Reputation: 327
In token-based authentication, some information is encoded into a token and that token is sent to the client (usually as an http-only cookie). The client responds with the same token, and the token is decoded by the server to verify that the client is who they say they are.
I have a couple of questions that I can't google the answers to, so was hoping to get some coherent help :)
Is there anything in the token that ties it to the specific client? i.e. if Alice copies Bob's token then can Alice send authenticated requests to the server?
Given that, is the token actually providing anything that can't be provided with a random token stored on the server database? i.e. my server generates a random UUID, stores a hash of it in a cache with Alice's data, sends it to the client. Client responds with the same token, server looks it up in the cache and gets the credentials.
In other words, is JWT just an expensive way of generating a UUID? (I'm assuming you can't encode all the client data you want into the token and will have to do a database/cache lookup on the server end even with a token).
Upvotes: 2
Views: 3414
Reputation: 23436
Yes, a JWT token typically has a number of claims. The Subject claim would typically identify the user that was authenticated. If Alice copies Bob's token, she can use the API/application as if she were Bob. That's why it is important to use https to prevent bearer tokens from being stolen.
'iss' => Issuer of the token (Authority)
'sub' => Subject identifying the principal, typically the authenticated user
'aud' => Audience, the application trying to use the token
'exp' => Expiration, until when the token is valid.
See here for more info on the JWT token used in OAuth 2.0.
The thing that security tokens have over session tokens as you describe is that they can be validated without having to go back to the issuer (or central database). The issuer signs the token with its private key. The application is configured with the corresponding public key and can verify that the token was not compromised without going to the issuer.
Upvotes: 3
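The contrast the answer draws (a signed token with iss/sub/aud/exp claims that an application can check with nothing but the issuer's key, versus the opaque random token from the question that must be looked up in a server-side store) as an added, runnable example. This is not code from the question, the answer, or any JWT library. It uses HS256 (an HMAC with a shared key) from the Python standard library rather than the RSA private/public key pair the answer describes, because that keeps it dependency-free; the header.payload.signature structure and the claim checks are the same in both cases. The key, issuer, audience and subject values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values; a real deployment would use the issuer's key pair (e.g. RS256).
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_ISSUER = "https://auth.example"      # the 'iss' claim
DEMO_AUDIENCE = "api.example"              # the 'aud' claim


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: serialise header and claims, sign header.payload with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (b64url_encode(json.dumps(header, **compact).encode()) + "."
                     + b64url_encode(json.dumps(claims, **compact).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float = None) -> dict:
    """Application side: return the claims if the token is genuine and valid, else raise.

    Note that nothing here consults the issuer or a database; the key alone suffices.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except Exception as exc:  # bad base64 or JSON
        raise ValueError("malformed token") from exc
    # Accept only the algorithm we expect; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")          # payload or signature was altered
    claims = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def is_valid(token: str, key: bytes, issuer: str, audience: str, now: float) -> bool:
    try:
        verify_jwt(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False


def alter_subject(token: str, new_sub: str) -> str:
    """Rewrite the 'sub' claim but keep the original signature (to show verification catches it)."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(b64url_decode(p64))
    claims["sub"] = new_sub
    return h64 + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + "." + s64


class OpaqueSessionStore:
    """The alternative from the question: random token, hash stored server-side, lookup per request."""

    def __init__(self):
        self._by_hash = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def lookup(self, token: str):
        # Requires access to this store on every request; a second server has no way to check the token alone.
        return self._by_hash.get(hashlib.sha256(token.encode()).hexdigest())


if __name__ == "__main__":
    claims = {"iss": DEMO_ISSUER, "sub": "bob", "aud": DEMO_AUDIENCE, "exp": 2_000_000_000}
    tok = issue_jwt(claims, DEMO_KEY)
    print("valid:", is_valid(tok, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=1_700_000_000))
    print("altered sub:", is_valid(alter_subject(tok, "alice"), DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=1_700_000_000))
    store = OpaqueSessionStore()
    print("session lookup:", store.lookup(store.create("bob")))
```

The verifier checks the signature before it trusts a single claim, pins the algorithm, and rejects the wrong issuer, the wrong audience, or an expired token. What it cannot do, exactly as the answer says, is tell a token presented by its rightful holder from the same token copied by someone else: both the signed token and the opaque session token are bearer credentials, which is why the transport has to protect them.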