Hi folks!
I've been using passport with express sessions for user authentication for a while. Now I wanna try authentication with JWT (JSON Web Token). JWT authentication with email and password seems pretty simple. But I think it gets a little complicated when JWT is used with OAuth. I just wanna ask:
- Is it a popular practice to use JWT for OAuth?
- Which method is better, JWT or session based authentication? And please provide a link to a simple guide to use JWT for OAuth if you think JWT for OAuth is a better choice.
Thanks
Top comments (2)
The problem with JWTs is that they can't (easily) be revoked.
They're a signed signature; they don't have any feature to revoke them, nor would it be possible.
Furthermore, JWTs are easily decrypted. They're not an encrypted token; instead they're a hash that can only be verified as being signed by the key/certificate. With that in mind, storing anything sensitive within a JWT is asking for trouble.
That being said, there are ways around that issue.
For example, wrapping a session/OAuth access token with a JWT token. Store, for example, the user id, application id and refresh token/identifier within the JWT's claims. Then when validating, you can remove any that are invalid JWTs (which will save database queries), and then just ensure the refresh hasn't been revoked every time. You can do a similar thing with sessions.
Little nitpick - JWTs aren't made to be encrypted. There's a separate spec for JWT encryption.