I am starting to learn about token based authentication and I am trying to learn how to implement it in Laravel 5. I have come across two very popular technologies for doing this but I am confused since I am new to both these technologies.
This article at Medium says I should go with lucadegasperi/oauth2-server-laravel which I am sure is a very popular package in the community judging by the number of stars on Github and the number of references that have led me to it. This one is supposed to help me with OAuth implementation.
This other article at Scotch.io encourages me to use tymondesigns/jwt-auth which is also very popular again judging by the number of stars on Github.
At this point I am indecisive of which one to use mostly because I am a novice developer and I haven't worked with either of them.
Could anyone point out to me what are the pros and cons to each one of them and which one I should implement? Will my project type also dictate what kind I should use? And how?
Moreover if you are making an argument that I should choose one over the other, could you also point out good resources that would help me start with them. Other than the two links I provided myself of course.
PASETO, or Platform Agnostic Security Token is one of the most successful designs that is being widely accepted by the community as the best-secured alternative to JWT.
Although JWT does eliminate the database lookup, it introduces security issues and other complexities while doing so. Security is binary—either it's secure or it's not. Thus making it dangerous to use JWT for user sessions.
The OAuth access token is different from the JWT in the sense that it's an opaque token. The access token's purpose is so that the client application can query Google to ask for more information about the signed in user.
Unfortunately spring-security-jwt is now deprecated, and refers developers to Spring Security OAuth2 (part of Spring Security 5.2.x). Their documentation does not have any examples of using JWT without at least having an issuer service to distribute the signing key.
JWT is a simple authentication protocol, Oauth is an authentication framework.
An experienced developer will take about a month to fully understand and implement Oauth. An experienced developer can pick up the JWT protocol in about a day of reading the specifications. So basically, it boils down to your specific use-case.
If you want simple stateless http authentication to an api, then JWT is just fine and relatively quick to implement, even for a novice developer.
A few JWT resources for you:
And an Oauth resource:
JWT stands for JSON Web Token. As the name suggests, it is a token for transferring secured data as JSON between two parties.
Oauth2, on the other hand, is a set of rules or a procedure commonly called a framework that helps in the process of authenticating and authorizing two parties to transfer secured data.
Following diagram will explain how oauth2 works :-
Here is a more detailed explanation of the steps in the diagram:-
JWT and OAuth2 are entirely different and serve different purposes, but they are compatible and can be used together in transferring secure data.
Where JWT come into play in 3rd 6th steps of oauth2
Update based on comments.
We can use Oauth and JWT separately. In Oauth2, instead of JWT, we can use other token mechanisms. Likewise, we can use JWT independently to secure our API by signing them using a private secret or a public/private key, so that we can transmit authentication claims across APIs.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
OAuth 2.0 is a protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification is being developed within the IETF OAuth WG.
- The OAuth We have different types of tokens.
1) WS-Security tokens, especially SAML tokens
2) JWT tokens
3) Legacy tokens
4) Custom tokens
The most important thing to understand when comparing JWT and OAuth2, is that they are not alike. Or even incompatible.
**JWT is an authentication protocol** This means it is a strict set of instructions for the issuing and validating of signed access tokens. The tokens contain claims that are used by an app to limit access to a user.
**OAuth2 is an Authorization Framework** OAuth2 on the other hand is a framework, think very detailed guideline, for letting users and applications authorize specific permissions to other applications in both private and public settings.
Few good links:
[1]: https://community.apigee.com/questions/21139/jwt-vs-oauth.html
[2]: https://youtu.be/XGmUlyggXVo
[3]: http://www.seedbox.com/en/blog/2015/06/05/oauth-2-vs-json-web-tokens-comment-securiser-un-api/
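Added example, not part of any answer above and not code from either package: a standard-library Python illustration of the signed, self-contained token the answers describe (the HMAC case), covering both issuing and validating without a database lookup. The key, claims and function names are constructed for illustration; a Laravel project would use a maintained library such as the tymondesigns/jwt-auth package named in the question.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real secret

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(claims, secret):
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(claims)
    return signing_input + "." + b64url(sign(signing_input, secret))

def verify(token, secret, now=None):
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token's own header choose how it is checked.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, sign(head_b64 + "." + body_b64, secret)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # trusted only after the MAC check
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or (time.time() if now is None else now) >= exp:
        raise ValueError("expired or missing exp")
    return claims

def rejection_reason(token, secret, now=None):
    try:
        verify(token, secret, now)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    token = issue({"sub": "user-42", "role": "member", "exp": 2000}, SECRET)
    head, body, sig = token.split(".")
    edited = head + "." + encode_part({"sub": "user-42", "role": "admin", "exp": 2000}) + "." + sig
    print(verify(token, SECRET, now=1000), rejection_reason(edited, SECRET, now=1000))
```

The claims are readable by anyone holding the token; the signature only proves they were not changed after issuing, and a token stays valid until its `exp` unless the server keeps extra state to revoke it.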