Slide 1

Slide 1 text

OAuth2 & JWT Authentication and Authorization protocols based on tokens

Slide 2

Slide 2 text

@kikobeats say ‘hello’!

Slide 3

Slide 3 text

BUT FIRST Basic concepts

Slide 4

Slide 4 text

Authentication: who are you? An anonymous user? A registered user? An admin user?

Slide 5

Slide 5 text

Authorization: what you are authorized to do

Slide 6

Slide 6 text

ON THE OTHER HAND, they are complementary concepts

Slide 7

Slide 7 text

HTTP as a REST protocol: the typical API design, but what does it mean?

Slide 8

Slide 8 text

REpresentational State Transfer. "RESTful" is typically used to refer to web services implementing such an architecture.

Slide 9

Slide 9 text

The REST philosophy allows you to create services compatible with any device or client that supports the HTTP protocol.

Slide 10

Slide 10 text

REST typically uses JSON as its data format.

Slide 11

Slide 11 text

The most important REST features are:
● Stateless
● Uniform
● Based on status codes
● Cacheable
What does stateless mean?

Slide 12

Slide 12 text

The client has the responsibility to identify itself in the request. Requests don't have state. Why? Scalability.

Slide 13

Slide 13 text

Cookies are typically used for storing and sharing sessions.

Slide 14

Slide 14 text

REST + Cookies

Slide 15

Slide 15 text

The problem is that cookies have a lot of security and privacy problems:
● Hijacking
● Third-party cookies
● XSS attacks
● Cross-site request forgery (CSRF)

Slide 16

Slide 16 text

A better approach: Token-based Authentication with JSON Web Tokens (JWT)

Slide 17

Slide 17 text

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded (base64) as a JSON object that is digitally signed using JSON Web Signature (JWS). At this moment a working group is creating the standard (draft 32).

Slide 18

Slide 18 text

JWT.io Example

Slide 19

Slide 19 text

REST + JWT

Slide 20

Slide 20 text

Benefits of the JWT approach:
● Mobile ready
● CORS
● Performance
● More control
● Definitely fewer security problems...

Slide 21

Slide 21 text

The token must be stored somewhere. A good place would be a cookie on a free domain, but DON'T send the cookie itself: send the value stored inside the cookie!

Slide 22

Slide 22 text

What about OAuth2?

Slide 23

Slide 23 text

OAuth2 is an authorization architecture that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, Twitter, GitHub.... It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access that user account. OAuth2 provides authorization flows for web and desktop applications and mobile devices, without the user sharing their credentials with those applications.

Slide 24

Slide 24 text

OAuth2 follows a token approach too, but in the authorization flow.

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

Is JWT better than the cookie approach? Probably it is the same. If you have a cookie-based approach without security problems and you follow good practices, you are on the right track. JWT is the natural evolution of cookies and fixes some issues from the beginning. What we are looking for is security and control.

Slide 27

Slide 27 text

References
● JSON Web Token Standard Draft
● 10 Things You Should Know about Tokens – Auth0
● Cookies vs Tokens. Getting auth right with Angular.JS – Auth0
● Using JSON Web Tokens as API Keys – Auth0
● JWT.io, a JWT playground