Advantage of JWT as OAuth Access Token Vs OAuth Default Token
In this article, we will look at the benefits of using a JWT as the OAuth access token instead of the default (opaque) OAuth access token. We will use the Password Grant Type flow to show the benefit of using a JWT.
Token-based authentication allows users to prove their identity and, in return, receive a unique access token to access a resource. Once the user logs out of the app, the token is invalidated. It is considered a secure way of authentication.
What is OAuth?
OAuth (Open Authorization) is an open standard for token-based authentication and authorization. OAuth allows third-party services, such as Facebook, to use account information from an end user without exposing the user's password.
What is JWT (JSON Web Token)
JSON Web Token (JWT) is an open standard (RFC 7519) that specifies a compact and self-contained way of transmitting information securely as a JSON object between parties. This information can be verified and trusted because it is digitally signed. It can also hold all of the user's claims, such as authorization information, so that the service provider does not need to query a database to validate the user's roles and permissions on each request; the data is extracted from the token itself.
What is Password Grant Type?
The Password grant type is a way to exchange a user's username and password for an access token. With this grant, the client application itself has to collect the user's password and send it to the authorization server.
Password Grant Type Flow using Default OAuth2 Access Token
The flow shown in the figure above includes the following steps:
- The resource owner provides the client application with its username and password.
- The client application requests an access token from the authorization server by passing the credentials received from the resource owner.
- The authorization server authenticates the client by validating the resource owner's credentials. Once validation is successful and the request is valid, it issues an access token.
- The client sends the received access token to the resource server to access the resource endpoint.
- The resource server validates the access token by calling the authorization server.
- If the token is valid, the resource server returns the requested resource to the client.
Advantages of JWT Access Token
If you look at the 5th step of the flow above, every time we call a resource or REST API, the resource server has to call the authorization server to check whether the supplied access token is valid. If we use a JWT as the OAuth access token instead, the resource server does not have to call the authorization server on every request, because the JWT itself carries the authentication information, the expiry time and any other user-defined claims, and all of it is digitally signed.
Since the JWT already contains all of this information, we do not have to go back to the authorization server to fetch the user's details in order to verify that the user is valid.
- Good performance: as shown in the diagram above, there is no need to call the authorization server to validate the access token, which removes one network call per request.
- Portable: a single access token can be used across multiple backends, as long as each of them can verify the signature.
- The JWT carries the expiration time as a claim (exp), which the resource server can use to determine when the access token expires.
- It is a secure way to validate the user's information, because the token is digitally signed and any tampering breaks the signature.
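The following is an added, self-contained simulation of the two password-grant flows described above (the opaque-token flow with its introspection call in step 5, and the JWT flow with local validation). It is example code written for this article, not the project's own code and not Spring Security; it uses only the Python standard library and models the authorization server and resource server as in-process classes. Assumptions: HS256 with a constructed shared secret (a real deployment would more commonly use an asymmetric algorithm such as RS256), a constructed user "alice", and an in-memory store standing in for the authorization server's token database. The `verify_jwt` function shows the checks the resource server must do locally: pin the algorithm, compare the HMAC in constant time, and enforce `exp`. The `revoke` method illustrates the trade-off of skipping the network call: an opaque token can be invalidated at the authorization server immediately, while an already-issued JWT stays valid until it expires unless the resource server keeps its own deny-list.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret shared by authorization server and resource server.
SHARED_SECRET = b"demo-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Issues tokens for the password grant and answers introspection calls.
    `calls` counts every request that reaches it (grant + introspection)."""

    def __init__(self):
        self.users = {"alice": "correct-horse"}  # constructed resource owner
        self.opaque_tokens = {}  # opaque token -> claims, checked on introspection
        self.calls = 0

    def password_grant(self, username, password, token_format, ttl=300):
        """Steps 2-3: validate resource owner credentials, return an access token."""
        self.calls += 1
        if self.users.get(username) != password:
            raise PermissionError("invalid_grant")
        claims = {"sub": username, "scope": "read", "exp": int(time.time()) + ttl}
        if token_format == "opaque":
            token = secrets.token_urlsafe(32)  # random handle, meaningless by itself
            self.opaque_tokens[token] = claims
            return token
        return self.issue_jwt(claims)

    def issue_jwt(self, claims):
        """Sign header.payload with HMAC-SHA256 (HS256)."""
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                         + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
        sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def introspect(self, token):
        """Step 5 of the opaque flow: the resource server asks whether the token is valid."""
        self.calls += 1
        claims = self.opaque_tokens.get(token)
        if claims is None or claims["exp"] <= time.time():
            return None
        return claims

    def revoke(self, token):
        """Works for opaque tokens; an issued JWT is unaffected by this."""
        self.opaque_tokens.pop(token, None)


def verify_jwt(token, secret=SHARED_SECRET, now=None):
    """Local validation: structure, pinned algorithm, signature, expiry. No network call.
    Returns the claims on success, None on any failure."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never trust the token's own choice of algorithm
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class ResourceServer:
    def __init__(self, auth_server, token_format):
        self.auth_server = auth_server
        self.token_format = token_format

    def get_resource(self, token):
        """Step 4-6: validate the token (remotely or locally) and serve the resource."""
        if self.token_format == "opaque":
            claims = self.auth_server.introspect(token)
        else:
            claims = verify_jwt(token)
        if claims is None:
            return 401, None
        return 200, f"hello {claims['sub']}"


def run_flow(token_format, requests=3):
    """Run the password grant once, then hit the resource `requests` times.
    Returns (list of HTTP statuses, number of calls that reached the auth server)."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth, token_format)
    token = auth.password_grant("alice", "correct-horse", token_format)
    statuses = [rs.get_resource(token)[0] for _ in range(requests)]
    return statuses, auth.calls


if __name__ == "__main__":
    print("opaque:", run_flow("opaque"))  # 1 grant + 3 introspection calls
    print("jwt:   ", run_flow("jwt"))     # 1 grant, validation stays local
```

Running it shows the point of the article in numbers: three resource requests cost the authorization server four calls with an opaque token and a single call with a JWT. The flip side is visible in `revoke`: after revoking, the opaque flow immediately returns 401, while a JWT issued earlier still verifies until its `exp` passes.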