HTTPS or JWT for authentication?

I'm going to implement my authentication method using JWTs in Node.js. I was searching a while for different methods of authentication and finally decided to use JWTs. However, I am confused about JWT-based authentication.

Here's my question: Should we send our JWT over HTTPS? If yes, then why should we use JWT at all? And why not send all needed information over HTTPS without JWT?

In other words, when there are security issues without HTTPS (like a man-in-the-middle attack), what is the reason for using JWT for authentication purposes? Is there any other authentication approach which works perfectly without using HTTPS?



Solution 1:[1]

To expand on @gusto2

JWT and HTTPS accomplish different goals. There are three major components of security systems:

  • C - Confidentiality - Is data secure from outsiders reading it?
  • I - Integrity - Is data secure from outsiders tampering with it?
  • A - Authenticity - Is data sent from the proper person?

HTTPS ensures confidentiality and integrity. JWT helps with authenticity. However, it is your job to ensure that tokens are valid. This is not provided out of the box.

Solution 2:[2]

"And why not send all needed information over HTTPS without JWT?"

I think the main point is that RESTful or API-based interaction is stateless. So in every interaction the server needs to get the token to know the authenticity. And to know that all requests are coming from a logged-in, authentic user, it needs to get the same JWT.

Hence the answer to the question in the OP, as Daniel said, is: for authenticity.

In a normal form-based request we do not use a token. Why? Because it is stateful and we save information in the session or cookies. But APIs are stateless, so some token needs to be sent.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 dowonderatwill