# OAuth and JWT for Authorization

### I. What is JWT

> JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
> Source: https://jwt.io/introduction

A JSON Web Token consists of three parts separated by dots: `Header.Payload.Signature`. The header and the payload are JSON objects, each Base64Url encoded; the signature is computed over those two encoded parts with the key. Base64Url is an encoding, not encryption, so anyone who holds a token can decode the header and payload and read the claims. What the secret key protects is integrity: whoever knows it can mint tokens the verifier will accept, so if it leaks, anyone can forge a valid token. Keep it secret, and do not put sensitive data in the payload just because the token is signed.

![](https://hackmd.io/_uploads/rkmA3HhKn.png)

### II. What is OAuth

> OAuth (Open Authorization) is a specification that allows users to delegate access to their data without sharing their username and password with that service.
> Source: https://auth0.com/blog

In other words, OAuth is an open-standard authorization protocol that lets a third-party application access a user's data at a service provider without ever receiving the user's password.

### III. What's the difference

The main difference is what each one defines and how it is used.

![](https://hackmd.io/_uploads/SkVAC02F3.png)

As the flow above shows:

JWT is a self-contained way to transmit claims between parties as a signed JSON object. It is typically used between an API and a client application, or between a server and a client, to carry the identity and permissions of the caller. Because the token carries and attests its own claims, it suits stateless applications: the server can authenticate the user and authorize access to resources without keeping session state.

OAuth, on the other hand, issues an access token that grants a third-party application access to the user's resources on another site. The user authorizes the application at the service provider, and the application receives a token in place of the user's username and password.
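Putting the two pieces together, as an added example that is not part of the original post: the first half builds and verifies an HS256 JWT in the `Header.Payload.Signature` form from section I, and the second half simulates the OAuth authorization-code exchange described above, with the authorization server issuing that JWT as the access token. Everything is standard-library Python. The authorization server, the `photo-printer` client and its registered redirect URI, the `photos:read` scope, the sample user and the shared signing secret are assumptions made for illustration, not taken from the post or from any real provider.

```python
"""Added example, not from the original post: a minimal HS256 JWT, then a
simulated OAuth authorization-code flow that issues one as the access token.
All names (the AS, the "photo-printer" client, scopes, users) are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# ---- Part 1: the JWT format, Header.Payload.Signature -----------------------

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_encode(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def jwt_peek(token: str) -> dict:
    """Read the payload WITHOUT the secret: it is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

def jwt_verify(token: str, secret: bytes, now=None) -> dict:
    """Return the payload only if alg is the one we expect, the HMAC matches and
    the token has not expired; raise ValueError otherwise."""
    h, p, s = token.split(".")                       # ValueError if not 3 parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # never trust the token's own alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if payload.get("exp", float("inf")) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return payload

# ---- Part 2: OAuth authorization-code flow, simulated in-process -------------
SIGNING_SECRET = secrets.token_bytes(32)   # known to the AS and resource server only

class AuthorizationServer:
    """Owns user passwords and client registrations; the third-party app never sees a password."""
    def __init__(self):
        self.users = {"alice": "correct horse battery staple"}   # constructed sample user
        self.clients = {"photo-printer": {"secret": "printer-secret",
                                          "redirect_uri": "https://printer.example/cb"}}
        self.codes = {}

    def authorize(self, username, password, client_id, redirect_uri, scope):
        """Step 1: the user logs in at the AS and consents; the AS hands the client a short-lived code."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": username, "client_id": client_id, "scope": scope}
        return code

    def token(self, code, client_id, client_secret):
        """Step 2: the client trades the code plus its own secret for an access token; codes are single-use."""
        grant = self.codes.pop(code, None)
        client = self.clients.get(client_id)
        if grant is None or client is None or grant["client_id"] != client_id:
            raise PermissionError("invalid grant")
        if not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("bad client secret")
        now = int(time.time())
        return jwt_encode({"iss": "https://as.example", "sub": grant["sub"], "aud": "photos-api",
                           "scope": grant["scope"], "iat": now, "exp": now + 600}, SIGNING_SECRET)

class ResourceServer:
    """Step 3: checks signature, audience and scope, then serves only the token subject's data."""
    photos = {"alice": ["beach.jpg", "dog.jpg"], "bob": ["cat.jpg"]}   # constructed sample data

    def list_photos(self, access_token):
        claims = jwt_verify(access_token, SIGNING_SECRET)
        if claims.get("aud") != "photos-api" or "photos:read" not in claims.get("scope", "").split():
            raise PermissionError("insufficient scope")
        return self.photos.get(claims["sub"], [])

def run_flow():
    """Drive the three steps and report what each party ends up holding."""
    auth, api = AuthorizationServer(), ResourceServer()
    code = auth.authorize("alice", "correct horse battery staple", "photo-printer",
                          "https://printer.example/cb", "photos:read")
    token = auth.token(code, "photo-printer", "printer-secret")
    try:                                   # a replayed code must be rejected
        auth.token(code, "photo-printer", "printer-secret")
        code_reusable = True
    except PermissionError:
        code_reusable = False
    return {"token": token, "photos": api.list_photos(token), "code_reusable": code_reusable}
```

`jwt_peek` is there to make the point from section I concrete: the printer app can read `sub`, `scope` and `exp` out of the token without knowing `SIGNING_SECRET`, but it cannot change them, because `jwt_verify` recomputes the HMAC, refuses any header whose `alg` is not the one the server expects, and rejects a past `exp`. On the OAuth side, the password is only ever presented to `AuthorizationServer.authorize`, the code is consumed on first use, and the client must prove its own `client_secret` at the token endpoint. A production authorization server would normally sign with an asymmetric key (RS256 or ES256) so that resource servers verify with a public key instead of sharing the HMAC secret.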
That's why you often see options to log in to an app with your Google, Facebook or GitHub account. OAuth gives the user a safe way to grant the third-party application access to their resources without exposing their login credentials.

In conclusion, the main differences are:

| Main comparisons | JWT | OAuth |
| -------- | -------- | ------ |
| Use case | User data is consumed by that one application only | All cases, especially when you want to expose your users' data as a resource; used for authorization to access resources on behalf of the owner |
| Tokens | Defines a token format | Defines an authorization protocol |
| Usability | Easier to implement | More complex |

Have you ever been in a situation where you thought you knew something but actually didn't? I have seen and implemented both flows above, but not until now did I know that they have different names and are two different authorization protocols. Although it's not a big deal, I'm glad that I finally made it clear. And hopefully it's clear for you too :woman-bowing:

<small> Published date: 2023-07-13 <br/> Also published <a href="https://medium.com/goalist-blog/oauth-and-jwt-for-authorization-84188bb96ef5">here</a>. </small>