What are the main differences between JWT and OAuth authentication

Question

I have a new SPA with a stateless authentication model using JWT  I am often asked to refer OAuth for authentication flows like asking me to send  Bearer tokens  for every request instead of a simple token header but I do think that OAuth is a lot more complex than a simple JWT based authentication  What are the main differences  should I make the JWT authentication behave like OAuth  I am also using the JWT as my XSRF-TOKEN to prevent XSRF but I am being asked to keep them separate  Should I keep them separate  Any help here will be appreciated and might lead to a set of guidelines for the community

User · Answer

It looks like everybody who answered here missed the moot point of OAUTH

From Wikipedia

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.[1] This mechanism is used by companies such as Google, Facebook, Microsoft and Twitter to permit the users to share information about their accounts with third party applications or websites.

The key point here is access delegation. Why would anyone create OAUTH when there is an id/pwd based authentication, backed by multifactored auth like OTPs and further can be secured by JWTs which are used to secure the access to the paths (like scopes in OAUTH) and set the expiry of the access

There's no point of using OAUTH if consumers access their resources(your end points) only through their trusted websites(or apps) which are your again hosted on your end points

You can go OAUTH authentication only if you are an OAUTH provider in the cases where the resource owners (users) want to access their(your) resources (end-points) via a third-party client(external app). And it is exactly created for the same purpose though you can abuse it in general

Another important note:
You're freely using the word authentication for JWT and OAUTH but neither provide the authentication mechanism. Yes one is a token mechanism and the other is protocol but once authenticated they are only used for authorization (access management). You've to back OAUTH either with OPENID type authentication or your own client credentials

User · Answer

find the main differences between JWT  amp  OAuth   OAuth 2 0 defines a protocol  amp  JWT defines a token format  OAuth can use either JWT as a token format or access token which is a bearer token  OpenID connect mostly use JWT as a token format

User · Answer

JWT  JSON Web Tokens - It is just a token format  JWT tokens are JSON encoded data structures contains information about issuer  subject  claims   expiration time etc  It is signed for tamper proof and authenticity and it can be encrypted to protect the token information using symmetric or asymmetric approach  JWT is simpler than SAML 1 1 2 0 and supported by all devices and it is more powerful than SWT Simple Web Token   OAuth2 - OAuth2 solve a problem that user wants to access the data using client software like browse based web apps  native mobile apps or desktop apps  OAuth2 is just for authorization  client software can be authorized to access the resources on-behalf of end user using access token  OpenID Connect - OpenID Connect builds on top of OAuth2 and add authentication  OpenID Connect add some constraint to OAuth2 like UserInfo Endpoint  ID Token  discovery and dynamic registration of OpenID Connect providers and session management  JWT is the mandatory format for the token  CSRF protection - You don t need implement the CSRF protection if you do not store token in the browser s cookie

User · Answer

Jwt is a strict set of instructions for the issuing and validating of signed access tokens  The tokens contain claims that are used by an app to limit access to a user  OAuth2 on the other hand is not a protocol  its a delegated authorization framework   think very detailed guideline  for letting users and applications authorize specific permissions to other applications in both private and public settings  OpenID Connect which sits on top of OAUTH2 gives you Authentication and Authorization it details how multiple different roles  users in your system  server side apps like an API  and clients such as websites or native mobile apps  can authenticate with each othe     Note  oauth2 can work with jwt   flexible implementation  extandable to different applications

User · Answer

TL DR If you have very simple scenarios  like a single client application  a single API then it might not pay off to go OAuth 2 0  on the other hand  lots of different clients  browser-based  native mobile  server-side  etc  then sticking to OAuth 2 0 rules might make it more manageable than trying to roll your own system   As stated in another answer  JWT  Learn JSON Web Tokens  is just a token format  it defines a compact and self-contained mechanism for transmitting data between parties in a way that can be verified and trusted because it is digitally signed  Additionally  the encoding rules of a JWT also make these tokens very easy to use within the context of HTTP  Being self-contained  the actual token contains information about a given subject  they are also a good choice for implementing stateless authentication mechanisms  aka Look mum  no sessions    When going this route and the only thing a party must present to be granted access to a protected resource is the token itself  the token in question can be called a bearer token  In practice  what you re doing can already be classified as based on bearer tokens  However  do consider that you re not using bearer tokens as specified by the OAuth 2 0 related specs  see RFC 6750   That would imply  relying on the Authorization HTTP header and using the Bearer authentication scheme  Regarding the use of the JWT to prevent CSRF without knowing exact details it s difficult to ascertain the validity of that practice  but to be honest it does not seem correct and or worthwhile  The following article  Cookies vs Tokens  The Definitive Guide  may be a useful read on this subject  particularly the XSS and XSRF Protection section  One final piece of advice  even if you don t need to go full OAuth 2 0  I would strongly recommend on passing your access token within the Authorization header instead of going with custom headers  If they are really bearer tokens  follow the rules of RFC 6750  If not  you can always create a custom authentication scheme and still use that header   Authorization headers are recognized and specially treated by HTTP proxies and servers  Thus  the usage of such headers for sending access tokens to resource servers reduces the likelihood of leakage or unintended storage of authenticated requests in general  and especially Authorization headers    source  RFC 6819  section 5 4 1

User · Answer

JWT is an open standard that defines a compact and self-contained way for securely transmitting information between parties  It is an authentication protocol where we allow encoded claims  tokens  to be transferred between two parties  client and server  and the token is issued upon the identification of a client  With each subsequent request we send the token   Whereas OAuth2 is an authorization framework  where it has a general procedures and setups defined by the framework  JWT can be used as a mechanism inside OAuth2   You can read more on this here  OAuth or JWT  Which one to use and why

User · Answer

Firstly  we have to differentiate JWT and OAuth  Basically  JWT is a token format  OAuth is an authorization protocol that can use JWT as a token  OAuth uses server-side and client-side storage  If you want to do real logout you must go with OAuth2  Authentication with JWT token can not logout actually  Because you don t have an Authentication Server that keeps track of tokens  If you want to provide an API to 3rd party clients  you must use OAuth2 also  OAuth2 is very flexible  JWT implementation is very easy and does not take long to implement  If your application needs this sort of flexibility  you should go with OAuth2  But if you don t need this use-case scenario  implementing OAuth2 is a waste of time   XSRF token is always sent to the client in every response header  It does not matter if a CSRF token is sent in a JWT token or not  because the CSRF token is secured with itself  Therefore sending CSRF token in JWT is unnecessary

User · Answer

OAuth 2 0 defines a protocol  i e  specifies how tokens are transferred  JWT defines a token format   OAuth 2 0 and  JWT authentication  have similar appearance when it comes to the  2nd  stage where the Client presents the token to the Resource Server  the token is passed in a header    But  JWT authentication  is not a standard and does not specify how the Client obtains the token in the first place  the 1st stage   That is where the perceived complexity of OAuth comes from  it also defines various ways in which the Client can obtain an access token from something that is called an Authorization Server    So the real difference is that JWT is just a token format  OAuth 2 0 is a protocol  that may use a JWT as a token format

[authentication] What are the main differences between JWT and OAuth authentication?

Examples related to authentication

Examples related to oauth

Examples related to oauth-2.0

Examples related to jwt