Issue
I’m currently building a server side with node.js and express.js for the framework. For Login and authentication mechanism I’m using username and password with JWT.
This server is using to serve many client like ios, android, and web app.
So, should I use oauth for this non protocol auth or JWT is enough?
Solution
For starters, OAuth and JWT are different.
- OAuth is an authorization protocol, it specifies how tokens are transferred.
- JWT is an authentication token, it is an ‘object’ whose content is an encoded ‘structure’ filled with user data, issuer, expiration time, etcetera. It allows transmitting data between parties in a way that can be verified and trusted, as it is digitally signed. It also allows for stateless authentication, as the data that is required to communicate with the server is self-contained within that single token.
To answer your question, it all depends on your use-cases. If your application is only being used at a small-scale and you just need to use a stateless API, it is better to use JWT as it is much easier to implement, thus resulting in a quicker development time. If your application is used at large-scale, serving various sensitive data over various parties, I think it is better to use OAuth.
Both of them are secure, as shown in their RFC documents.
Keep in mind that using OAuth might result in a longer development time, as it is also harder to understand than just ordinary JWT. OAuth tokens also do not have to be JWT, as the default token format is undefined, but JWT is the one commonly used and it should work fine.
Further reading: