Django : DRF Token based Authentication VS JSON Web Token
I am building a real-world application where users will access the app primarily from Android and iOS devices as well as desktops.

From my elementary research, I have realized that a token-based authentication mechanism is better and more elegant for client-server models as compared to session-based authentication.

In Django, I have found two popular ways to do this:

  1. http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
  2. http://getblimp.github.io/django-rest-framework-jwt/

From what I understood, option 2] is an extension of 1] except that the token is in the form of JSON (serialized). I would like to understand what other differences there are between option 1] and 2] and the advantages/disadvantages of choosing either.

Meandrous answered 24/7, 2015 at 0:57 Comment(3)
I have a somewhat similar setup. What I have done is that for my app client Token authentication works, but for my web client session authentication works. Not sure about what advantage JWT will provide? – Candelaria
possible duplicate of Appropriate choice of authentication class for python REST API used by web app – Dandruff
FWIW, django-rest-framework-simplejwt seems to be maintained while django-rest-framework-jwt is not. – Troxler
They both carry out similar tasks with a few differences.

Token

DRF's builtin Token Authentication

  1. One Token for all sessions
  2. No time stamp on the token

DRF JWT Token Authentication

  1. One Token per session
  2. Expiry timestamp on each token

Database access

DRF's builtin Token Authentication

  1. Database access to fetch the user associated with the token
  2. Verify user's status
  3. Authenticate the user

DRF JWT Token Authentication

  1. Decode token (get payload)
  2. Verify token timestamp (expiry)
  3. Database access to fetch user associated with the id in the payload
  4. Verify user's status
  5. Authenticate the user

Pros

DRF's builtin Token Authentication

  1. Allows forced-logout by replacing the token in the database (ex: password change)

DRF JWT Token Authentication

  1. Token with an expiration time
  2. No database hit unless the token is valid

Cons

DRF's builtin Token Authentication

  1. Database hit on all requests
  2. Single token for all sessions

DRF JWT Token Authentication

  1. Unable to recall the token without tracking it in the database
  2. Once the token is issued, anyone with the token can make requests
  3. Specs are open to interpretations, no consensus on how to do refresh
Incurve answered 8/11, 2016 at 20:22 Comment(5)
Sorry, I don't understand your answer. Could you clarify? Do you mean with option 1 you need to remember the user in a session, while for option 2 you just check the username in the URL of the request, so no session is required for option 2? – Reprove
@SanderVandenHautte I added more details to my answer. Hope it helps. – Incurve
Thanks! That's helpful. – Reprove
@un33k can you elaborate this? > Specs are open to interpretations, no consensus on how to do refresh – Insomniac
@Insomniac this is a complex topic and stackoverflow is not the right place for a detailed analysis. Please use the above as a reference for the Pros & Cons. Then you can refer to your design needs and the packages to figure out what is best for you. Please note that there is no silver bullet for authentication and anything you pick will have side effects. The mission is to minimize the side effects for your requirements. If I were to recommend something it would be signed-http cookies for authentication and JWT for authorization. Cookie valid for 2 weeks, JWT refreshed every 15 min. – Incurve
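To make the "Database access", "Pros" and "Cons" lists above concrete, here is an added, self-contained Python example (not code from the answer, from DRF, or from the django-rest-framework-jwt package). It stands in for DRF's Token table and Django's User table with constructed in-memory dicts, implements a minimal HS256 JWT with an `exp` claim using only the standard library, and counts simulated database lookups so the two request flows can be compared: the opaque-token flow hits the database on every request and can be revoked instantly by deleting the row, while the JWT flow rejects expired or tampered tokens before any database access but keeps honouring an issued token until it expires. All names (`USERS`, `TOKEN_TABLE`, `DB_HITS`, `verify_opaque_token`, `issue_jwt`, `verify_jwt`, `demo`) and the sample secret are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed in-memory stand-ins for Django's User table and DRF's Token table
# (sample data, not the real models). DRF-style: one opaque token row per user.
USERS = {1: {"username": "alice", "is_active": True},
         2: {"username": "bob", "is_active": False}}
TOKEN_TABLE = {"opaque-token-for-alice": 1, "opaque-token-for-bob": 2}
DB_HITS = {"count": 0}  # counts simulated database lookups


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _load_user(user_id):
    """The step both schemes end with: fetch the user (DB hit) and verify status."""
    DB_HITS["count"] += 1
    user = USERS.get(user_id)
    return user if user and user["is_active"] else None


def verify_opaque_token(token: str):
    """DRF-style flow: every request looks the token up in the database first."""
    DB_HITS["count"] += 1
    user_id = TOKEN_TABLE.get(token)
    return None if user_id is None else _load_user(user_id)


def revoke_opaque_token(user_id: int) -> None:
    """Forced logout (e.g. password change): deleting the row invalidates the token at once."""
    for tok, uid in list(TOKEN_TABLE.items()):
        if uid == user_id:
            del TOKEN_TABLE[tok]


def issue_jwt(user_id: int, secret: bytes, ttl_seconds: int, now=None) -> str:
    """Minimal HS256 JWT carrying user_id and exp (hypothetical helper, not the DRF-JWT package)."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"user_id": user_id, "exp": int(now) + ttl_seconds},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now=None):
    """JWT flow: signature and expiry are checked before any database access."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    # Always verify with the server's own algorithm; never let the token choose it.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # tampered or forged: rejected, no DB hit
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed base64 or JSON
    if header.get("alg") != "HS256" or payload.get("exp", 0) <= now:
        return None  # wrong algorithm or expired: still no DB hit
    return _load_user(payload.get("user_id"))


def demo():
    """Runs both flows on constructed input and returns the observed outcomes (single run)."""
    secret = b"constructed-demo-secret-do-not-reuse"
    now = 1_700_000_000  # fixed clock so results are reproducible
    results = {}
    DB_HITS["count"] = 0
    results["opaque_ok"] = verify_opaque_token("opaque-token-for-alice")["username"]
    results["opaque_inactive"] = verify_opaque_token("opaque-token-for-bob")
    results["opaque_hits"] = DB_HITS["count"]  # two lookups per request: token row + user row
    DB_HITS["count"] = 0
    good = issue_jwt(1, secret, ttl_seconds=900, now=now)
    results["jwt_ok"] = verify_jwt(good, secret, now=now + 60)["username"]
    results["jwt_expired"] = verify_jwt(good, secret, now=now + 901)
    h, _, s = good.split(".")
    forged = _b64url(json.dumps({"user_id": 2, "exp": now + 10**6}).encode())
    results["jwt_tampered"] = verify_jwt(f"{h}.{forged}.{s}", secret, now=now)
    results["jwt_hits"] = DB_HITS["count"]  # only the valid token reached the database
    revoke_opaque_token(1)  # forced logout: opaque token dies now, the JWT lives until exp
    results["opaque_after_revoke"] = verify_opaque_token("opaque-token-for-alice")
    results["jwt_after_revoke"] = verify_jwt(good, secret, now=now + 60)["username"]
    return results


if __name__ == "__main__":
    print(demo())
```

The last two results are the trade-off the answer's Pros and Cons describe: revoking the opaque token is one row deletion, whereas the still-valid JWT keeps authenticating until `exp` unless the server additionally tracks issued tokens (for example in a denylist), which reintroduces the per-request database lookup the JWT design was meant to avoid.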
Django provides two commonly used methods for handling authentication: Token Authentication and JSON Web Tokens (JWT) Authentication. Each has its own strengths and use cases, and the choice between them depends on your application's requirements. Here's a comparison of the two:

  1. Token Authentication:

    • Stateless: Token Authentication is typically implemented using a database table to store user tokens. Each token is associated with a specific user and has an expiration date. It doesn't require server-side storage of session data.

    • Scalability: Because Token Authentication is stateless, it can be more easily scaled horizontally. You can add more servers to handle increased traffic without worrying about session management.

    • Simple: Token Authentication is relatively simple to implement in Django. Django provides built-in support for token authentication through the Token model.

    • Limited Information: Tokens usually only contain basic information about the user, such as their user ID. If you need to include additional user data in the token, you'll need to query the database for each request.

    • Lack of Standard: Unlike JWT, Token Authentication does not have a standardized format, so you may need to handle token creation and validation manually.

  2. JWT (JSON Web Tokens) Authentication:

    • Stateless: Like Token Authentication, JWT is stateless. It doesn't require server-side storage of session data.

    • Self-Contained: JWTs are self-contained and can store additional user data (claims) within the token itself. This means that once you decode a JWT, you have access to user information without the need for an additional database query.

    • Standardized: JWT is an open standard (RFC 7519) with well-defined structures and libraries available for multiple programming languages, making it a good choice for interoperability.

    • Security: JWTs can be signed and optionally encrypted, providing a higher level of security. They are resistant to tampering, as any modification of the token can be detected during verification.

    • Complexity: Implementing JWT can be more complex than Token Authentication, especially when it comes to key management and token validation.

In summary, Token Authentication is a simpler choice for basic use cases where you don't need to store additional user data in the token and don't require a standardized format. JWT Authentication, on the other hand, is a more powerful and flexible option that's suitable for applications that require self-contained tokens, standardized formats, and enhanced security features.

Your choice between these two methods should depend on the specific requirements of your application and your familiarity with the technologies involved.

Latashalatashia answered 25/9, 2023 at 10:04 Comment(1)
AI-generated answers are not accepted on this site. See stackoverflow.com/help/gpt-policy – Nessa
