OAuth and JWT for Authorization

リン (linh)
Published in Goalist Blog
3 min read · Jul 13, 2023

I. What is JWT

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Source: https://jwt.io/introduction

JSON Web Tokens consist of three parts separated by dots: Header.Payload.Signature. The header and payload are JSON objects, each Base64Url encoded; the signature is computed over those two parts with a secret key which, of course, must be kept secret, otherwise anyone who holds it can forge a token. Note that Base64Url is an encoding, not encryption: anyone can read the header and payload without the key; the key is what lets the receiver trust that they have not been altered.
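The three-part structure described above, as an added example that is not part of the original post: it builds an HS256 token with only the standard library, shows that the payload can be read without the key, and shows that verification rejects a tampered payload or a wrong key. The function names and the secret are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url(data: bytes) -> str:
    # Base64Url without padding, as JWT requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url() stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Header.Payload are signed together; the signature is the third part.
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def read_payload_unverified(token: str) -> dict:
    # Anyone can do this: the payload is encoded, not encrypted.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    # Returns the payload only if the signature checks out, else None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse "none" or any other algorithm
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))

def tamper(token: str, new_payload: dict) -> str:
    # Swap the payload but keep the original signature (what an attacker without the key can do).
    h, _p, s = token.split(".")
    return f"{h}.{encode_json(new_payload)}.{s}"

SECRET = b"constructed-demo-secret"  # constructed for this example only
TOKEN = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
TAMPERED = tamper(TOKEN, {"sub": "alice", "role": "admin"})
```

Calling `read_payload_unverified(TAMPERED)` returns the forged "admin" role, while `verify_hs256(TAMPERED, SECRET)` returns None, which is why a resource server must verify the signature before trusting any claim.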

II. What is OAuth

OAuth (Open Authorization) is a specification that allows users to delegate access to their data without sharing their username and password with that service.
Source: https://auth0.com/blog

In other words, OAuth is an open-standard authorization protocol that allows third-party applications to access user data from a service provider without sharing passwords.

III. What’s the difference

The main difference is how it works, or how it’s implemented.

As you can see from the flow above:

  • JWT is a self-contained way to transmit information between parties as a JSON object. It is often used to securely transmit information between an API and a client application, or between a server and a client application, and it carries the claims that grant access to user data and files. JWT is suitable for stateless applications: the server can authenticate users and authorize access to resources by verifying the token alone, without maintaining session state.
  • OAuth, by contrast, uses a unique token to grant access to the user’s resources. It enables a user to grant a third-party application access to their resources on another site without sharing their username and password. That’s why you often see options to log in to an app with your Google, Facebook or GitHub account. OAuth provides a secure way for the user to give permission for the third-party application to access their resources without exposing their login credentials.

In conclusion, the main difference is

Have you ever got into a situation where you think you know something but actually don’t? I have seen and implemented both flows above, but not until now did I know they have different names and are two different authorization protocols. Although it’s not a big deal, I’m glad that I finally made it clear. And, hopefully, it’s clear for you too.

Thank you!
