Securing Java REST Service: JSON Web Token (JWT)

Published 2019-08-24 20:07

Question:

I would like to know whether JWT or OAuth 1.0 is the best approach for securing REST services. We are planning to develop a Dojo based web application and a JAX-RS REST based web service. Could someone help me on this?

It will be really good if you can suggest some sample code for implementing the same in Java.

Thanks in Advance.

Answer 1:

JWT and OAuth are the standards. The JWT standard tells us how to create a token which is shared between the server and the client (browser or API) to maintain state. Traditionally, we used the JSESSIONID as the token, which is created by the server and then sent to the client in a cookie or as a query parameter in the URL. That JSESSIONID is later submitted by the client repeatedly to the server with each request. It is an identifier used by the server to look up the session object present in server memory.

Nowadays JWT is another approach to maintaining sessions. Just as a session object holds user details, a JWT token contains the user information in the token itself. Because of that we call JWT a value token, as it contains the information itself, whereas the JSESSIONID is a reference token because it is a reference to a session object maintained by the server.

JWT has advantages and disadvantages as well:

Advantages: best for a cluster environment.

Disadvantages: not meant to be used when the token contains secure information. Since JWTs are only encoded, they can be attacked by a malicious user over the network. At the same time, the JSESSIONID is just a reference, whereas the actual data is persisted in the session object.

So select from these choices based on your requirement of what you want to keep in the session.

OAuth: This is the standard for authorization; here the client server requires authorization for user data (the resource owner) from the authorization server. Basic example for OAuth 2: let's say there is an online game application running on a server, and the user accesses the application, which starts loading into the user's browser. Now that application asks the user for a grant to post data about games on his Facebook account. Here the user authorizes that application to access his Facebook posts through the OAuth standard. Refer to the internal mechanism: https://tools.ietf.org/html/rfc6749

Basically, the security of an application addresses three major areas:

1. Authentication: who are you? Can be done through OpenID or the traditional form-login based approach.
2. Authorization: which resources are you authorized to access? Can be achieved through OAuth.
3. Integrity constraint: access my application over a secure TLS layer (SSL/HTTPS).

Any web application must address these concerns to become secure.
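The asker requested sample Java code. The following is an added example, not code from either answer: a minimal HS256 JWT mint/verify routine using only the JDK (no JWT library), which demonstrates the "value token" point above: the payload is readable by anyone who holds the token (Base64url encoding is not encryption), while tampering with the claims is caught by the signature. The secret, the sample claims, and the class name `JwtDemo` are constructed placeholders; the header check and the constant-time comparison are the two mistakes a hand-rolled verifier most often gets wrong.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Minimal HS256 JWT mint/verify using only the JDK (illustrative, not a library). */
public class JwtDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Builds header.payload.signature; payloadJson holds the claims the client will carry. */
    public static String mint(byte[] key, String payloadJson) throws Exception {
        String header = B64.encodeToString(
                "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmac(key, signingInput));
    }

    /** Returns the payload JSON if the signature is valid, null otherwise. */
    public static String verify(byte[] key, String token) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        // Pin the algorithm server-side: never let the token's header choose how it is verified.
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"HS256\"")) return null;
        byte[] expected = hmac(key, parts[0] + "." + parts[1]);
        byte[] given = B64D.decode(parts[2]);
        // Constant-time comparison so the check does not leak timing information.
        if (!MessageDigest.isEqual(expected, given)) return null;
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder secret: a real deployment uses a random 256-bit key kept out of source control.
        byte[] key = "replace-with-a-random-256-bit-secret".getBytes(StandardCharsets.UTF_8);
        // Constructed sample claims.
        String claims = "{\"sub\":\"alice\",\"role\":\"user\",\"exp\":1700000000}";
        String token = mint(key, claims);
        System.out.println("token: " + token);

        // 1) Anyone holding the token can read the payload without the key: encoded, not encrypted.
        String payloadPart = token.split("\\.")[1];
        System.out.println("payload readable without key: "
                + new String(B64D.decode(payloadPart), StandardCharsets.UTF_8));

        // 2) The server accepts the untampered token...
        System.out.println("verify(original): " + verify(key, token));

        // 3) ...but a client that edits the claims cannot produce a matching signature.
        String forgedPayload = B64.encodeToString(
                "{\"sub\":\"alice\",\"role\":\"admin\"}".getBytes(StandardCharsets.UTF_8));
        String tampered = token.split("\\.")[0] + "." + forgedPayload + "." + token.split("\\.")[2];
        System.out.println("verify(tampered): " + verify(key, tampered)); // null
    }
}
```

In a JAX-RS service the `verify` call would live in a `ContainerRequestFilter` that reads the `Authorization: Bearer <token>` header and aborts the request with 401 when it returns null. A production verifier must additionally parse the claims as JSON and reject expired tokens (`exp`), and, per the "disadvantages" above, nothing secret belongs in the payload because step 1 shows it is readable by anyone.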



Answer 2:

These are incomparable things. OAuth is about an SSO (single sign-on) scenario for third-party services, while JWT is only about an authentication token format. At least OAuth is a higher-level standard. OAuth 1.0 requires client-side encryption which is not needed in its 2.0 version. JWT allows combining stateless REST services in one security realm, which is a huge advantage if your REST API is split into several microservices.