OAuth or JWT? Which one to use and why? (tagged: laravel)



JWT is a simple authentication protocol; OAuth is an authentication framework.

An experienced developer will take about a month to fully understand and implement OAuth. An experienced developer can pick up the JWT protocol in about a day of reading the specifications. So basically, it boils down to your specific use case.

If you want simple stateless HTTP authentication to an API, then JWT is just fine and relatively quick to implement, even for a novice developer.

A few JWT resources for you:

And an OAuth resource:


JWT stands for JSON Web Token; as the name suggests, it is only a token for transferring secured data between two parties, that is, client and server.

OAuth2, on the other hand, is a set of rules or a procedure, commonly called a framework, that helps to authenticate and authorize two parties to transfer secured data.

The following diagram explains how OAuth2 works:

Authorization Code flow

Here is a more detailed explanation of the steps in the diagram:

  1. The application requests authorization to access service resources from the user
  2. If the user authorized the request, the application receives an authorization grant
  3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant
  4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
  5. The application requests the resource from the resource server (API) and presents the access token for authentication
  6. If the access token is valid, the resource server (API) serves the resource to the application

Both these can be used together in transferring secure data.

JWT comes into play in the 3rd and 6th steps of OAuth2.


JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

OAuth 2.0 is a protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification is being developed within the IETF OAuth WG.

In OAuth we have different types of tokens:

1) WS-Security tokens, especially SAML tokens

2) JWT tokens

3) Legacy tokens

4) Custom tokens

The most important thing to understand when comparing JWT and OAuth2, is that they are not alike. Or even incompatible.

**JWT is an authentication protocol** This means it is a strict set of instructions for the issuing and validating of signed access tokens. The tokens contain claims that are used by an app to limit access to a user.

**OAuth2 is an Authorization Framework** OAuth2, on the other hand, is a framework (think very detailed guideline) for letting users and applications authorize specific permissions to other applications in both private and public settings.

A few good links: