Read this earlier post on Web Services Security.

There are a couple of major differences between a token and a certificate.

Tokens are essentially a symmetric key. That means the same key has to be on both the client and the server to be able to authenticate users.

Token Based Authentication

If you understand session-based authentication, you almost understand token-based authentication. Both sessions and tokens impose 'state' onto a normally stateless HTTP request. That state records what the end user is authorized to access.

With session authentication, the user state is handled on the server-side.

With tokens, the state is managed on the client-side. 

This also makes tokens more susceptible to hacking.

How and where is the token generated?

Like the session id, the JWT (JSON Web Token) is generated on the server (using a private key on the server). It is sent to the browser client, which stores it and re-sends it with future requests in the Authorization header:

{
  method: GET,
  headers: {
    "Authorization": "Bearer ${JWT_TOKEN}"
  }
}
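The token flow described above, as an added Go example that is not code from the original post: the server mints an HS256 JWT with a shared secret, the client presents it in a Bearer header, and the server verifies it by recomputing the HMAC with its own copy of that secret. The secret, the subject and the roles claim are constructed values for the demo; only the Go standard library is used.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the state the token carries on the client side.
// sub and exp are registered JWT claim names; roles is a constructed custom claim.
type Claims struct {
	Subject string   `json:"sub"`
	Roles   []string `json:"roles"`
	Expires int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Mint builds an HS256 JWT. The same secret must be present on the server
// that later verifies it: this is the symmetric-key property of tokens.
func Mint(secret []byte, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// Verify recomputes the MAC with the server's copy of the secret, compares it
// in constant time, and checks expiry. The alg header is pinned to HS256 so a
// token that claims "none" or some other algorithm is rejected outright.
func Verify(secret []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Expires {
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-demo-secret-change-me") // shared by both sides
	now := time.Unix(1_700_000_000, 0)
	tok, _ := Mint(secret, Claims{Subject: "alice", Roles: []string{"reader"}, Expires: now.Add(time.Hour).Unix()})
	fmt.Println("Authorization: Bearer " + tok)
	if c, err := Verify(secret, tok, now); err == nil {
		fmt.Println("accepted:", c.Subject, c.Roles)
	}
	// Editing the payload (here: granting "admin") changes the signing input,
	// so the MAC computed by the server no longer matches and the token is refused.
	parts := strings.Split(tok, ".")
	parts[1] = b64([]byte(`{"sub":"alice","roles":["admin"],"exp":` + fmt.Sprint(now.Add(time.Hour).Unix()) + `}`))
	_, err := Verify(secret, strings.Join(parts, "."), now)
	fmt.Println("tampered token rejected:", err)
}
```

Because the whole authorization state travels with the client, the server's only defence against a modified token is the MAC check; the example therefore compares with hmac.Equal and refuses any token whose header does not name the expected algorithm.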

Certificate Based Authentication

Certificates use an asymmetric pair of keys (as opposed to the symmetric keys used by token-based encryption). Certificates are based on public-key cryptography. The client keeps possession of the private key, which is never shared with anyone else.

The public key is sent to the Certificate Authority to be signed and stamped into a certificate (which also contains an encrypted PRIVATE key of the CA).

The server challenges the client to prove its identity -> the client signs a 'challenge response' using its own private key -> the server checks that it was indeed signed by the client, using the client's public key to decrypt the signed 'challenge response'.

In whole-message security (e.g. WS-Security), instead of signing just a 'challenge', the client signs the entirety of the message sent by the server. (The exact flow, using WCF in .NET, is described in detail here.)
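The challenge-response flow above, and the WS-Security variant that signs the whole message, written out as an added Go example (not code from the original post, and not the WCF flow it links to): a constructed demo CA issues the client a certificate over the client's public key, the server sends a random challenge, the client signs it with its private key, and the server verifies first that the certificate chains to the CA it trusts and then that the signature checks out under the public key in that certificate. The names NewCA, NewClient and "Demo CA" are assumptions made for this example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is one party's key pair plus its certificate. The private key
// never leaves the party that generated it.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue creates a certificate over pub from tmpl, signed with the parent's key.
// For the self-signed CA, parent == tmpl and signer is the CA's own key.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA makes a self-signed demo CA (constructed for this example).
func NewCA() (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return &Identity{Key: key, Cert: cert}, err
}

// NewClient generates the client's key pair and has the CA sign a certificate
// over the client's public key only; what the certificate carries from the CA
// is the CA's signature.
func NewClient(ca *Identity, name string) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, ca.Cert, &key.PublicKey, ca.Key)
	return &Identity{Key: key, Cert: cert}, err
}

// NewChallenge is the server's random nonce. A fresh nonce per attempt means a
// captured response is useless for any later attempt.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// SignChallenge is the client side: sign the challenge bytes (or, as in
// WS-Security, the entire message) with the private key.
func SignChallenge(client *Identity, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, client.Key, digest[:])
}

// VerifyResponse is the server side: check that the presented certificate
// chains to a trusted root, then check the signature with the public key taken
// from that certificate. Returns the authenticated subject name on success.
func VerifyResponse(roots *x509.CertPool, cert *x509.Certificate, data, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("signature does not verify")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewCA()
	client, _ := NewClient(ca, "alice")
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	challenge, _ := NewChallenge()
	sig, _ := SignChallenge(client, challenge)
	who, err := VerifyResponse(roots, client.Cert, challenge, sig)
	fmt.Println("authenticated as:", who, "err:", err)
}
```

Note the order in VerifyResponse: the chain check runs before the signature check, so a certificate issued by a CA the server does not trust is refused before its public key is ever used, and a signature captured from one exchange fails on the next because the challenge bytes differ.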

Summary

Both Certificate based and token based authentication have important uses in today’s authentication flows. This post tries to clarify some key differences between the two.


Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Written by Anuj Varma for Anuj Varma, Hands-On Technology Architect, Clean Air Activist.