Django: DRF Token Based Authentication VS JSON Web Token
I am creating a real world application where users will access the application mainly from Android, iOS devices as well as desktop computers.
From my rudimentary research, I realized that the token-based authentication mechanism is superior and elegant for client-server models compared to session-based authentication.
In Django, I have found two popular ways to do this -
- http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
- http://getblimp.github.io/django-rest-framework-jwt/
From what I understood, option 2] is an extension of 1], except that the token is in JSON form (serialized). I would like to understand what other differences exist between option 1] and 2] and the advantages / disadvantages of choosing.
They both perform similar tasks with minor differences.
Token

Built-in DRF Token Authentication
- One token for all sessions
- No timestamp on the token

DRF JWT Token Authentication
- One token per session
- Expiration timestamp in each token

Database access

Built-in DRF Token Authentication
- Database access to retrieve the user associated with the token
- Check user status
- User authenticated

DRF JWT Token Authentication
- Decode token (get payload)
- Check token timestamp (expiration)
- Database access to retrieve the user associated with the id in the payload
- Check user status
- User authenticated

Pros

Built-in DRF Token Authentication
- Allows you to force a logout by replacing the token in the database (for example, on password change)

DRF JWT Token Authentication
- Expiration is built in
- No database hit if the token is invalid

Cons

Built-in DRF Token Authentication
- Database hit on every request
- Single token for all sessions

DRF JWT Token Authentication
- Cannot revoke a token without tracking it in the database
- Once the token is issued, anyone holding the token can make requests
- Specification is open to interpretation, no consensus on how to update tokens
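To make the trade-offs above concrete, here is an added, self-contained Python sketch (not code from DRF, the JWT package, or the answer) that models both designs: an opaque token that needs a table lookup on every request but can be revoked by deleting a row, and an HMAC-signed JWT-style token that carries its own expiry, is rejected before any lookup when invalid, and cannot be revoked unless you reintroduce a server-side denylist. The signing key and the in-memory "tables" are constructed stand-ins for the real database.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-signing-key"  # assumption: server-side key, never sent to clients

# --- Built-in DRF-style token: opaque, one per user, stored server side ---
TOKEN_TABLE = {}  # token -> user id; stands in for the authtoken table

def issue_opaque_token(user_id):
    token = secrets.token_hex(20)
    TOKEN_TABLE[token] = user_id
    return token

def auth_opaque(token):
    # every request costs a database lookup; revocation is just deleting the row
    return TOKEN_TABLE.get(token)

def revoke_opaque(token):
    TOKEN_TABLE.pop(token, None)

# --- JWT-style token: self-contained payload + HMAC-SHA256 signature, with expiry ---
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def issue_jwt(user_id, ttl_seconds, now=None):
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"user_id": user_id, "exp": now + ttl_seconds}).encode())
    sig = _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())
    return (payload + b"." + sig).decode()

DENYLIST = set()  # only needed to revoke JWTs early; this brings the database hit back

def auth_jwt(token, now=None):
    now = time.time() if now is None else now
    try:
        payload, sig = token.encode().split(b".")
    except ValueError:
        return None  # malformed: rejected without touching any store
    expected = _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered: rejected before any lookup
    data = json.loads(base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4)))
    if data["exp"] <= now:
        return None  # expired: the token itself says so, no lookup needed
    if token in DENYLIST:
        return None  # revoked: only catchable because we track it server side
    return data["user_id"]  # from here a real app would still load the user row
```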