What is OAuth?
OAuth is an open standard for authentication. It grants secure designated access to client applications on behalf of specific resource owners.
It even permits end users to grant third party applications limited access to their server resources without having to share their credentials with the third party application.
As an example, you could use OAuth to let Canva.com access your Facebook profile without giving Canva.com your Facebook password. Now if Canva suffers a data breach, your Facebook password cannot be stolen by anyone with malicious intent.
OAuth is not an authentication protocol, it is an authorization protocol. It is used to allow an application to do something rather than to prove that you are the resource owner.
OAuth can be compared with a valet key for a luxury car. Unlike your regular key, the valet key imposes certain restrictions upon the way your valet driver uses your car. For example, it will only let the valet drive the car for a couple of miles, will not allow the valet to open the trunk, etc.
Similarly, OAuth allows you to give an application limited access to your resources.
How does OAuth work?
There are three parties involved in an OAuth transaction: the user (you), the service provider (Google, Facebook, etc.), and the consumer (the third party application).
This is how OAuth works:
First, the user displays intent towards the consumer. Then the consumer seeks permission from the service provider and receives a token & secret. When the consumer uses the secret, the service provider can validate that the request is truly coming from the consumer application.
After that, the consumer redirects the user to the service provider for authorization. When the user reaches the service provider, the service provider shows the user which permissions the consumer is requesting.
When the user authorizes the token, the service provider gives the consumer an access token and secret. The consumer is now able to access the protected resource.
What is the difference between OAuth 1.0 & OAuth 2.0?
OAuth 2.0 is much faster than OAuth 1.0. While OAuth 1.0 only had three flows, OAuth 2.0 supports six flows and enables signed secrets over HTTPS.
What are the benefits of OAuth 2.0?
The main advantage of OAuth is that it gives the consumer access to the resources without sharing the user’s actual credentials. Here are some of the other benefits of OAuth:
- It allows users to control their data more effectively. With OAuth 2.0, users can choose which functionalities they want to grant applications access to.
- With tokenization, it gives consumers limited access to the users’ data.
- Tokens can be revoked in case of suspicious activity.
- It uses SSL to ensure that data remains private between web servers and browsers.
What is difference between OAuth and JWT?
The most significant difference between OAuth and JWT (JSON Web Tokens) is that OAuth 2.0 defines a protocol, which means that it specifies the way in which tokens are transferred, while JWT, on the other hand, defines a token format. JWT tokens are JSON encoded data structures contains information about issuer, subject (claims), expiration time etc. They are signed for authenticity and to be tamper proof and it is possible for you to encrypt them to protect the token information using symmetric or asymmetric approach. JWT is simpler than SAML 1.1/2.0, is supported by all devices, and is is more powerful than SWT(Simple Web Token).
Put simply, JWT defines a compact and self-contained mechanism for transmitting data between parties in a manner that can be verified and trusted because it is digitally signed. The encoding rules of a JWT even make these tokens rather easy to use within the context of HTTP.
OAuth 2.0 and "JWT authentication" do appear similar when it comes to the (2nd) stage in which the Client presents the token to the Resource Server: the token is passed in a header.
However, JWT authentication is not a standard and it fails to specifiy the way in which the client obtains the token in the first place (during the 1st stage). The perceived complexity of OAuth comes from the fact that it even defines several different ways through which the Client can obtain an access token from something that is known as an Authorization Server.
Essentially, the main difference between OAuth and JWT is that JWT is just a token format, while OAuth 2.0 is a protocol (and it might use a JWT as a token format).
OAuth uses server-side and client-side storage. If you want to log out, you need to use OAuth 2.0. Authentication via JWT does not enable you to log out since you do not have an Authentication Server that keeps track of tokens.
If you do wish to provide an API to third party clients, you need to make use of OAuth 2.0. OAuth is also rather flexible, but it takes a lot of time to implement. If your application does not need the level of flexibility that OAuth offers, you might want to use JWT because its implementation is rather easy and does not take a lot of time. In such a situation, it could be a waste of time to implement OAuth.
In case you have very simple scenarios such as a single client application, a single API, then it mgiht not be very benefiicial to make use of OAuth 2.0. But if you do have multiple different clients (browser-based, native mobile, server-side, etc) then making use of OAuth 2.0 rules might make it more manageable than attempting to roll your own system.