Why does JWT need to be sent as a Bearer Token header?
Asked Answered
A

1

5

I am adding JWT Auth for a completely new frontend to a legacy Rails backend.

Upon HTTP request, it seems most sources suggest I send the token back to the server via Bearer Header.

Why? What is the additional value of sending via header (bearer or basic). What can't I simply pass the JWT back to the server via .json and authenticate the token from there.

What benefit does an Authorization header give me, and moreso, what does a Bearer Authorization header give me?

I can of course simply follow everyone's example, but want to understand why. The bearer docs are verbose and hard to understand what I'm gaining over simple sending the JWT as part of the data in the request.

Thank you.

Arni answered 13/5, 2018 at 8:55 Comment(1)
It is better to keep auth and payload separate. What if you decide to do Kerberos, SAML, anything else later ?Whipstitch
S
6

You can technically send a json body on each request with the JTW but that would be non standard behaviour (for instance, GET requests should not have a body via the spec).

A more standard way would be to provide an Authorization HTTP header. The Authorization header is not specific to JWTs and its role is to specify an auth scheme between the client and the server. Another way would be to include the JWT inside a cookie but that would make the behaviour browser specific while the HTTP header can be sent by virtually any HTTP client.

P.S Bear in mind that contrary to Auth cookies which are sent by the browser automatically the Authorization header needs to be set by the client explicitly.

Sulfuric answered 13/5, 2018 at 9:32 Comment(1)
Very clarifying, thank you. I hadn't thought about (a) not sending json upon all requests and (b) the different behavior than cookies, which I would have inevitably bumped into. Much appreciated. -KobiArni

© 2022 - 2024 — McMap. All rights reserved.