JWT vs simple token authentication in REST API











up vote
0
down vote

favorite












I wanted to use JWT (to learn it) in django-rest-framework instead of the built-in TokenAuthentication so I added django-rest-framework-simplejwt. The later provides two JWT tokens: a short-lived access token and a long-lived refresh token. However, tokens remain valid even after




  1. user is deleted

  2. password changes

  3. permissions change


Blacklisting



I thought I'll blacklist the refresh token if necessary. Incoming refresh tokens would then need to be checked against a blacklist stored in the db (Horizontal scalability advantage lost?)



If admin deletes user X, how does he know what refresh token the user has so it can be blacklisted? Store all of that in the db too?



Use user_id?



The above JWT tokens include user_id by default. By checking user_id and the related permissions, I can deal with 1) and 3) above (although not 2). But this requires checking the db for every request.



Conclusion



The only advantage I can see in JWT now is that it can encode data, so the client might save a few requests. Seems very limited.



Built-in TokenAuthentication doesn't expire, but it seems better to extend TokenAuthentication and add expiration than use JWT to me right now. I am left confused why JWT is supposed to be industry best practice. Is it with different use cases in mind? But the requirement to invalidate tokens seems pertinent in any use case.



My Question



Any comments on what downside there is to using TokenAuthentication and why JWT is so big would be very welcome.










share|improve this question




























    up vote
    0
    down vote

    favorite












    I wanted to use JWT (to learn it) in django-rest-framework instead of the built-in TokenAuthentication so I added django-rest-framework-simplejwt. The later provides two JWT tokens: a short-lived access token and a long-lived refresh token. However, tokens remain valid even after




    1. user is deleted

    2. password changes

    3. permissions change


    Blacklisting



    I thought I'll blacklist the refresh token if necessary. Incoming refresh tokens would then need to be checked against a blacklist stored in the db (Horizontal scalability advantage lost?)



    If admin deletes user X, how does he know what refresh token the user has so it can be blacklisted? Store all of that in the db too?



    Use user_id?



    The above JWT tokens include user_id by default. By checking user_id and the related permissions, I can deal with 1) and 3) above (although not 2). But this requires checking the db for every request.



    Conclusion



    The only advantage I can see in JWT now is that it can encode data, so the client might save a few requests. Seems very limited.



    Built-in TokenAuthentication doesn't expire, but it seems better to extend TokenAuthentication and add expiration than use JWT to me right now. I am left confused why JWT is supposed to be industry best practice. Is it with different use cases in mind? But the requirement to invalidate tokens seems pertinent in any use case.



    My Question



    Any comments on what downside there is to using TokenAuthentication and why JWT is so big would be very welcome.










    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I wanted to use JWT (to learn it) in django-rest-framework instead of the built-in TokenAuthentication so I added django-rest-framework-simplejwt. The later provides two JWT tokens: a short-lived access token and a long-lived refresh token. However, tokens remain valid even after




      1. user is deleted

      2. password changes

      3. permissions change


      Blacklisting



      I thought I'll blacklist the refresh token if necessary. Incoming refresh tokens would then need to be checked against a blacklist stored in the db (Horizontal scalability advantage lost?)



      If admin deletes user X, how does he know what refresh token the user has so it can be blacklisted? Store all of that in the db too?



      Use user_id?



      The above JWT tokens include user_id by default. By checking user_id and the related permissions, I can deal with 1) and 3) above (although not 2). But this requires checking the db for every request.



      Conclusion



      The only advantage I can see in JWT now is that it can encode data, so the client might save a few requests. Seems very limited.



      Built-in TokenAuthentication doesn't expire, but it seems better to extend TokenAuthentication and add expiration than use JWT to me right now. I am left confused why JWT is supposed to be industry best practice. Is it with different use cases in mind? But the requirement to invalidate tokens seems pertinent in any use case.



      My Question



      Any comments on what downside there is to using TokenAuthentication and why JWT is so big would be very welcome.










      share|improve this question















      I wanted to use JWT (to learn it) in django-rest-framework instead of the built-in TokenAuthentication so I added django-rest-framework-simplejwt. The later provides two JWT tokens: a short-lived access token and a long-lived refresh token. However, tokens remain valid even after




      1. user is deleted

      2. password changes

      3. permissions change


      Blacklisting



      I thought I'll blacklist the refresh token if necessary. Incoming refresh tokens would then need to be checked against a blacklist stored in the db (Horizontal scalability advantage lost?)



      If admin deletes user X, how does he know what refresh token the user has so it can be blacklisted? Store all of that in the db too?



      Use user_id?



      The above JWT tokens include user_id by default. By checking user_id and the related permissions, I can deal with 1) and 3) above (although not 2). But this requires checking the db for every request.



      Conclusion



      The only advantage I can see in JWT now is that it can encode data, so the client might save a few requests. Seems very limited.



      Built-in TokenAuthentication doesn't expire, but it seems better to extend TokenAuthentication and add expiration than use JWT to me right now. I am left confused why JWT is supposed to be industry best practice. Is it with different use cases in mind? But the requirement to invalidate tokens seems pertinent in any use case.



      My Question



      Any comments on what downside there is to using TokenAuthentication and why JWT is so big would be very welcome.







      authentication jwt






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited yesterday

























      asked yesterday









      M3RS

      1324




      1324



























          active

          oldest

          votes











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "196"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f209164%2fjwt-vs-simple-token-authentication-in-rest-api%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown






























          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Code Review Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f209164%2fjwt-vs-simple-token-authentication-in-rest-api%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Ellipse (mathématiques)

          Quarter-circle Tiles

          Mont Emei