JSON Web Tokens & OAuth

0
votes

I am just starting out learning about authentication and authorization and I trying to understand JWT and OAuth for REST APIs.

I have been doing some research but a few points are still unclear:

JWT

  • Does the token contain ALL information to verify that the request is safe? In other words, when generating the token on the server, do I need to save it along with a user name / id in a database to verify against with each subsequent call that is made to the API?
  • Is JWT over HTTP safe enough, or is HTTPS required?

OAuth

  • The way I understand it, I can delegate authorization to a 3rd party app (Facebook as an example) using OAuth. I receive a token back from the authentication call if the authentication is successful. I can then use this token to pass along with all calls to my API and because the token was issued by a trusted 3rd party app (Facebook). I can decode the token, verify that the token is secure and valid and then proceed with whatever it is I need to do in my API. In other words, I am completely outsourcing the authentication, removing the need for me to store user names and passwords somewhere. Is that correct?
1
oauthoauth-2.0jwt

1 Answers

1
votes

Does the token contain ALL information to verify that the request is safe?

The third part of a JWT like this hhhhh.ppppp.sssss is a digital signature performed with server private key over the header and payload of the token. Any alteration of the header, the payload or the signature will be detected by the server and reject the token

In other words, when generating the token on the server, do I need to save it along with a user name / id in a database to verify against with each subsequent call that is made to the API?

No, because the digital signature protects the content. You can safely trust in any data found in the token

Is JWT over HTTP safe enough, or is HTTPS required?

A JWT may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels (https). In cases where it is desirable to prevent disclosure of certain information to the client, the JWT should be encrypted.

[OAuth] In other words, I am completely outsourcing the authentication, removing the need for me to store user names and passwords somewhere. Is that correct?

Yes, you are right, OAuth allows users to authorize third party applications without exposing their credentials