JWT vs simple token authentication in REST API
I wanted to use JWT (to learn it) in django-rest-framework instead of the built-in TokenAuthentication, so I added django-rest-framework-simplejwt. The latter provides two JWT tokens: a short-lived access token and a long-lived refresh token. However, tokens remain valid even after

1. user is deleted
2. password changes
3. permissions change

Blacklisting

I thought I'd blacklist the refresh token if necessary. Incoming refresh tokens would then need to be checked against a blacklist stored in the db (Horizontal scalability advantage lost?)

If admin deletes user X, how does he know what refresh token the user has so it can be blacklisted? Store all of that in the db too?

Use user_id?

The above JWT tokens include user_id by default. By checking user_id and the related permissions, I can deal with 1) and 3) above (although not 2). But this requires checking the db for every request.

Conclusion

The only advantage I can see in JWT now is that it can encode data, so the client might save a few requests. Seems very limited.

Built-in TokenAuthentication doesn't expire, but it seems better to extend TokenAuthentication and add expiration than use JWT to me right now. I am left confused why JWT is supposed to be industry best practice. Is it with different use cases in mind? But the requirement to invalidate tokens seems pertinent in any use case.

My Question

Any comments on what downside there is to using TokenAuthentication and why JWT is so big would be very welcome.
authentication jwt
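An added example, not code from the question or from django-rest-framework-simplejwt: a stdlib-only HS256 mint/verify pair that applies, on every request, the checks the post discusses (user_id looked up in the user table so deletion and permission changes take effect immediately, plus a refresh-token blacklist keyed by the jti claim), and that also covers the password-change case the post says user_id alone cannot handle, by comparing a per-user pw_version claim against the table. SECRET, USERS, REFRESH_BLACKLIST and pw_version are constructed stand-ins for the server key and the database.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-secret"  # assumption: server-side HMAC key, never sent to clients
USERS = {7: {"is_staff": False, "pw_version": 1}}  # constructed stand-in for the user table
REFRESH_BLACKLIST = set()  # constructed stand-in for a blacklist table of refresh-token jti values

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(user_id: int, token_type: str, lifetime: int, now=None) -> str:
    """Issue an HS256 JWT carrying user_id, a unique jti and the user's current pw_version."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"user_id": user_id, "token_type": token_type, "jti": uuid.uuid4().hex,
              "exp": int(now + lifetime), "pw_version": USERS[user_id]["pw_version"]}
    body = header + "." + _b64(json.dumps(claims).encode())
    return body + "." + _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def verify(token: str, expected_type: str, now=None) -> dict:
    """Return claims plus fresh permissions, or raise ValueError with the rejection reason."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")  # raises ValueError on a malformed token
    # Always verify as HS256 with our own key; the header's alg field is deliberately not trusted.
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(p))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["token_type"] != expected_type:
        raise ValueError("wrong token type")
    user = USERS.get(claims["user_id"])  # the per-request DB hit the post describes
    if user is None:
        raise ValueError("user deleted")  # case 1: deleted users are rejected at once
    if user["pw_version"] != claims["pw_version"]:
        raise ValueError("password changed")  # case 2: bump pw_version whenever the password changes
    if expected_type == "refresh" and claims["jti"] in REFRESH_BLACKLIST:
        raise ValueError("refresh token blacklisted")
    claims["is_staff"] = user["is_staff"]  # case 3: permissions come from the DB, not the token
    return claims

def rejection_reason(token: str, expected_type: str, now=None):
    try:
        verify(token, expected_type, now=now)
        return None
    except ValueError as e:
        return str(e)
```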
edited yesterday
asked yesterday
M3RS