Difference "Login/Register" and JWT Authentication?
Hey, I am very new to this kind of stuff, and I have a question.
What exactly is the difference between a "login/register" process and JWT authentication?
And why do some people use them both?
apples and pears
login/register is the actual process of... logging in and registering
JWT authentication is one of many options you can use to authenticate your user, after they have logged in
i.e., how do you know if a user has logged in? What information do they have that they can use to prove their identity?
the classic answer is a cookie
but cookies can't be trusted, so you'll read that value and compare it to some other value you have, maybe in a database, and that's how you tell
this means you do a database call for every single request that user makes, just to check if they are who they claim they are
JWTs are an attempt at a solution for that: you give the user a long, partially signed JSON blob that you then base64 encode
the user then attaches that string to all their requests. Now here is the important part: that string contains info about the user
and because it's partially signed, you can check that the original content has not been modified by the user, and as long as it's not modified, you can trust the data inside it
that usually includes user identity, but also what access levels and permissions they have
so no database call needed. Everyone happy, yeah?
problem: JWTs can't be easily revoked
what if a user logs in, let's say their token lasts 4 hours
and then you want to ban the user
but they already have a valid token that lasts 4 hours. They can't get a new one, as they have been banned, but the current one can't be revoked without actually checking a revocation list on every request...
and we're back at square one
But if someone logs into MY account, then he will get the JWT token anyway, so what's the point of implementing the "authentication" part?
to log in to your account, he would need your username and password
hopefully those are not public knowledge
Yes, but I still don't really get what we need the JWT for. I mean, I can just check at the beginning if the username and password are the correct ones and let him in
"let him in"
how do you actually do that?
do they have to submit username and password for each and every request?
just at the beginning and then they have access to the whole web app for example
until they logout
right, but how do you know they are logged in?
and who they are logged in as
true, you wouldn't know it then
there is no way to know it if you do it as I said
so you just have "JSON" in that token, and there is maybe, idk, a username
and he uses it for every request
ignore tokens and stuff for now
here is a crappy drawing
so, we go to login and type in our email and password. Let's say that it's valid and the correct login information for an admin
what must the server do now?
we must give the user something they can use to prove their identity
oh
so you know what "permissions" each user has
or am i wrong
maybe, but not necessarily
do you know what a cookie is in HTTP terms?
I only know that a server sends data to the client, and it gets saved
and they don't really have to log in again, for example, so I guess it saves kind of user data
ok so the basic flow is...
Client sends a request to the server. This contains a bunch of non-content info we usually call "headers", and then it contains an optional "body"
here is an example:
alright
soooo
cookies are... weird.
as part of a server response, the server can ask the client to "save some data, and then send it back to me in all requests to my domain"
I see, so the user doesn't have to do it every time
yeah
alr
Ah okay
so the classic way of doing authentication is to use a cookie
usually, we just write down some long random value there
and if the user has a valid cookie, we take that value and look in the database/session cache for it
imagine a dictionary
Dictionary<string,User>
almost
where if we get a hit, we know who the user is, without them being able to change it manually
it's not a username, so they can't edit it
I understand (I have 1 more question, but have to finish a task rq)
btw u should be my teacher at my school rn 😂
So lets say I have a webapp for writing down notes.
There is a login system; if the user logs in, they get a "cookie", and with that cookie we know where we should save the taken notes in the database and which notes we show the user.
did I roughly understand it? :p
yes, but you skipped a step
that cookie uniquely identifies the user, so we can, by looking at that cookie, tell who the user is
when we save the notes, we associate them with that user's
UserId
for example
I see
so the JWT is in the cookie?
no, this doesn't involve JWTs at all
err
fix'd
this was classic cookie-based authentication
ah okay
JWTs are different but similar
its still some text the client must send to the server
but instead of just being a random value, it contains a bunch of signed information, like permissions etc
this means we don't need to look it up in the database at the start of every request
so its more efficient
yeah, especially if you don't care about revocation
alright
The big benefit of JWTs is for microservices or other distributed systems though
because you can check that the token is valid without having access to the user database
Is there a max storage for a JWT?
yeah
so basically I got a project from my school where I should create a webapp (.NET Core & React) with a user-login system.
my teacher said I could use JWT for it. And then I started reading and kind of mixed everything and I didn't really know what to do. :p
So I will start my project today; the first step would then be a login page and saving the credentials, and after that an authentication system (cookie, JWT or whatever)
.NET Core has a "plugin" package called Identity that does most if not all of this for you
Ah that would help
I am doing a similar project like this "note webapp" example we talked about
I just need a user. The user saves stuff on the webapp and thats pretty much it
note that identity doesn't have a way to issue JWTs out of the box as far as i know
it has a token option, but they aren't JWTs specifically
true
(it doesn't mean you can't use JWTs with identity but you'd have to write the code to create them yourself)
oh, I see
thank you
you don't specifically need JWTs for this project though
their unique ability of being proven valid without having access to the database isn't a problem for you 😛
since this isn't a distributed system you are making
Well we will continue building the webapp and in the end it will be used by students xddd
Are there any good docs for implementing authorization/authentication? Since it will be my first project, I should do it correctly, no matter what I use
is the requirement to implement it on your own or can you use something that already exists?
I don't have a requirement like that; at the end it should just work and I should know how it "works" and explain it.
oh thats great
Does the implementation change dependent on what I use for frontend?
depends on what you mean by frontend
react vs vue vs some other JS framework, no
not having a js framework at all, maybe
I use react
have to use react*
My friend had like 2 different projects 1 for Backend and 1 for Frontend.
But there is a template in VS with 1 project for backend and frontend. Does it make a difference
no, if you're using react the backend and frontend are already "separate"
the difference is essentially whether you have an app that makes requests to an API or an app that returns HTML directly
I see, thank you
I will try to implement this https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-8.0 in my project ^^
Thank you for helping both of you! It really means a lot to me
And sorry if I asked "dumb" questions 😅
The React / ASP.NET Core template supports .NET 7, not 8 :(
that template is generally outdated btw
but you could prob create it and just update the 7 to an 8
is there a new template?
oh, i see