Bill Thompson

Reputation: 3

JSON Web Tokens & OAuth

I am just starting out learning about authentication and authorization and I am trying to understand JWT and OAuth for REST APIs.

I have been doing some research but a few points are still unclear:

JWT

OAuth

Upvotes: 0

Views: 171

Answers (1)

pedrofb

Reputation: 39291

Does the token contain ALL information to verify that the request is safe?

The third part of a JWT like this hhhhh.ppppp.sssss is a digital signature performed with the server's private key over the header and payload of the token. Any alteration of the header, the payload or the signature will be detected by the server and the token will be rejected.

In other words, when generating the token on the server, do I need to save it along with a user name / id in a database to verify against with each subsequent call that is made to the API?

No, because the digital signature protects the content. You can safely trust any data found in the token.

Is JWT over HTTP safe enough, or is HTTPS required?

A JWT may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels (https). In cases where it is desirable to prevent disclosure of certain information to the client, the JWT should be encrypted.

[OAuth] In other words, I am completely outsourcing the authentication, removing the need for me to store user names and passwords somewhere. Is that correct?

Yes, you are right. OAuth allows users to authorize third-party applications without exposing their credentials.

Upvotes: 1
