What Are The Main Differences Between JWT And OAuth ...
TL;DR If you have very simple scenarios, like a single client application, a single API then it might not pay off to go OAuth 2.0. On the other hand, if there are lots of different clients (browser-based, native mobile, server-side, etc) then sticking to OAuth 2.0 rules might make it more manageable than trying to roll your own system.
As stated in another answer, JWT (Learn JSON Web Tokens) is just a token format. It defines a compact and self-contained mechanism for transmitting data between parties in a way that can be verified and trusted because it is digitally signed. Additionally, the encoding rules of a JWT also make these tokens very easy to use within the context of HTTP.
Being self-contained (the actual token contains information about a given subject), they are also a good choice for implementing stateless authentication mechanisms (aka Look mum, no sessions!). When going this route, the only thing a party must present to be granted access to a protected resource is the token itself, and the token in question can be called a bearer token.
In practice, what you're doing can already be classified as bearer-token-based. However, do consider you're not using bearer tokens as specified by the OAuth 2.0 related specs (see RFC 6750). That would imply relying on the Authorization HTTP header and using the Bearer authentication scheme.
Regarding the use of the JWT to prevent CSRF: Without knowing exact details it's difficult to ascertain the validity of that practice. To be honest, it does not seem correct and/or worthwhile. The following article (Cookies vs Tokens: The Definitive Guide) may be a useful read on this subject, particularly the XSS and XSRF Protection section.
One final piece of advice. Even if you don't need to go full OAuth 2.0, I would strongly recommend passing your access token within the Authorization header instead of going with custom headers. If they are really bearer tokens, follow the rules of RFC 6750. If not, you can always create a custom authentication scheme and still use that header.
Authorization headers are recognized and specially treated by HTTP proxies and servers. Thus, the usage of such headers for sending access tokens to resource servers reduces the likelihood of leakage or unintended storage of authenticated requests in general, and especially Authorization headers.
(source: RFC 6819, section 5.4.1)
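The answer above describes two things: a self-contained, signed JWT used as a bearer token, and carrying that token in the Authorization header with the Bearer scheme per RFC 6750. The following Python is an added example, not code from the answer or from Stack Overflow: it builds an HS256 JWT, extracts the credentials from an Authorization header (scheme matched case-insensitively, as HTTP requires), and verifies the signature and expiry before trusting the claims. The secret and claims are constructed for the demo, and the function names are my own.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWS (alg=HS256) carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def parse_bearer(authorization: str) -> Optional[str]:
    """Return the b64token from 'Authorization: Bearer <token>' (RFC 6750 sec. 2.1),
    or None when the scheme is not Bearer or the credentials are missing."""
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()

def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the HS256 signature verifies and 'exp' is in the future."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":  # pin the algorithm; never honour 'none' or a peer-chosen alg
            return None
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None  # signature mismatch: payload or signature was altered
        claims = json.loads(_b64url_decode(p64))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims

def authenticate(headers: dict, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Resource-server side: only the standard Authorization header is consulted."""
    token = parse_bearer(headers.get("Authorization", ""))
    return verify_jwt(token, key, now) if token else None

if __name__ == "__main__":
    KEY = b"constructed-demo-secret"  # placeholder; use a random high-entropy key in practice
    tok = make_jwt({"sub": "alice", "exp": 2000000000}, KEY)
    print(authenticate({"Authorization": "Bearer " + tok}, KEY))
```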