What is the difference between OAuth based and Token based authentication?


Solution 1

This is a good question -- there is a lot of confusion around tokens and OAuth.

First up, when you mention OAuth, you are likely referring to the OAuth2 standard. This is the latest version of the OAuth protocol, and is what most people are specifically talking about when they say 'OAuth'.

The OAuth protocol supports several different types of authentication and authorization (4 to be precise).

Secondly, the OAuth protocol works by authenticating users via tokens. The idea here is this:

Instead of having your user send their actual credentials to your server on every single request (like they would with Basic Auth, where a user sends their username/password to the server for each request), with OAuth you first exchange your user credentials for a 'token', and then authenticate users based on this 'token'.

The idea of OAuth is that by requiring users to pass their confidential credentials over the network less frequently, fewer bad things can happen. (This is the idea, anyhow.)

Now, here's where tokens come into play: the OAuth spec is built around the concept of tokens, but DOES NOT SPECIFY WHAT A TOKEN IS.

In the most 'general' sense, a token is just a string that uniquely identifies a user. That's it.

People realized this, and developed a new standard for creating tokens, called the JSON Web Token standard. This standard basically provides a set of rules for creating tokens in a very specific way, which makes tokens more useful for you in general.

JWTs let you do things like:

  • Cryptographically sign a token so you know that a token wasn't tampered with by a user.
  • Encrypt tokens so the contents cannot be read in plain text.
  • Embed JSON data INSIDE of a token string in a standard way.

Now, for the most part: pretty much everyone in the development community has agreed that if you're using any sort of OAuth, then the tokens you're using should be JSON Web Tokens.


OK! Now that we've covered the backstory, let me answer your question.

The choice you're making above is whether or not you want to enable the full OAuth2 specification for authentication / authorization (which is quite complex), or whether you simply want some basic 'token authentication'.

Because the OAuth protocol provides multiple different ways to authenticate in a STANDARDS COMPLIANT way, it adds a lot of complexity to most authentication systems.

Because of this, a lot of frameworks offer a 'dumbed down' version of the OAuth2 Password Grant flow, which essentially is a simple method where:

  • A user sends their username/password to your server at some URL like /login.
  • Your server generates a JWT token for the user.
  • Your server returns that token to the user.
  • The user stores this token in their cookies, mobile device, or possibly an API server, where they use it to make requests.

Again: the flow above is NOT OAuth compliant, but is a slightly simpler version that STILL uses tokens.

The main point here is that tokens (JWTs) are generally useful, and don't NEED to be paired with the OAuth flow.

I realize this is a wall of text, but hopefully it answers your question in more depth =)
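To make the simplified `/login` flow in this answer concrete, here is a small, self-contained implementation added as an example (it is not code from the answer or from JHipster). It exchanges a username/password once for a short-lived HS256-signed JWT and then verifies that token on later requests, checking the three things a token-based scheme depends on: the signature (so a user cannot alter the claims), the pinned algorithm, and the expiry. The signing key, salt and user table are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo values: a real deployment loads the signing key from a secret
# store and uses a random per-user salt; neither belongs in source code.
SIGNING_KEY = b"demo-signing-key-not-for-production"
PASSWORD_SALT = b"constructed-demo-salt"
TOKEN_TTL_SECONDS = 15 * 60


def _hash_password(password: str) -> bytes:
    # Store only a slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 200_000)


# Constructed user table (username -> PBKDF2 hash of the demo password).
USERS = {"alice": _hash_password("correct horse battery staple")}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    def compact(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{compact(header)}.{compact(claims)}"
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        head_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        # Pin the algorithm server-side; the token's own "alg" is untrusted input.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{head_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time compare so the check leaks nothing about the signature.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        now = time.time() if now is None else now
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """The /login step: exchange credentials once for a short-lived signed token."""
    stored = USERS.get(username)
    # Hash even for unknown users so timing does not reveal which usernames exist.
    candidate = _hash_password(password)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    now = time.time() if now is None else now
    return mint_jwt({
        "sub": username,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(8),  # unique id so the token can be revoked if needed
    })


if __name__ == "__main__":
    token = login("alice", "correct horse battery staple")
    print(token)
    print(verify_jwt(token))
```

Nothing here is OAuth: the request shape, the response shape and the token format are all whatever the server chooses, which is exactly the point the answer makes about tokens not needing the OAuth flow.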

Solution 2

OAuth is a specification for authorization not authentication

OAuth 2.0 is a specification for authorization, but NOT for authentication. RFC 6749, 3.1. Authorization Endpoint explicitly says as follows:

The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.

Only use OAuth if you want to give access to a third party service to your APIs. Even when you are using OAuth you would need some kind of authentication (token based or session based etc) to authenticate the users. OAuth is not designed for authentication.

see this question.

Solution 3

When you are requesting resource from a secured web service, you can provide an authentication token on the call. The token acts as "secret code" for accessing the resource.

OAuth is just specific type of token based authentication method.

Cemre Mengü

Updated on November 20, 2020

Comments

  • Cemre Mengü
    Cemre Mengü over 3 years

    I thought that OAuth is basically a token based authentication specification but most of the time frameworks act as if there is a difference between them. For example, as shown in the picture below Jhipster asks whether to use an OAuth based or a token based authentication.

    Aren't these the same thing? What exactly is the difference, since both include tokens in their implementations?


  • Spomky-Labs
    Spomky-Labs over 7 years
    Good answer, but it should be mentioned that OAuth2 itself cannot be used to authenticate users (the client knows nothing about the user unless an API endpoint is available). OpenID Connect must be implemented to perform authentication based on OAuth2
  • rdegges
    rdegges over 7 years
    This is correct. I didn't elaborate on that because I didn't want to overly confuse the OP. But you are 100% correct.
  • hattenn
    hattenn about 7 years
    @rdegges, could you explain why the simple flow you explained is not OAuth compliant? What would you need to add to it to make it OAuth compliant?
  • RayLoveless
    RayLoveless about 7 years
    @hattenn here's an article (oauth.net/articles/authentication) that provides some details on why it's not oAuth compliant:
  • David
    David about 7 years
    @RayLoveless I read that article but I'm still not sure exactly why the above bullet point isn't OAuth2 compliant for the Password grant flow. Could you elaborate?
  • rdegges
    rdegges over 6 years
    @skaterdav85 it's because OAuth specifies a URL that needs to serve the request (/oauth/token), as well as specific query params and body params for the field names. It's very specific.
  • Nithin
    Nithin over 5 years
    This answer is misleading. Oauth is not an authentication framework, it is an authorization framework.
  • rdegges
    rdegges over 5 years
    I've already addressed this above @nithin -- I purposefully called it that to simplify the understanding for readers.
  • Mikz
    Mikz over 5 years
    @rdegges OAuth does not send the password to the server. It asks the user for authenticating their basic information from another server. Eg: spotify uses Facebook API to access your user name and Profile picture. In this case, spotify sends an authorization request and in parallel you grant permission to the same, then the authorization is granted and sent to spotify, and receives a token, that allows you to access only the username and profile picture in this case. Now Spotify receives only username and profile picture from FB and it is displayed in the UI
  • rdegges
    rdegges over 5 years
    @Mikz you are incorrect. It depends on what type of OAuth you are using. There are different grant types, and they are used in different ways. Because of the question that OP asked, I included details about the client credentials grant type which is what his question was referring to. There are obviously other modes as well, but all of them involve credentials at the IDP.
  • Mikz
    Mikz over 5 years
    @rdegges Thank you for the clarification. I was following a tutorial and came across that statement. Sorry, if it was confusing
  • Klyuch
    Klyuch almost 3 years
    Cool explanation in one place, thanks! I have all these thoughts in a mess but now I see it in order.
  • fkotsian
    fkotsian almost 2 years
    This. This. A thousand times this. 🙏 🙏
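The comment thread above asks what separates a framework's ad-hoc `/login` from the OAuth2 password grant. The following handler, added as an example and not taken from any answer or comment, shows what RFC 6749 §4.3 fixes: the request must be a `POST` with `application/x-www-form-urlencoded` parameters named `grant_type=password`, `username`, `password` and optionally `scope`; a confidential client must authenticate; a success response is JSON with `access_token` and `token_type` (plus `expires_in`) and must carry `Cache-Control: no-store`; and failures use the error codes of §5.2 (`invalid_request`, `invalid_client`, `invalid_grant`, `unsupported_grant_type`). The RFC leaves the endpoint's path to the server (§3.2), so the location is not part of the contract; the user table, registered client, secret and demo password below are constructed, and client credentials are passed in by the caller as if already extracted from HTTP Basic authentication.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Constructed tables: resource owners and registered confidential clients.
# Passwords are plaintext only to keep the example short; hash them in practice.
RESOURCE_OWNERS = {"alice": "correct horse battery staple"}
CLIENTS = {"demo-app": "demo-client-secret"}
ACCESS_TOKEN_TTL = 3600
# OAuth does not define the token format; these are opaque random strings that
# the server looks up later (the other answers' JWTs would work equally well).
ISSUED: Dict[str, dict] = {}

Response = Tuple[int, Dict[str, str], dict]

# Token responses must not be cached (RFC 6749 §5.1 and §5.2).
NO_STORE = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}


def _error(code: str, status: int = 400) -> Response:
    # Error codes are fixed by RFC 6749 §5.2; only invalid_client uses 401.
    return status, dict(NO_STORE), {"error": code}


def token_endpoint(method: str, content_type: str, body: str,
                   client_id: Optional[str] = None,
                   client_secret: Optional[str] = None) -> Response:
    """Handle a Resource Owner Password Credentials grant (RFC 6749 §4.3)."""
    if method != "POST" or content_type != "application/x-www-form-urlencoded":
        return _error("invalid_request")
    parsed = parse_qs(body, keep_blank_values=True)
    # §3.2: a parameter must not be repeated; an empty value counts as omitted.
    if any(len(values) > 1 for values in parsed.values()):
        return _error("invalid_request")
    form = {k: v[0] for k, v in parsed.items() if v[0] != ""}

    # Confidential clients must authenticate before any grant is processed.
    expected_secret = CLIENTS.get(client_id or "")
    if expected_secret is None or not hmac.compare_digest(
            expected_secret.encode(), (client_secret or "").encode()):
        return _error("invalid_client", status=401)

    grant_type = form.get("grant_type")
    if grant_type is None:
        return _error("invalid_request")
    if grant_type != "password":
        return _error("unsupported_grant_type")

    username, password = form.get("username"), form.get("password")
    if username is None or password is None:
        return _error("invalid_request")
    stored = RESOURCE_OWNERS.get(username, "")
    # Constant-time comparison; a wrong password is an invalid grant, not a bad request.
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return _error("invalid_grant")

    access_token = secrets.token_urlsafe(32)
    ISSUED[access_token] = {"sub": username, "client_id": client_id,
                            "scope": form.get("scope")}
    response = {"access_token": access_token, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL}
    if "scope" in form:
        response["scope"] = form["scope"]
    return 200, dict(NO_STORE), response


if __name__ == "__main__":
    status, headers, payload = token_endpoint(
        "POST", "application/x-www-form-urlencoded",
        "grant_type=password&username=alice&password=correct+horse+battery+staple",
        client_id="demo-app", client_secret="demo-client-secret")
    print(status, headers, payload)
```

A framework's `/login` route is free to accept JSON, name the fields as it likes and hand back any token it wants; a client written against the RFC cannot talk to it. That fixed wire format, not the use of tokens, is what the "OAuth" option in a generator such as JHipster buys you.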