Difference between Session, JWT and OAuth Authentication?
What is the need for these different kinds of authentication?
Why do we need all these different authentication methods? What is the issue with normal password-based authentication?
Let's understand the limitations of normal password-based authentication.
1. It is the most basic form of user authentication.
2. You need to send the secret credentials in the header every time you make a request to the server, so if an attacker gets your credentials they can keep using them; this is not the case with token-based authentication, because there we have the concept of an expiry time.
3. HTTP is a stateless protocol, so the server keeps no memory of earlier requests; if the server restarts, all the users will have to authenticate themselves again.
To overcome the stateless nature of HTTP requests and the other problems above, we can use either a session or a token.
Let's try to understand the different authentication methods one by one.
Session Authentication
In session-based authentication, the server creates a session for the user after the user logs in. The session id is then stored in a cookie in the user's browser. While the user stays logged in, the cookie is sent along with every subsequent request. The server compares the session id from the cookie against the session information stored on the server to verify the user's identity, and responds to the request accordingly.
Session tokens have an expiry time, so after that time the token is no longer valid, which makes this authentication less vulnerable.
Note: On the back end, tokens are stored either in a cache or in a database, so to verify whether a token is valid the server needs to check that it exists in the cache or database.
Limitations:
1. To verify a token we need to perform a database query, which is more expensive than verifying a JWT.
2. If the tokens are stored in a cache and we add a new server (horizontal scaling), the new server's cache has never seen the existing sessions, so the cache becomes useless. This is the biggest limitation of session authentication. (To understand this you should know about load balancers and horizontal scaling.)
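As an added example (not from the original post), here is a minimal server-side session store in Python showing the expiry check, the per-request lookup, and the horizontal-scaling problem: a second server instance with its own cache cannot find a session created on the first. The store class, TTL and user name are constructed for illustration.

```python
import secrets
from typing import Optional

SESSION_TTL = 30 * 60  # constructed: sessions expire after 30 minutes


class SessionStore:
    """One in-memory store per server process: the 'cache' the post refers to."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str, now: float) -> str:
        # The cookie carries only this random, unguessable id, never the user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid: str, now: float) -> Optional[str]:
        # Every request costs one store lookup; this is the cost a JWT avoids.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[sid]  # expired: treat exactly like an unknown id
            return None
        return entry["user_id"]


def scaling_demo():
    """Two servers behind a load balancer, each with its own cache."""
    t0 = 1_000_000.0  # constructed clock value
    server_a, server_b = SessionStore(), SessionStore()
    sid = server_a.create("alice", t0)  # login handled by server A
    return (
        server_a.lookup(sid, t0 + 60),           # same server: "alice"
        server_b.lookup(sid, t0 + 60),           # other server: None, its cache never saw it
        server_a.lookup(sid, t0 + SESSION_TTL),  # after expiry: None
    )
```

Sharing one external store (a database or a shared cache) between the servers is the usual fix, at the price of the extra lookup on every request.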
JWT Authentication
JWT stands for JSON Web Token.
A JWT consists of three parts.
1. Header
The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
{
"alg": "HS256",
"typ": "JWT"
}
Then, this JSON is Base64Url encoded to form the first part of the JWT.
2. Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata.
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
The payload is then Base64Url encoded to form the second part of the JSON Web Token.
3. Signature
To create the signature part, you take the encoded header, the encoded payload, a secret and the algorithm specified in the header, and sign that.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
The signature is used to verify that the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.
As the image above shows, a JWT is the three parts discussed above, each Base64Url encoded and separated by dots.
A JWT also has an expiry time, so after that time the token is no longer valid, which makes this authentication less vulnerable too.
If you want to play with a JWT, visit https://jwt.io/
Note: With JWT we don't store the tokens anywhere; we simply use the secret key stored on the back end to sign the JWT, so all the limitations of session authentication are resolved.
Benefits:
1. Because we are not storing the token in a cache, it causes no trouble with horizontal scaling.
2. Very secure: if we try to tamper with any part of the token it becomes invalid, because the signature is computed over the header and payload, so if any part is changed the signature no longer matches and the whole token is rejected.
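As an added example (not from the original post), a small Python implementation of HS256 signing and verification using only the standard library. It follows the HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret) recipe above and shows that flipping a claim without re-signing, and presenting an expired token, are both rejected. The secret, claims and timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    # Base64Url without '=' padding, the encoding JWT uses for all three parts
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, payload)]
    signing_input = ".".join(parts)  # base64UrlEncode(header) + "." + base64UrlEncode(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if signature and expiry check out, otherwise None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None  # only accept the algorithm we expect; never let the header choose
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # any change to header or payload breaks the signature
    payload = json.loads(b64url_decode(p))
    current = time.time() if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        return None  # expired tokens are rejected even though the signature is fine
    return payload


SECRET = b"constructed-demo-secret"  # constructed; a real key is long and random


def tamper_demo():
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": "1234567890", "name": "John Doe", "admin": False, "exp": 2_000_000_000}
    token = sign_hs256(header, claims, SECRET)
    h, _, s = token.split(".")
    # Re-encode the payload with admin flipped but keep the original signature.
    forged = b64url(json.dumps(dict(claims, admin=True), separators=(",", ":")).encode())
    return (
        verify_hs256(token, SECRET, now=1_000_000_000) is not None,    # True: genuine token
        verify_hs256(f"{h}.{forged}.{s}", SECRET, now=1_000_000_000),  # None: tampered
        verify_hs256(token, SECRET, now=3_000_000_000),                # None: expired
    )
```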
OAuth Authentication
In simple words, OAuth is basically using other services to authenticate your clients.
Suppose you have to log in to a website but you don't trust it; then what would you do? If I am not wrong, you would search for a button with "Google" on it.
So that's the reason why we need OAuth authentication.
How does it work?
Okay, let's try to understand this through a chat between two friends.
Jhabar: Bro, I am creating a website but I am afraid of whether people would use it or not.
Bunny: What are you afraid of?
Jhabar: To use the services provided by my website people would have to authenticate themselves, and you know that most people don't prefer to give their credentials.
Bunny: Bro, why don't you use OAuth?
Jhabar: What?
Bunny: I said OAuth.
Jhabar: I have no clue what you are talking about; would you please explain?
Bunny: Ok, basically you can use the OAuth service provided by Google, Facebook, GitHub, etc. to authenticate your users.
Jhabar: But how are these third parties able to do so?
Bunny: Okay, so when you are creating your website you will have to use their OAuth APIs. For that you need to register your domain name and also give your information to them. Then you will be able to use it in your back end. Plus, when a user authenticates through OAuth, they are basically giving permission to the service provider to give their non-secret information to your back end, like their name, profile_pic, email, etc., so you will be able to use that in future.
Jhabar: Wow, that's a great concept. I never knew this even though I have used this service a lot.
So I hope you understood the differences between these different types of authentication.