Should I use JWT or Basic Token authentication in the Django Rest Framework?

I am going to implement token authentication in my API using the Django Rest Framework, but I'm not sure whether I should use the built-in module to create tokens or use the JSON Web Token standard (JWT) (using the djangorestframework-jwt package). The only hint I found was in the DRF docs:

Unlike the TokenAuthentication built-in scheme, JWT authentication does not need to use a database to verify the token.

Is there any other difference, advantages or disadvantages?

Note: the API will be accessed from the website (using AngularJS) and from the mobile application.

+8
python rest django token jwt
Apr 03 '15 at 21:35
2 answers

Looking at the existing token authorization mechanisms, I would recommend using JWT tokens regardless of the platform. JWT tokens carry all of their claims inside and can be decoded on the client. This means that instead of receiving an opaque token that gives the client no information, you can store claims in the token and decode it on the client to build your interface. JWT tokens are stateless, so you don't need to store or track them on the server side, which is useful if you scale out to multiple servers. They are also secure because the signing key stays private on the server side, which lets you make sure that any call coming into your API uses a valid token that was issued by your authorization API.

JWT tokens work very well with Angular clients. Since they are JSON, you can decode them in your Angular client and even bind UI elements directly to the claims (someone with an administrator claim can see the administrator menu, and a user without that claim will never know the menu exists, if it is implemented properly).

In addition, a JWT token still behaves like any bearer token (issued by the auth API, stored by the client, passed to the resource API in the Authorization header), so there are really no drawbacks to using it that I can think of.

This way you will have less back and forth between the client and the server, as well as easier scaling, if you use JWT tokens.

+10
Apr 03 '15 at 21:58

JWT:

  • Any client who holds it can make claims with it (like money when buying).
  • No database access after issuing; the built-in validity period dictates verification.

A JWT has an expiration date and remains valid until that time. This may be undesirable if you need to log the user out for a password reset or force them out.

To eliminate the above problems, a token blacklist can be used. This results in re-implementing the persistent or in-memory tracking that the JWT was trying to avoid in the first place. However, lookups will only be needed for the selected keys, while with Basic Token Auth a lookup is done for every user.

A JWT can be decoded by anyone who has it. Therefore, you need to be mindful of the information packed into the token. The Basic Auth token, on the other hand, is a simple hash that can be thought of as just a reference to the user.

When using caching and other performance improvements, you may not need to worry about the overhead, but rather about convenience and controlling the flow in future.

Having full control over authentication, authorization and invalidation is good, whether it is JWT + blacklist or Basic Token Auth.

Therefore, the Basic authentication token may be better if the flow is configured to meet your needs.

+2
Dec 07 '16 at 16:53
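The trade-off the two answers describe, shown side by side as an added example (stdlib only, not code from DRF or djangorestframework-jwt): an HS256 JWT that verifies without any lookup unless a blacklist is consulted, next to an opaque token that is only a hashed reference to a user and needs a store lookup on every request. The SECRET value and the in-memory store are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional
SECRET = b"constructed-demo-secret"   # constructed: the server-side HS256 key, never leaves the server

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, ttl_seconds: int, now: int) -> str:
    """Stateless issue: the claims plus exp are signed, nothing is stored server-side."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(dict(claims, exp=now + ttl_seconds)).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: int, blacklist=frozenset()) -> Optional[dict]:
    """Check signature and exp with no database; the blacklist (by jti) is the one piece of state
    needed to log a user out before exp, which is the trade-off the second answer describes."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None                      # forged or tampered token
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None                      # never let the token choose the algorithm
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now or payload.get("jti") in blacklist:
        return None                      # expired, or revoked via the blacklist
    return payload                       # anyone can decode this, so keep claims non-sensitive

class OpaqueTokenStore:
    """DRF TokenAuthentication style: the token is only a reference to a user; every request
    needs a lookup, and revocation is an immediate delete."""
    def __init__(self):
        self._by_hash = {}               # store a hash so a leaked table does not leak live tokens

    def issue(self, user: str) -> str:
        token = secrets.token_hex(20)
        self._by_hash[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def verify(self, token: str) -> Optional[str]:
        return self._by_hash.get(hashlib.sha256(token.encode()).hexdigest())

    def revoke(self, token: str) -> None:
        self._by_hash.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```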