JWT Token Authentication

  1. Decode token (get payload)
  2. Verify token timestamp (expiry)
  3. Database access to fetch user associated with the id in the payload
  4. Verify user's status
  5. Authenticate the user

Pros

DRF's builtin Token Authentication

  1. Allows forced-logout by replacing the token in the database (ex: password change)

DRF JWT Token Authentication

  1. Token with an expiration time
  2. No database hit unless the token is valid

Cons

DRF's builtin Token Authentication

  1. Database hit on all requests
  2. Single token for all sessions

DRF JWT Token Authentication

  1. Unable to recall the token without tracking it in the database
  2. Once the token is issued, anyone with the token can make requests
  3. Specs are open to interpretations, no consensus on how to do refresh
like image 79
un33k Avatar answered Sep 18 '22 22:09

un33k
Sign in to Comment

Related questions

json unmarshal time that isn't in RFC 3339 format
Is default no-args constructor mandatory for Gson?
How to filter array of objects by element property values using jq?
How to parse a JSON object to a TypeScript Object
How to define Typescript Map of key value pair. where key is a number and value is an array of objects
Javascript long integer
how to remove json object key and value.?
How to read HttpResponseMessage content as text
Python 3, read/write compressed json objects from/to gzip file
Deserializing JSON to abstract class
Jackson JSON: get node name from json-tree
npm notice created a lockfile as package-lock.json. You should commit this file
Best REST Client Framework/Utility on Android [closed]
Why use XML(SOAP) when JSON so simple and easy to handle?
Spring REST multiple @RequestBody parameters, possible?
Add element to a JSON file?
How to define the min size of array in the json schema
Jackson deserialize ISO8601 formatted date-time into Java8 Instant
AngularJS - Server side validation and client side forms
How to check the type of a value from a JSONObject?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!