Hi Nathaniel,

Let's make one thing clear first:

OAuth is for authorization, *not* for authentication. OAuth 2.0 can form the basis of OpenID Connect, which in turn is for authentication. To understand the difference, read these pages:

- https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611
- https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc

Now that we have that out of the way, I'm going to give my 2 cents:

JWT is one type of token. Ultimately OpenID Connect also gives you a token. So the question is really sessions vs tokens.

With sessions, your application has full control over the validity of the session. With tokens, you're supposed to trust the validity of the token for the validity period specified in the token.

With tokens, your client usually needs to attach the token in an Authorization header in the HTTP request. With sessions, the session ID is usually stored in the cookie, and it's usually automatically sent with each HTTP request; no other data needs to be specifically attached or sent.

Tokens can get quite large; you don't want to be shuttling the token back and forth for every request. One recommended practice is to use the token to exchange for a Django session, and then just keep using the session afterwards.

Best Regards,
Kal

On Tue, 31 Dec 2019 at 12:33, nathaniel suarez <nate.suare...@gmail.com> wrote:

> which authentication is best to use and secure? sessions, tokens, oauth or
> jwt
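The token-for-session exchange described in the reply above, as an added sketch that is not part of the original thread and is not Django or Django REST framework code. It uses only the Python standard library; the signing key, the in-memory store and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"   # constructed signing key for this example
SESSIONS = {}                      # server-side session store: id -> record

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, ttl, now=None):
    """Mint an HS256 JWT (stands in for the identity provider)."""
    now = time.time() if now is None else now
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify_token(token, now=None):
    """Return the claims, or None if the signature, alg or expiry check fails."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return None
    return claims if claims.get("exp", 0) > now else None

def exchange_for_session(token, now=None):
    """Verify the token once, then hand back a short opaque session id."""
    claims = verify_token(token, now)
    if claims is None:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": claims["sub"]}
    return sid

def session_user(sid):
    record = SESSIONS.get(sid)
    return record["user"] if record else None

def revoke(sid):
    SESSIONS.pop(sid, None)   # takes effect on the very next request
```

Revoking the session ends access immediately, while the token that created it still verifies until its `exp` passes, which is the control difference between the two that the reply points out.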