
Session vs JWT vs OAuth 2

Session IDs / Cookies

In the first case the session data lives on the server and the client holds only an opaque session ID, usually in a cookie, which it sends with every request.
Session Pros:
  • Easy to code both the client and server.
  • Easy to destroy a session when someone logs out.
Session Cons:
  • The server side periodically needs to delete expired sessions where the client didn't logout.
  • Every HTTP request requires a lookup to the data store.
  • Storage requirements grow as more users have active sessions.
  • If there are multiple front end HTTP servers, the stored session data needs to be accessible by all of them. This is more work than keeping it on one server, but the bigger issues are that the shared data store becomes a single point of failure and can become a bottleneck.
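The server-side model described above, as an added example that is not from the original post: an in-memory session store whose client-visible token is a random opaque ID. It shows the per-request lookup, immediate destruction on logout, and the periodic purge of sessions whose clients never logged out. The 30 minute idle timeout is an assumed policy; the store is a plain dict standing in for whatever shared database the front end servers would use.

```python
import secrets

SESSION_TTL = 30 * 60          # 30 minutes of inactivity; an assumed policy for the demo


class SessionStore:
    """In-memory session store; the client only ever holds the opaque ID."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, user: str, now: float) -> str:
        # 256 bits from the OS CSPRNG: unguessable and carries no user data,
        # so there is nothing for the client to read or tamper with.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid: str, now: float):
        """Called on every request; refreshes the idle timer on a hit."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now >= rec["expires"]:
            del self._sessions[sid]      # lazy cleanup of an expired session
            return None
        rec["expires"] = now + SESSION_TTL
        return rec["user"]

    def destroy(self, sid: str) -> bool:
        """Logout: server-side deletion makes the ID useless immediately."""
        return self._sessions.pop(sid, None) is not None

    def purge_expired(self, now: float) -> int:
        """Periodic sweep for clients that never logged out; returns how many were removed."""
        dead = [sid for sid, rec in self._sessions.items() if now >= rec["expires"]]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def __len__(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    import time

    store = SessionStore()
    sid = store.create("alice", time.time())
    print(store.lookup(sid, time.time()))   # alice
    print(store.destroy(sid))               # True
    print(store.lookup(sid, time.time()))   # None
```

When the ID is placed in a cookie it should carry the `HttpOnly`, `Secure` and `SameSite` attributes so script and cross-site requests cannot lift it; the store itself never needs to see anything but the ID.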

JSON Web Tokens (JWT)

In the second case the session data is stored in a JWT that is signed by the server and carried by the client with each request, instead of being kept on the server.
JWT Pros:
  • The server side storage issues are gone.
  • The client side code is easy.
JWT Cons:
  • A JWT is larger than a session ID, often by hundreds of bytes. Since it is included with every HTTP request this can affect network performance.
  • The data stored in the JWT is only encoded, not encrypted, so it is readable by the client. This may be an issue.
  • The server side needs code to generate, validate, and read JWTs. It is not hard, but there is a learning curve and the security of the whole scheme depends on it.
    Anyone who gets a copy of the signing key can create JWTs that the server will trust, and you might not know when this has happened.
    Several libraries accepted tokens whose header declared the "none" algorithm and skipped signature verification entirely, so anyone could mint JWTs the server trusted. The server must pin the algorithm it expects rather than letting the token choose it.
  • In order to revoke a JWT before it expires you need a revocation list, typically keyed by a unique token ID (jti) and checked on every request. This gets you back to the server side storage issues you were trying to avoid.
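The verification failures listed above, as an added example that is not code from the original post: a minimal HS256 JWT issuer written with the standard library, an insecure verifier that takes the algorithm from the untrusted header (the "none" bug), and a hardened verifier that pins HS256, compares the signature in constant time, enforces exp, and consults a revocation list keyed by jti. The signing key and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads it from a secrets manager.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes, ttl: int, now: int) -> str:
    """Issue an HS256 JWT with iat/exp set; the caller supplies a unique jti for revocation."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_none_token(claims: dict) -> str:
    """What an attacker sends: header claims alg=none and the signature part is empty."""
    header = {"alg": "none", "typ": "JWT"}
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode()) + "."


def verify_jwt_insecure(token: str, key: bytes, now: int) -> dict:
    """Reproduces the library bug: the algorithm is read from the untrusted header."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    payload = json.loads(_b64url_decode(p))
    if header.get("alg") == "none":
        return payload                      # BUG: unsigned token accepted as valid
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if now >= payload.get("exp", 0):
        raise ValueError("expired")
    return payload


def verify_jwt(token: str, key: bytes, now: int, revoked: set) -> dict:
    """Hardened verifier: pinned algorithm, constant-time compare, exp check, jti denylist."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":        # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("missing or past exp")
    if payload.get("jti") in revoked:       # the revocation list is server-side state again
        raise ValueError("revoked")
    return payload


def rejects(token: str, key: bytes, now: int, revoked: set) -> bool:
    """True if the hardened verifier refuses the token."""
    try:
        verify_jwt(token, key, now, revoked)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    now = int(time.time())
    revoked = set()
    tok = issue_jwt({"sub": "alice", "jti": "t-001"}, SECRET, 3600, now)
    print(verify_jwt(tok, SECRET, now, revoked)["sub"])
    forged = forge_none_token({"sub": "admin", "exp": now + 3600})
    print(verify_jwt_insecure(forged, SECRET, now)["sub"])  # insecure verifier accepts the forgery
    print(rejects(forged, SECRET, now, revoked))              # hardened verifier refuses it
    revoked.add("t-001")                                      # logout before exp
    print(rejects(tok, SECRET, now, revoked))
```

Production code should use a maintained JWT library rather than hand-rolled verification, but the same two checks apply there: pass the allowed algorithm list explicitly to the verify call, and treat a missing exp as a failure rather than a token that never expires.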

OAuth 2

OAuth 2 is strictly an authorization framework, but it is often used for authentication (i.e. identity); OpenID Connect is the layer that standardizes login on top of it. It can also be used to share other data, like a list of content the user has purchased and is entitled to download, or to grant access to write data stored by the third party. You might use OAuth to authenticate users and then use server side storage or a JWT for the session data.
OAuth 2 Pros:
  • No code for users to signup or reset their password.
  • No code to send an email with a validation link and then validate the address.
  • Users do not need to learn/write-down another username and password.
OAuth 2 Cons:
  • You depend on the third party in order for your users to use your service. If their service goes down or they discontinue it then you need to figure something else out. For example, how do you migrate the user's account data if their identity changes from "foo@a.com" to "bar@b.com"?
  • Usually you have to write code for each provider, e.g. Google, Facebook, Twitter.
  • You or your users might have privacy concerns. The providers know which of their users use your service.
  • You are trusting the provider. It is possible for a provider to issue tokens that are valid for one user to someone else. This could be for lawful purposes or not.

Miscellaneous

  • Both session IDs and JWTs are bearer credentials: anyone who copies one can use it. You can store the client IP address in a JWT and validate it on each request, but that prevents clients from roaming from, say, Wi-Fi to cellular.
