JWT (JSON Web Token) vs Custom Token

I was looking through the questions but I did not find anything which could solve my doubt. I found extensive information about JWT, but not much comparing the advantages JWT could offer over generating a custom token to authenticate requests against REST services.

What is the advantage of using a JWT (JSON Web Token) over generating a custom token? To generate the custom token I could use some hashing strategy or some unique random number generator.

If I generate a custom token, could I have any security concerns? Would you recommend using any other authentication mechanism?

Thanks!

280 votes
Deibys asked Jul 30 '15 17:07



1 Answer

JWT tokens contain claims, which are statements about the subject (for example the logged-in user). These statements can be things like name, email, roles, etc. JWT tokens are digitally signed and not vulnerable to CSRF attacks.

These two characteristics make sure that the service receiving the token does not need to go back to the issuing authentication server to verify the validity of the token or get information about the subject.

This increases the ability of a system using JWT tokens to scale in a significant way. JWT tokens do require a secure transportation channel (HTTPS).

The downside of this is that tokens cannot be revoked (as there's no central server guarding over these tokens). That's why tokens typically have a short lifetime.

Tokens holding a session id, on the other hand, do need to contact the authentication server to validate the token (usually a database lookup) and retrieve information on the subject (another database lookup).

Validation of HMAC tokens requires the knowledge of the secret key used to generate the token. Typically the receiving service (your API) will need to contact the authentication server as that server is where the secret is being kept.

HMAC tokens and session ids are typically stored in cookies. Cookies cannot be used for cross-domain service calls and need to be protected against CSRF attacks.

196 votes
MvdD answered Sep 24 '22 20:09