I am still trying to find the best security solution for protecting REST API, because the amount of mobile applications and API is increasing every day.
I have tried different ways of authentication, but still has some misunderstandings, so I need advice of someone more experienced.
Let me tell, how I understand all this stuff. If I understand something incorrectly, please let me know.
As far as REST API is stateless as well as WEB in general, we need to send some auth data in each request(cookies, token….). I know three widely used mechanisms to authenticate user
-
Token with HTTPS. I have used this approach a lot of times it is good enough with HTTPS. If user provides correct password and login, he will receive token in response, and will use it for the further requests. Token is generated by the server and stored, for instance in the table separate or the same where user info is stored. So for each request server checks if user has token and it is the same as in the database. Everything is pretty straightforward.
-
JWT Token. This token is self-descriptive, it contains all necessary information about the token itself, user cannot change for example expiration date or any other claim, because this token is generated (signed) by the server with secret keyword. This is also clear. But one big problem, personally for me, how to invalidate token.
-
OAuth 2. I don't understand why this approach should be used when communication is established directly between server and client. As far as I understand, OAuth server is used to issue token with restricted scope to allow other applications access user information without storing password and login. This is great solution for the social networks, when user wants to sign up on some page, server can request permissions to get user info, for instance from twitter or facebook, and fill registration fields with user data and so on.
Consider mobile client for online store.
First question should I prefer JWT over first type token ? As far as I need login/logout user on mobile client, I need to store somewhere token or in case of JWT, token should be invalidated on logout. Different approaches are used to invalidate token one of the is to create invalid token list (black list). Hmm. Table/file will have much bigger size than if token was stored in table and associated with user, and just removed on logout.
So what are benefits of JWT token ?
Second question about OAuth , should I use it in case of direct communication with my server? What is the purpose of one more layer between client and server only to issue token, but communication will be not with oauth server but with the main server. As I understand OAuth server is responsible only for giving third-party apps permissions (tokens) to access user private information. But my mobile client application is not third-party.
Best Answer
Consider the first case. Each client gets a random ID that lasts for the duration of the session - which could be several days if you like. Then you store the information relevant to that session somewhere server side. It could be in a file or a database. Let's suppose you pass the ID via a cookie but you could use the URL or an HTTP header.
Session IDs/ Cookies
Pros:
Cons:
JSON Web Tokens (JWT)
In the second case the data is stored in a JWT that is passed around instead of on the server.
Pros:
Cons:
The server side needs code to generate, validate, and read JWTs. It's not hard but there is a bit of a learning curve and security depends on it.
Anyone who gets a copy of the signing key can create JWTs. You might not know when this happens.
There was (is?) a bug in some libraries that accepted any JWT signed with the "none" algorithm so anyone could create JWTs that the server would trust.
In order to revoke a JWT before it expires you need to use a revocation list. This gets you back to the server side storage issues you were trying to avoid.
OAuth
Often OAuth is used for authentication (i.e. identity) but it can be used to share other data like a list of content the user has purchased and is entitled to download. It can also be used to grant access to write to data stored by the third party. You might use OAuth to authenticate users and then use server side storage or JWT for the session data.
Pros:
Cons:
Miscellaneous