Avrohom

Reputation: 712

Asp Web API. JWT Authentication vs username / password Authentication

Sorry for such a novice question.

I am fairly new to web security.

Can someone please explain to me, why do we need JWT token authentication for web api (REST) when I could include { username | email } / password for every single API request?

Upvotes: 2

Views: 2283

Answers (1)

Chris Pratt

Reputation: 239200

Mostly, it's a separation of concerns thing. JWTs are a way to authorize a request, whereas username/password is a way to authenticate. The key difference is that authentication is something you should ideally only have to do once, and it should be done by a dedicated endpoint responsible for that. For every other request, you're simply confirming the authorization you received from that initial authentication.

If you were to send username and password with every request, every endpoint then would have to handle authentication logic, which would be a nightmare. Using a JWT, the endpoint can simply verify that it's valid and move on to what it's actually responsible for.

JWTs are just one method of authorization. In a traditional website-style application, this would be handled by a cookie. This then enables the user to log in once, and then proceed to browse protected areas of the site without having to log in again. The equivalent of what you're suggesting would be essentially like forcing the user to log in again every time they clicked a link, just to view that next page.

Upvotes: 6
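
The split the answer describes, as an added example (not part of the original answer and not ASP.NET code): a Python standard-library sketch in which one login function checks the password and every other endpoint only verifies an HS256-signed token. The user store, `SIGNING_KEY`, and the `login`, `verify` and `get_orders` names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, os, time

SIGNING_KEY = os.urandom(32)  # assumption: server-side secret, never sent to clients
_SALT = os.urandom(16)
# Constructed sample user store: username -> PBKDF2 hash of the password
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest())

def login(username: str, password: str, ttl: int = 900):
    """Dedicated endpoint: the only place that ever sees the password."""
    stored = USERS.get(username)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{_sign(signing_input)}"

def verify(token: str):
    """Every other endpoint: check signature and expiry, no user-store lookup."""
    try:
        header, claims, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        if not hmac.compare_digest(sig, _sign(f"{header}.{claims}")):
            return None  # constant-time comparison of the recomputed signature
        payload = json.loads(_unb64(claims))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong part count, bad base64, bad JSON
    return payload if payload.get("exp", 0) > time.time() else None

def get_orders(token: str):
    """Hypothetical protected endpoint: no password handling, only verify()."""
    claims = verify(token)
    if claims is None:
        return 401, "invalid or expired token"
    return 200, f"orders for {claims['sub']}"
```

The password crosses the wire once, at `login`; a leaked token is only useful until its `exp`, whereas a leaked password sent on every request would stay valid until changed.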
