I'm learning the purpose of JWT tokens in ASP.NET Core, but I don't understand one thing. Why does every blog call JWT "authentication"? We pass a token to an already authenticated (logged-in) user. I mean, why is JWT not authorization but authentication? I can't understand which point I'm skipping in this topic.
CodePudding user response:
In a typical implementation, the JWT token that you create for a signed-in user will be sent with every subsequent request. The purpose is that you want to make sure that the party that sends the request is actually who they are claiming to be, i.e. you want to authenticate requests.
Strictly speaking, without this, you could not do authorization, or well, you could, but it wouldn't make much sense if you just believed who the caller was instead of checking (authenticating).
CodePudding user response:
JSON Web Token (JWT) is called authentication because it is commonly used for authenticating users. JWT is a type of token-based authentication that uses a signed and encoded JSON object to identify a user and to verify their identity.
When a user logs into an application or website, the server generates a JWT and sends it to the user's browser. The JWT contains information about the user, such as their user ID, their role, and their permissions. The JWT also contains a digital signature that is used to verify the authenticity of the token.
When the user makes a request to the server, they include the JWT in the request header. The server then verifies the JWT using the digital signature to ensure that it has not been tampered with. If the JWT is valid, the server trusts that the user is who they claim to be and grants them access to the requested resources.
This process of generating, sending, and verifying JWTs is called authentication, because it is used to authenticate the user's identity and to grant them access to the protected resources on the server. JWT is called authentication because it is a common and effective way of implementing authentication for web applications and APIs.
CodePudding user response:
JWT tokens are used for authentication and authorization. When a user logs in to an application using their credentials, the application generates a JWT token and sends it back to the user. This token contains information about the user, such as their user id and other claims, and is signed by the application.
The user can then use this token to authenticate themselves to the application for subsequent requests. The application can verify the token to ensure that it is valid and has not been tampered with.
In addition to authentication, JWT tokens can also be used for authorization. The claims in the token can be used to determine what actions the user is allowed to perform within the application. For example, the token may contain a claim indicating that the user has admin privileges, which the application can use to grant the user access to admin-only functionality.
So, while JWT tokens are primarily used for authentication, they can also be used for authorization.
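As an added example (not code from the question or any of the answers), here is a minimal Python sketch of the two steps the answers distinguish: authenticating a request by verifying an HS256 JWT's signature and expiry, and then authorizing it by checking a role claim. The secret key, claim names, and status codes are constructed for the demo and are not from the original page.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: server-side HMAC signing key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Login step: server signs the user's claims and hands back the JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def authenticate(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Authentication: prove the token was issued by us and is unexpired.
    Returns the trusted claims, or None if the caller cannot be trusted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject alg=none / algorithm confusion
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # signature mismatch: tampered payload or foreign key
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims

def authorize(claims: dict, required_role: str) -> bool:
    """Authorization: given an authenticated identity, decide if it may do this action."""
    return required_role in claims.get("roles", [])

def handle_admin_request(token: str, now: Optional[float] = None) -> int:
    """HTTP-style outcome: 401 = who are you? (authn), 403 = not allowed (authz), 200 = ok."""
    claims = authenticate(token, now=now)
    if claims is None:
        return 401
    if not authorize(claims, "admin"):
        return 403
    return 200
```

Note that a 403 is only possible after a 401 check passed: authorization decisions are meaningless until the caller's identity has been authenticated.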