Oct 05, 2019, 10:52 AM
## What is JWT?
JWT stands for JSON Web Token. A JWT is a short-lived token issued by the server so that clients can authenticate
themselves without the server having to maintain an active session. JSON Web Token (JWT) is an open standard (RFC 7519)
that defines a compact and self-contained way of securely transmitting information between parties as a JSON object.
This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the
HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Signed tokens let the recipient verify the integrity of the claims they contain, while encrypted tokens hide those
claims from other parties. When tokens are signed with a public/private key pair, the signature also certifies that only
the party holding the private key could have signed them.

### JWT versus API key
An API key is usually generated once and that's it! It usually doesn't expire unless such a mechanism is implemented on
the server side. When using an API key, each request to the server includes a header carrying the key. This creates a
security issue if the key is exposed to an unauthorized user (e.g. captured in a man-in-the-middle attack): it could
then be used by that party to perform requests that look legitimate.

Unlike an API key, a JWT has an expiry timestamp; it has to be renewed or refreshed regularly to stay valid. If such a
token is exposed to a third party, they may not be able to refresh it, and it will be invalidated after its expiry
timestamp.

### JWT versus Cookie-based sessions
To keep track of all user sessions, the server has to maintain a record of them. In Django, user sessions are stored and
maintained in its underlying DB. This constrains the scalability of the system: even if the system is distributed and
scaled horizontally, each node still has to retrieve the session data stored in the underlying database. Second, it is
even more complex to make your session universal across multiple domains.

JWT can save you a lot of fuss when dealing with authentication across multiple domains and with horizontal scalability,
since there is no need to keep session state stored on the server.