November 27, 2020

JWT vs SAML vs SWT

Comparison of JSON Web Tokens (JWT), Simple Web Tokens (SWT), and Security Assertion Markup Language Tokens (SAML).

As JSON is less verbose than XML, when it is encoded its size is also smaller, making JWT more compact than SAML. This makes JWT a good choice to be passed in HTML and HTTP environments.

Security-wise, SWT can only be symmetrically signed by a shared secret using the HMAC algorithm. However, JWT and SAML tokens can use a public/private key pair in the form of a X.509 certificate for signing. Signing XML with XML Digital Signature without introducing obscure security holes is very difficult when compared to the simplicity of signing JSON.

JSON parsers are common in most programming languages because they map directly to objects. Conversely, XML doesn’t have a natural document-to-object mapping. This makes it easier to work with JWT than SAML assertions.

Regarding usage, JWT is used at Internet scale. This highlights the ease of client-side processing of the JSON Web token on multiple platforms, especially mobile.

JWT

Web Tokens (JWT)

  • asymmetric public/private cert
  • small = great for mobile
  • JSON parsers are common in most programming languages because they map directly to objects and models in MVC

SAML

Security Assertion Markup Language Tokens

  • asymmetric public/private cert

SWT

Simple Web Tokens (SWT)

  • can only be symmetrically signed by a shared secret using the HMAC algorithm