
    What's the difference between JWTs and Bearer Token?

    Question

    I'm learning something about Authorization like Basic, Digest, OAuth2.0, JWTs, and Bearer Token.

    Now I have a question.

    You know the JWT is being used as an Access_Token in the OAuth2.0 standard. JWTs appear in RFC 7519, and Bearer Token in RFC 6750.

    For example, the Bearer:

    Authorization: Bearer <token>
    

    I used to send the token to the server by AJAX or add the token to the query string of the URL. I know that a token can also be sent by adding it to a request header. Does that mean that the token should be added to the Authorization Bearer header?

    Could you please tell me the relationship between JWTs and Bearer Token? Thanks a lot.

    Answer 1

    Short answer

    JWTs are a convenient way to encode and verify claims.

    A Bearer token is just a string, potentially arbitrary, that is used for authorization.

    Context (story time)

    A few years ago, before the JWT revolution, a <token> was just a string with no intrinsic meaning, e.g. 2pWS6RQmdZpE0TQ93X. That token was then looked up in a database, which held the claims for that token. The downside of this approach is that DB access (or a cache) is required every time the token is used.

    JWTs encode and verify (via signing) their own claims. This allows folks to issue short-lived JWTs that are stateless (read: self-contained, don't depend on anybody else). They do not need to hit the DB. This reduces DB load and simplifies application architecture because only the service that issues the JWTs needs to worry about hitting the DB/persistence layer (the refresh_token you've probably come across).

    Answer 2

    JWT is an encoding standard for tokens that contains a JSON data payload that can be signed and encrypted.

    JWT can be used for many things, among those are bearer tokens, i.e. a piece of information that you can present to some service that by virtue of you having it (you being the "bearer") grants you access to something.

    Bearer tokens can be included in an HTTP request in different ways, one of them (probably the preferred one) being the Authorization header. But you could also put it into a request parameter, a cookie or the request body. That is mostly between you and the server you are trying to access.
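The two answers above describe the same split from different sides: the bearer token is whatever string travels in the Authorization header, and a JWT is one possible format for that string that carries and signs its own claims. The following is an added example (not code from either answer) that shows both sides in working Python using only the standard library: it extracts the bearer credential from an Authorization header, and then either verifies it as an HS256-signed JWT (pinning the algorithm, constant-time comparing the signature, checking exp) or, when it is an opaque string, falls back to the database-style lookup Answer 1 describes. The secret, the opaque-token table and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: a server-side HMAC secret (in practice loaded
# from configuration, never hard-coded) and a stand-in for the database table
# that maps opaque tokens to their claims.
SECRET = b"example-hs256-secret-do-not-reuse"
OPAQUE_TOKENS = {"2pWS6RQmdZpE0TQ93X": {"sub": "alice", "scope": "read"}}


def _b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes, ttl_seconds: int, now: int) -> str:
    """Mint a self-contained HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the claims if the JWT is well-formed, correctly signed and unexpired; else None.

    No database access is needed: the claims are carried inside the token itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64url or bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm server-side so a token claiming "alg": "none" or a
    # different algorithm is rejected before any signature logic runs.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None  # missing or passed expiry: short-lived tokens are the point
    return claims


def extract_bearer(headers: dict) -> Optional[str]:
    """Pull the credential out of 'Authorization: Bearer <token>' (RFC 6750)."""
    value = headers.get("Authorization")
    if value is None:
        return None
    scheme, _, credentials = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return None
    return credentials.strip()


def authorize_request(headers: dict, secret: bytes, now: int) -> Optional[dict]:
    """Resolve the bearer token to claims: self-contained JWT first, opaque lookup otherwise."""
    token = extract_bearer(headers)
    if token is None:
        return None
    if token.count(".") == 2:
        return verify_jwt(token, secret, now)
    # Opaque token: the string means nothing by itself, so consult the store.
    return OPAQUE_TOKENS.get(token)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock so the run is reproducible
    jwt = issue_jwt({"sub": "alice", "scope": "read"}, SECRET, ttl_seconds=300, now=now)
    print(authorize_request({"Authorization": "Bearer " + jwt}, SECRET, now + 10))
    print(authorize_request({"Authorization": "Bearer 2pWS6RQmdZpE0TQ93X"}, SECRET, now))
```

Note that the header check happens before the signature is computed: the server decides which algorithm it accepts, never the token. Expiry is compared against a clock the caller supplies so the behaviour is testable; a real service would pass the current time and typically allow a small skew.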

    JSON Web Token vs Bearer Token in Web Api

    Question

    I'm using Asp.Net Web Api

    I'm confused. I already use JSON web token. I understood that. I know the classic JSON web token: header, payload, signature, self-contained. The client can see the claims data.

    But Bearer Token is what? Bearer Token is self-contained too. We can access the token's data through a Bearer Token. The client cannot see the claims data.

    Then why don't we use Bearer Token? Isn't Bearer Token a standard? Is there something like a JWT Bearer Token?

    And how can I generate a custom Bearer Token in ASP.NET MVC Web API?

    Comment (Jan 4 '18 at 5:40): JWT is a token format. Bearer token is an authorization scheme.

    Answer

    JWT is a format which contains the user information in an encrypted JSON format.

    But Bearer Token is what?

    Bearer token means that when a party presents a bearer token, it is then allowed access to the resource. We don't validate the requesting party. Having the bearer token is enough.

    Is there something like JWT Bearer Token?

    JWT tokens can also serve as bearer tokens, e.g. in Azure AD authentication using the OAuth protocol.

    Then why don't we use Bearer Token?

    You don't use a bearer token when you don't want to blindly trust the party from which the bearer tokens are coming. In that case you want to verify the requesting party as well. In that case you might want to use SAML tokens. SAML stands for Security Assertion Markup Language. It is an XML-based open standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).

    How can I generate a custom Bearer Token in ASP.NET MVC Web API?

    Generation of a token is the work of an identity provider. Where I work, the flow is like this: Azure AD generates a bearer token in JWT format. The token is then sent to the Azure AD protected resource, which then allows access.

    I hope I have answered your doubts. Kindly let me know if you have any more doubts or issues. I would be more than happy if someone can point out any mistakes (if any) in the answer.

    Original source: https://www.cnblogs.com/chucklu/p/15683113.html