
I am trying to understand the difference between Cookies; Bearer and JWT specifically in a .NET Core context. I have spent a few days reading up on this.

My research is telling me that Cookies and Bearer are alternative authentication mechanisms, which are both represented as JWT.

Is it fair to say that .NET Core web applications should use Cookies and .NET Core Web APIs should use Bearer? The reason I ask is because every single example I have looked at for Bearer (in a .NET Core context) uses Web API and every single example I have looked at for Cookies (in a .NET Core context) uses web applications. I can understand this because my research tells me that cookies are most suited for web apps (which use browsers - best for cookies), however Web APIs can be consumed by non-browser apps (therefore Bearer is more suitable).

Have I understood this correctly?

I have looked at many other questions today similar to this e.g. this one: JWT vs cookies for token-based authentication. However, none have answered my specific question - Would Cookies ever be used for Web APIs and would Bearer tokens ever be used for web applications?

w0051977
  • I store the JWT token in a cookie (can also be local storage) and when I make a request to a controller that has the authorisation attribute, I create a request with the "Authorization" header with the value of the token. Regarding your question however, you can secure an API application using cookies: https://www.blinkingcaret.com/2018/07/18/secure-an-asp-net-core-web-api-using-cookies/ – Daniaal Jul 27 '19 at 19:16
  • @Daniaal, thanks. Can you secure a web app (not api) with bearer? That is more my question. – w0051977 Jul 27 '19 at 19:31
  • As far as I am aware, it would be cookies. Typically bearer tokens such as JWT are associated with Web API authentication. – Daniaal Jul 27 '19 at 21:15

1 Answer

A bearer token is a type of access token. The notion of a bearer token was popularized by OAuth:

Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).

Translation: you don't have to prove your identity to access a resource, the bearer token is enough to get you in.

JWT is a format for representing claims with rules regarding encoding, content and so on; it can be used as a bearer token. A cookie is a way of managing state in HTTP. The cookie could contain a JWT or a more generic flavor of a bearer token or it could contain none of the above.

Could one use cookies for authorizing access to REST APIs? (.NET Core Web APIs are REST APIs). The answer is yes - it's technically possible. Here's an old but still decent discussion on the subject (+a more recent and specific Q&A).

Could a bearer token be used for authorizing access to a web app, presumably in an interactive scenario with a human wielding a user agent? Again the answer is yes - it's possible. If the web app is designed to do so, it could serve a protected resource if you send your bearer token in, say, an Authorization header. No cookies are involved. The first half of this blog is a good discussion on session-based (cookies) vs token-based (stateless) authentication options in a webapp.

identigral
  • Could you clarify what you mean by "a human yielding a user agent" and "an interactive scenario". – w0051977 Jul 28 '19 at 06:50
  • User launches a web browser on their desktop, navigates to https://blah.my.webapp.com, enters their credentials and logs in. This is "a human wielding a user agent in an interactive scenario". – identigral Jul 28 '19 at 07:10
  • OK, but that is how any website works? Also where would the bearer token be stored? The way I see it is that cookies have to be used for the web app side, but I could be missing something? – w0051977 Jul 28 '19 at 07:32
  • Cookies are usually used by webapps for session management, yes. You asked about bearer tokens instead of cookies. See the linked blog for how it could work. – identigral Jul 28 '19 at 08:03
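As an added example (not code from the question, the answer, or the linked blog), this .NET 6+ `Program.cs` shows that one ASP.NET Core app can accept both: a cookie session for browser users and a JWT bearer token for non-browser clients, with a policy scheme choosing per request based on the `Authorization` header. The signing key, issuer, audience and the `/protected` endpoint are assumed placeholder values.

```csharp
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;   // NuGet: Microsoft.AspNetCore.Authentication.JwtBearer
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder: in a real deployment the key comes from configuration/secret store, never source.
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(
    builder.Configuration["Jwt:Key"] ?? "PLACEHOLDER-DEV-ONLY-KEY-AT-LEAST-32-BYTES-LONG"));

builder.Services
    .AddAuthentication("CookieOrBearer")
    // Policy scheme: forward each request to the cookie or the bearer handler.
    // A browser session sends a cookie; an API client sends "Authorization: Bearer <jwt>".
    .AddPolicyScheme("CookieOrBearer", "Cookie or Bearer", options =>
    {
        options.ForwardDefaultSelector = ctx =>
            ctx.Request.Headers["Authorization"].ToString()
               .StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)
                ? JwtBearerDefaults.AuthenticationScheme
                : CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.LoginPath = "/login";                     // browser flow: challenge = redirect
        options.Cookie.HttpOnly = true;                   // not readable by page script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;       // cookies are sent automatically, so
        // state-changing cookie-authenticated endpoints still need antiforgery protection.
    })
    .AddJwtBearer(options =>                              // API flow: challenge = 401
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",       // assumed value
            ValidAudience = "my-app",                     // assumed value
            IssuerSigningKey = signingKey,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Same protected resource served to either kind of client.
app.MapGet("/protected", (ClaimsPrincipal user) => Results.Ok(new { name = user.Identity?.Name }))
   .RequireAuthorization();
app.Run();
```

A request carrying a valid session cookie and one carrying a valid JWT in the `Authorization` header both reach `/protected`; a request with neither is redirected to `/login` (cookie handler) or, if it sent a malformed bearer token, gets a 401 (bearer handler).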