ASP.NET Identity Bearer Token vs JWT Pros and Cons
I have used ASP.NET Identity for a while, and have been looking at JWT (JSON Web Token), as they seem interesting and easy to use.
jwt.io has a great example/tool for debugging the token.
However, I'm not entirely sure how JWTs work on the back end; would you still use Identity?
Also, how do the two tokens (bearer vs JWT) compare? Which is more secure?
JWTs are like a ticket to an attraction. It contains all the security information the server needs embedded in it. Once the server has handed it out, the client just needs to present it whenever it asks for something, and the server responds accordingly if it's valid.
The contents are entirely viewable, but they're signed using a secret key so the server can tell if they've been tampered with.
Since everything is in the JWT, and the client can present it to whomever they want, you can use it for single sign-on as long as the different servers share the same secret so they can verify the signature.
Like a ticket, a JWT has an expiry date. As long as it hasn't expired, it's valid. This means you can't revoke them before that. For this reason, JWTs often have short expiry times (30 mins or so), and the client is also issued a refresh token in order to renew the JWT when it expires.
JWTs
- Not stored on the server
- Great for SSO
- Can't be revoked prematurely
Bearer tokens are like a guest list. The server puts the client on the guest list, then provides a pass code to identify it when it wants something. When the client provides the code, the server looks it up on the list and checks that it's allowed to do whatever it's asking.
The server has to have the list available, so if you want to share access across servers, they either all need to be able to access the list (database), or talk to some authority that has it (auth server).
On the other hand, since they have the guest list, they can take you off it whenever they want.
Bearer tokens
- Stored on the server
- Can be revoked at any time
- Requires a central authority or shared database to share a token across servers
Bit of Tech has some excellent tutorials on implementing JWTs with Web API if you want to go down that route.
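The ticket and guest-list models side by side, as an added example that is not part of the original answer. It uses the Python standard library, not ASP.NET Identity, and `SECRET`, `issue_jwt`, `verify_jwt` and `GuestList` are names constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"  # constructed; every verifying server shares it

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header, payload):
    return hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def issue_jwt(sub, ttl, now=None):
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64e(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{b64e(sign(header, payload))}"

def verify_jwt(token, now=None):
    """Return the claims if signature and expiry hold, else None (no lookup needed)."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        # Constant-time compare; the algorithm is fixed here, never read from the token.
        if not hmac.compare_digest(sign(header, payload), b64d(sig)):
            return None
        claims = json.loads(b64d(payload))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None

class GuestList:
    """Opaque token store: the token is a random code, the data stays server-side."""
    def __init__(self):
        self.entries = {}
    def issue(self, sub):
        code = secrets.token_urlsafe(32)
        self.entries[code] = sub
        return code
    def verify(self, code):
        return self.entries.get(code)
    def revoke(self, code):
        self.entries.pop(code, None)
```

`verify_jwt` needs only the shared secret and the clock, which is why the token keeps working until `exp`; `GuestList.verify` needs the store, which is what makes `revoke` possible.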