JWT is a simple authentication protocol, Oauth is an authentication framework.

JWT 是一个简单的认证协议，Oauth 是一个认证框架。

An experienced developer will take about a month to fully understand and implement Oauth. An experienced developer can pick up the JWT protocol in about a day of reading the specifications. So basically, it boils down to your specific use-case.

经验丰富的开发人员需要大约一个月的时间才能完全理解和实施 Oauth。有经验的开发人员可以在阅读规范的大约一天内掌握 JWT 协议。所以基本上，它归结为您的特定用例。

If you want simple stateless http authentication to an api, then JWT is just fine and relatively quick to implement, even for a novice developer.

如果您想要对 api 进行简单的无状态 http 身份验证，那么 JWT 就很好并且实现起来相对较快，即使对于新手开发人员也是如此。

A few JWT resources for you:

为您提供一些 JWT 资源：

• http://jwt.io/
• https://auth0.com/docs
• http://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs

• http://jwt.io/
• https://auth0.com/docs
• http://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs

And an Oauth resource:

还有一个 Oauth 资源：

• http://tutorials.jenkov.com/oauth2/overview.html

• http://tutorials.jenkov.com/oauth2/overview.html

JWT stands for JSON Web Token as the name suggest it is only a token for transferring secured data among two parties, that is client and server.

JWT 代表 JSON Web Token，顾名思义，它只是用于在客户端和服务器两方之间传输安全数据的令牌。

Oauth2 on other had is a set of rules or a procedure commonly called a framework that help to authenticate and authorize two parties to transfer secured data.

另一方面，Oauth2 是一组规则或程序，通常称为框架，可帮助验证和授权两方传输安全数据。

Following diagram will explain how oauth2 works

下图将解释 oauth2 的工作原理

Here is a more detailed explanation of the steps in the diagram:

以下是对图中步骤的更详细说明：

1. The application requests authorization to access service resources from the user
2. If the user authorized the request, the application receives an authorization grant
3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant
4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
5. The application requests the resource from the resource server (API) and presents the access token for authentication
6. If the access token is valid, the resource server (API) serves the resource to the application

1. 应用向用户请求访问服务资源的授权
2. 如果用户授权了请求，应用程序会收到授权许可
3. 应用程序通过提供自己身份的身份验证和授权许可，从授权服务器 (API) 请求访问令牌
4. 如果应用程序身份已通过身份验证并且授权许可有效，则授权服务器 (API) 会向应用程序颁发访问令牌。授权完成。
5. 应用程序从资源服务器 (API) 请求资源并提供访问令牌以进行身份​​验证
6. 如果访问令牌有效，则资源服务器 (API) 将资源提供给应用程序

Both these can be used together in transferring secure data.

这两者可以一起用于传输安全数据。

Where JWT come into play in 3rd 6th steps of oauth2

JWT 在 oauth2 的第 3 6 步中发挥作用的地方

JSON Web Token (JWT)is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

JSON Web Token (JWT)是一种开放标准 (RFC 7519)，它定义了一种紧凑且自包含的方式，用于在各方之间作为 JSON 对象安全地传输信息。由于此信息经过数字签名，因此可以验证和信任。JWT 可以使用秘密（使用 HMAC 算法）或使用 RSA 的公钥/私钥对进行签名。

OAuth 2.0is protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification is being developed within the IETF OAuth WG.

OAuth 2.0是授权协议。OAuth 2.0 取代了在 2006 年创建的原始 OAuth 协议上所做的工作。OAuth 2.0 专注于客户端开发人员的简单性，同时为 Web 应用程序、桌面应用程序、移动电话和客厅设备提供特定的授权流程。该规范正在 IETF OAuth WG 内开发。

- The OAuth We have different types of tokens.

- OAuth 我们有不同类型的令牌。

1) WS-Security tokens, especially SAML tokens

1) WS-Security 令牌，尤其是 SAML 令牌

2) JWT tokens

2) JWT 代币

3) Legacy tokens

3) 传统代币

4) Custom tokens

4) 自定义代币

The most important thing to understand when comparing JWT and OAuth2, is that they are not alike. Or even incompatible.

比较 JWT 和 OAuth2 时要了解的最重要的事情是它们不同。甚至不兼容。

JWT is an authentication protocolThis means it is a strict set of instructions for the issuing and validating of signed access tokens. The tokens contain claims that are used by an app to limit access to a user.

JWT 是一种身份验证协议，这意味着它是一组严格的指令，用于发布和验证已签名的访问令牌。令牌包含应用程序用来限制用户访问的声明。

**OAuth2 is an Authorization Framework ** OAuth2 on the other hand is a framework, think very detailed guideline, for letting users and applications authorize specific permissions to other applications in both private and public settings.

**OAuth2 是一个授权框架 ** 另一方面，OAuth2 是一个框架，认为非常详细的指南，用于让用户和应用程序在私有和公共设置中向其他应用程序授权特定权限。

Few good links:

几个不错的链接：

• [1]: https://community.apigee.com/questions/21139/jwt-vs-oauth.html

• [2]: https://youtu.be/XGmUlyggXVo

• [3]: http://www.seedbox.com/en/blog/2015/06/05/oauth-2-vs-json-web-tokens-comment-securiser-un-api/

• [1]：https: //community.apigee.com/questions/21139/jwt-vs-oauth.html

• [2]：https: //youtu.be/XGmUlyggXVo

• [3]：http: //www.seedbox.com/en/blog/2015/06/05/oauth-2-vs-json-web-tokens-comment-securiser-un-api/