which authentication is best to use and secure?

nathaniel suarez

Dec 30, 2019, 11:33:34 PM
to Django REST framework
Which authentication is best to use and secure? Sessions, tokens, OAuth or JWT?

Kal Sze

Dec 30, 2019, 11:56:00 PM
to django-res...@googlegroups.com
Hi Nathaniel,

Let's make one thing clear first:

OAuth is for authorization, not for authentication. OAuth 2.0 can form the basis of OpenID Connect, which in turn is for authentication. To understand the difference, read these pages:
Now that we have that out of the way, I'm going to give my 2 cents:

JWT is one type of token. Ultimately OpenID Connect also gives you a token.

So the question is really sessions vs tokens.

With sessions, your application has full control over the validity of the session. With tokens, you're supposed to trust the validity of the token for the validity period specified in the token.

With tokens, your client usually needs to attach the token in an Authorization header in the HTTP request.
With sessions, the session ID is usually stored in the cookie, and it's usually automatically sent with each HTTP request; no other data needs to be specifically attached or sent.

Tokens can get quite large; you don't want to be shuttling the token back and forth for every request.

One recommended practice is to use the token to exchange for a Django session, and then just keep using the session afterwards.

Best Regards,
Kal

On Tue, 31 Dec 2019 at 12:33, nathaniel suarez <nate.s...@gmail.com> wrote:
Which authentication is best to use and secure? Sessions, tokens, OAuth or JWT?

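A framework-agnostic sketch of the token-for-session exchange recommended in the reply above, added as an example and not part of the original thread. The key, the in-memory session store and every function name are assumptions; in Django, `django.contrib.auth.login()` and the session middleware would take the place of `exchange_token_for_session` and `user_for_session`.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"  # assumption: HS256 key shared with the token issuer
SESSIONS = {}                     # server-side store: session id -> record

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def make_token(sub, exp):
    """Build a constructed HS256 JWT so the example has input to work on."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "exp": exp}).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

def verify_token(token, now):
    """Return the claims, or raise ValueError if the token must not be trusted."""
    head, body, sig = token.split(".")          # wrong part count -> ValueError
    header = json.loads(_unb64(head))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")  # pin it; never trust the header's choice
    if not hmac.compare_digest(_sign(f"{head}.{body}"), _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))           # parsed only after the MAC checks out
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now or "sub" not in claims:
        raise ValueError("expired or incomplete token")
    return claims

def exchange_token_for_session(token, now):
    """One-time exchange: verified token in, short opaque session id out."""
    claims = verify_token(token, now)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": claims["sub"], "expires": now + 1800}
    return sid

def user_for_session(sid, now):
    """Per-request lookup; the server alone decides whether the session is valid."""
    rec = SESSIONS.get(sid)
    if rec is None or rec["expires"] <= now:
        SESSIONS.pop(sid, None)
        return None
    return rec["user"]

def logout(sid):
    SESSIONS.pop(sid, None)  # immediate revocation, no waiting for the token's exp
```

After the exchange the client sends only the short session id, and the session stays valid or is revoked on the server's terms regardless of the `exp` in the original token.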

nathaniel suarez

Dec 31, 2019, 12:15:55 AM
to Django REST framework
How would you do it that way?
Would it be okay with React Native also?