So why should I use JSON Web Tokens?
I thought that this was a really interesting question, and the response was not immediately obvious to me, so I thought it worth exploring a bit more. Here's my perspective...
In choosing to use JSON Web Tokens (JWT) you're choosing not to use the alternatives, i.e. Security Assertion Markup Language (SAML) tokens or Simple Web Tokens (SWT). So the benefits, in my mind at least, need to be weighed against those alternatives, and in the context of the use case.
The Security Perspective - JWT and SAML tokens can both be signed with public/private key pairs and X.509 certificates, so there's little obvious difference between them on that front. SWT, on the other hand, is limited to symmetric pre-shared secrets with HMAC: every party that needs to verify a token must hold the same secret, which is a scalability problem.
Processing Perspective - JSON tends to be a smaller payload when encoded, which makes a JWT more compact than a SAML token. The smaller size makes it easier to transport and consume.
Client-side Perspective - Processing a JWT, especially on mobile devices, is straightforward given the availability of JSON parsers on numerous platforms and devices. This isn't the case for SAML.
Did I miss anything? Feedback appreciated...
Software Engineering Manager | ASP.NET Core | C# | NodeJs | Angular
8 years ago: I agree with Michal.
Senior Director, Shared Services at Eutelsat Group
8 years ago: Yes, you missed something (kind of covered by Michal): maturity. It can take a *very* long time before the security wrinkles are ironed out of a new technology - will JSON be around long enough for its security bolt-ons to become mature? Or will some newfangled thing come along before then?