Comparing JWT and OAuth is like comparing an apple with an apple cart. JWT is an authentication protocol, whereas OAuth is an authentication framework. It is possible to have an OAuth implementation that issues JWTs as its authentication mechanism. Before going into more detail, let's first look at JWT and OAuth individually.
What is OAuth?
OAuth is an open standard for access delegation, commonly used to let Internet users grant websites or applications access to their information on other websites without handing over their passwords. In practice it is a strict protocol for issuing and validating signed access tokens that grant limited access to a web service. Keep in mind that OAuth only works over HTTPS.
How OAuth works
Let's assume a user has already signed into one website or service. The user then initiates a feature that needs to access another site or service. The following happens:
- The first website connects to the second website on behalf of the user, using OAuth, and provides verified identity details such as a client id and secret key.
- The second site generates a one-time token and a one-time secret that are unique to the transaction and the parties involved.
- The first site hands this token and secret to the initiating user's client software.
- The client software presents the request token and secret to its authorization provider (which may or may not be the second site).
- If not already authenticated to the authorization provider, the client may be asked to authenticate. After authentication, the client is asked to approve the authorization transaction with the second website.
- The user approves a particular transaction type at the first website.
- The user is given an approved access token.
- The user gives the approved access token to the first website.
- The first website gives the access token to the second website as proof of authentication on behalf of the user.
- The second website lets the first website access its site on behalf of the user.
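The steps above simulated end to end in Python, as an added example that is not code from the original post: a toy second website (acting as its own authorization provider) checks the first website's client id and secret, mints a one-time request token and secret, records the user's approval, exchanges the approved request token for an access token exactly once, and gates the protected resource on that access token. The class, method names and sample values (`site1`, `alice`, `constructed-secret`) are constructed for illustration and do not come from any real OAuth library.

```python
import hmac
import secrets

class SecondSite:
    """Constructed toy 'second website' that is also its own authorization provider (names assumed)."""
    def __init__(self, clients):
        self.clients = dict(clients)  # client_id -> client_secret of registered first websites
        self.request_tokens = {}      # one-time request token -> state of that transaction
        self.access_tokens = {}       # access token -> (client_id, user)

    def issue_request_token(self, client_id, client_secret):
        # Steps 1-2: verify the first website's identity, then mint a one-time token and secret
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("unknown client or bad client secret")
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"client_id": client_id, "secret": token_secret, "user": None, "used": False}
        return token, token_secret

    def approve(self, token, user):
        # Steps 5-6: the authenticated user approves this transaction at the provider
        self.request_tokens[token]["user"] = user

    def exchange_for_access_token(self, client_id, token, token_secret):
        # Steps 7-8: an approved request token is traded for an access token, exactly once
        rt = self.request_tokens.get(token)
        if rt is None or rt["used"] or rt["user"] is None or rt["client_id"] != client_id:
            raise PermissionError("request token missing, unapproved, replayed or wrong client")
        if not hmac.compare_digest(rt["secret"], token_secret):
            raise PermissionError("bad request token secret")
        rt["used"] = True
        access_token = secrets.token_hex(16)
        self.access_tokens[access_token] = (client_id, rt["user"])
        return access_token

    def protected_resource(self, access_token):
        # Steps 9-10: the access token, never the user's password, gates the resource
        if access_token not in self.access_tokens:
            raise PermissionError("invalid access token")
        client_id, user = self.access_tokens[access_token]
        return f"{user}'s data, released to {client_id}"

def run_flow(first_site="site1", client_secret="constructed-secret", user="alice"):
    """Walk the listed steps end to end; returns what the first website finally reads."""
    second = SecondSite({first_site: client_secret})
    token, token_secret = second.issue_request_token(first_site, client_secret)
    second.approve(token, user)
    access = second.exchange_for_access_token(first_site, token, token_secret)
    return second.protected_resource(access)
```

The checks in `exchange_for_access_token` are where a real server earns its keep: an unapproved, replayed or mis-attributed request token must never turn into an access token, and the client secret and token secret are compared in constant time.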