I am building a real-world application where users will access the app primarily from Android and iOS devices as well as desktops.
From my elementary research, I have realized that a token-based authentication mechanism is better and more elegant for client-server models than session-based authentication.
In Django, I have found two popular ways to do this -
- http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
- http://getblimp.github.io/django-rest-framework-jwt/
From what I understood, option 2] is an extension of 1], except that the token is in the form of JSON (serialized). I would like to understand what other differences there are between options 1] and 2] and the advantages/disadvantages of choosing either.
They both carry out similar tasks, with a few differences.
Token
DRF's builtin Token Authentication
- One Token for all sessions
- No time stamp on the token
DRF JWT Token Authentication
- One Token per session
- Expiry timestamp on each token
Database access
DRF's builtin Token Authentication
- Database access to fetch the user associated with the token
- Verify user's status
- Authenticate the user
DRF JWT Token Authentication
- Decode token (get payload)
- Verify token timestamp (expiry)
- Database access to fetch user associated with the id in the payload
- Verify user's status
- Authenticate the user
Pros
DRF's builtin Token Authentication
- Allows forced-logout by replacing the token in the database (ex: password change)
DRF JWT Token Authentication
- Token with an expiration time
- No database hit unless the token is valid
Cons
DRF's builtin Token Authentication
- Database hit on all requests
- Single token for all sessions
DRF JWT Token Authentication
- Unable to recall the token without tracking it in the database
- Once the token is issued, anyone with the token can make requests
- Specs are open to interpretations, no consensus on how to do refresh
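To make the trade-offs in the answer above concrete, here is an added, self-contained simulation (not code from the question, the answer, DRF or django-rest-framework-jwt). It models the two schemes side by side with the standard library only: an opaque DRF-style token that is looked up in a token table on every request and is revoked by replacing the row, versus an HS256 JWT (RFC 7519) whose signature and `exp` are checked before any user lookup, and which can only be revoked early by tracking its `jti` server-side. The user table, token table, secret and the `DB_HITS` counter are constructed in-memory stand-ins for a real database and settings; the function names are this example's own, not DRF's.

```python
"""Opaque (DRF-style) token vs. HS256 JWT: constructed, in-memory simulation."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the user table: user id -> record
USERS = {
    1: {"username": "alice", "is_active": True},
    2: {"username": "bob", "is_active": False},   # disabled account
}
DB_HITS = {"count": 0}          # counts user/token table lookups
SECRET = b"constructed-demo-secret-do-not-reuse"   # assumed signing key

# ---- DRF-style opaque token --------------------------------------------------
TOKEN_TABLE = {}                # token string -> user id (like authtoken_token)


def issue_opaque_token(user_id):
    """One token per user; re-issuing replaces the old row (forced logout)."""
    for tok, uid in list(TOKEN_TABLE.items()):
        if uid == user_id:
            del TOKEN_TABLE[tok]
    token = secrets.token_hex(20)           # 40 hex chars, like DRF's Token.key
    TOKEN_TABLE[token] = user_id
    return token


def authenticate_opaque(token):
    """Every request hits the table, valid token or not; returns user id or None."""
    DB_HITS["count"] += 1
    user_id = TOKEN_TABLE.get(token)
    if user_id is None or not USERS[user_id]["is_active"]:
        return None
    return user_id


# ---- HS256 JWT ---------------------------------------------------------------
REVOKED_JTI = set()             # server-side denylist; needed to revoke before exp


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(user_id, ttl_seconds, now):
    """Signed token carrying the user id and an expiry; no table row is written."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user_id, "iat": now, "exp": now + ttl_seconds,
               "jti": secrets.token_hex(8)}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authenticate_jwt(token, now):
    """Verify signature and expiry first; only a valid token reaches the user table."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":      # refuse 'none' / algorithm confusion
            return None
        expected = hmac.new(SECRET, "{}.{}".format(h64, p64).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None                       # tampered payload or wrong key
        payload = json.loads(_b64url_decode(p64))
    except ValueError:                        # bad base64 / JSON / segment count
        return None
    if payload.get("exp", 0) <= now:          # expired: rejected with no DB access
        return None
    if payload.get("jti") in REVOKED_JTI:     # early revocation needs tracking
        return None
    DB_HITS["count"] += 1                     # only now do we touch the user table
    user = USERS.get(payload.get("user_id"))
    if user is None or not user["is_active"]:
        return None
    return payload["user_id"]


def revoke_jwt(token):
    """Without this denylist a leaked JWT stays usable until exp."""
    _, p64, _ = token.split(".")
    REVOKED_JTI.add(json.loads(_b64url_decode(p64))["jti"])


def forge_user_id(token, new_user_id):
    """Attacker model: payload is readable and editable, but the signature is not."""
    h64, p64, s64 = token.split(".")
    payload = json.loads(_b64url_decode(p64))
    payload["user_id"] = new_user_id
    return "{}.{}.{}".format(
        h64, _b64url(json.dumps(payload, separators=(",", ":")).encode()), s64)
```

Run the functions in order: issuing a second opaque token for the same user silently logs out the first, an expired or tampered JWT never touches `USERS`, and `revoke_jwt` is the extra bookkeeping the answer's last "cons" bullet refers to.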