HTTPS or JWT for authentication?

I'm going to implement my authentication method using JWTs in Node.js. I was searching a while for different methods of authentication and finally decided to use JWTs. However, I am confused about JWT-based authentication.

Here's my question: Should we send our JWT over HTTPS? If yes, then why should we use JWT at all? And why not send all the needed information over HTTPS without JWT?

In other words, when there are security issues without HTTPS (like a man-in-the-middle attack), what is the reason for using JWT for authentication purposes? Is there any other authentication approach which works perfectly without using HTTPS?

Shahin Ghasemi asked Oct 18 '25 10:10


2 Answers

Here you are mixing two different protocol levels.

HTTPS (or rather TLS - transport level security) is a transport layer: a data transport pipe ensuring you communicate with a legitimate server and that nobody could read or change the data exchanged. HTTPS doesn't care about the data itself (e.g. authentication).

JWT is commonly used as part of the payload (data itself) describing client's identity and other attributes.

Most commonly you need both - JWT to ensure authentication or authorization and TLS/HTTPS to ensure that nobody could steal or change your JWT token or data.

HTTPS could provide client authentication, but the client needs to have its own client keypair and certificate, which is not really free or easy to manage (e.g. this is how electronic ID cards work, or I see it often in server-to-server scenarios).

gusto2 answered Oct 20 '25 23:10


To expand on @gusto2

JWT and HTTPS accomplish different goals. There are three major components of security systems:

  • C - Confidentiality - Is data secure from outsiders reading it?
  • I - Integrity - Is data secure from outsiders tampering with it?
  • A - Authenticity - Is data sent from the proper person?

HTTPS ensures confidentiality and integrity. JWT helps with authenticity. However, it is your job to ensure that tokens are valid. This is not provided out of the box.

Daniel answered Oct 21 '25 00:10
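
The validation that the answer above says is "not provided out of the box", as an added example that is not part of either answer: an HS256 check in Node.js using only the built-in `crypto` module. The helper names `signJwt` and `verifyJwt`, the secret and the claims are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Issue a token (what the server does after a successful login).
function signJwt(payload, secret, header = { alg: 'HS256', typ: 'JWT' }) {
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = createHmac('sha256', secret).update(signingInput).digest('base64url');
  return `${signingInput}.${sig}`;
}

// Validate a token on every request: structure, algorithm, signature, expiry.
function verifyJwt(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [headerB64, payloadB64, sigB64] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm on the server; a token must not choose its own (e.g. "none").
  if (header?.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  // Recompute the MAC over header.payload and compare in constant time.
  const expected = createHmac('sha256', secret).update(`${headerB64}.${payloadB64}`).digest();
  const given = Buffer.from(sigB64, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Only trust claims after the signature checks out; require an unexpired "exp".
  if (typeof payload?.exp !== 'number' || payload.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, payload };
}

// Constructed demo values (not from the page).
const SECRET = 'demo-secret-change-me';
const token = signJwt({ sub: 'user-42', exp: 2000000000 }, SECRET);
console.log(verifyJwt(token, SECRET, 1900000000)); // accepted
const [h, , s] = token.split('.');
const tampered = `${h}.${b64url(JSON.stringify({ sub: 'admin', exp: 2000000000 }))}.${s}`;
console.log(verifyJwt(tampered, SECRET, 1900000000)); // rejected: payload no longer matches signature
```

The signature only proves the token was issued by the holder of the secret and has not been altered; anyone who captures a valid token can replay it until it expires, which is why it still has to travel over HTTPS.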


