OAuth vs JWT Explained

Think of OAuth and JWT as two different parts of a security ecosystem. They are often used together, but they serve completely different purposes. One is a protocol (the "how-to" manual), and the other is a token format (the "ID card").
1. What is OAuth 2.0?

OAuth is an open-standard authorization protocol. It allows a third-party application to access a user's data from another service (like Google or Facebook) without the user giving away their password.

- The Problem: You want a printing app to access your Google Drive photos, but you don't want to give the printing app your Google password.
- The Solution: OAuth provides a "handshake" in which Google gives the app a specific Access Token that only works for photos and only for a limited time.
2. What is JWT?

JWT is a compact, URL-safe way of representing claims to be transferred between two parties. It is a self-contained token: everything needed to read it travels inside the token itself.

A JWT consists of three parts separated by dots (.):

1. Header: The type of token and the signing algorithm.
2. Payload: The actual data (User ID, expiration time, etc.).
3. Signature: Used to verify that the token was issued by the holder of the signing key and that the header and payload weren't tampered with.
3. How They Work Together

In a modern web app, the relationship usually looks like this:

1. Authentication: The user logs in via OAuth (e.g., "Login with Google").
2. Issuance: Once the handshake is complete, the server generates a JWT as the Access Token.
3. Authorization: For every future request, the browser sends that JWT. The server checks that the signature is valid and that the token hasn't expired, then grants access.
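The three-part structure from section 2 and the verification step from section 3, as an added example that is not part of the original article. It builds an HS256-signed JWT with only the Python standard library, then verifies it the way a resource server should: the expected algorithm is pinned rather than read from the token, the signature is compared in constant time, and the expiration claim is enforced. The secret, the claims, and the fixed clock value are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real service loads its signing key from a secret store.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    # JWTs use base64url with the '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped when the token was minted.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature, each part base64url-encoded, signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the payload if the signature and expiry check out; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, signature_b64 = parts

    # Pin the algorithm: the verifier decides how to check, not the token's own 'alg' field.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))

    # Recompute the signature over the first two parts and compare in constant time.
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("signature mismatch: token was altered or signed with another key")

    # A valid signature is not enough; the token must also still be within its lifetime.
    payload = json.loads(_b64url_decode(payload_b64))
    if "exp" not in payload or now >= int(payload["exp"]):
        raise ValueError("token expired or missing exp claim")
    return payload


def _rejected(token: str, now: int) -> bool:
    try:
        verify_jwt(token, DEMO_SECRET, now=now)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Mint a token, verify it, then show three tokens a server must refuse."""
    issued_at = 1_700_000_000  # constructed fixed clock so the demo is deterministic
    claims = {"sub": "user-123", "scope": "photos.read", "exp": issued_at + 3600}
    token = create_jwt(claims, DEMO_SECRET)
    results = {"valid": verify_jwt(token, DEMO_SECRET, now=issued_at)}

    # Payload swapped for one claiming a broader scope, original signature kept.
    header_b64, _, signature_b64 = token.split(".")
    forged_payload = _b64url_encode(json.dumps(dict(claims, scope="photos.write")).encode())
    results["tampered_rejected"] = _rejected(".".join([header_b64, forged_payload, signature_b64]), issued_at)

    # Same token presented two hours later, past its exp.
    results["expired_rejected"] = _rejected(token, issued_at + 7200)

    # Header declaring no algorithm and an empty signature.
    none_header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    none_payload = _b64url_encode(json.dumps(claims).encode())
    results["alg_none_rejected"] = _rejected(none_header + "." + none_payload + ".", issued_at)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks in verify_jwt is deliberate: the algorithm is fixed before any cryptography runs, the signature is verified before the payload is trusted, and the expiry is read only from a payload that has already passed the signature check.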