The JSON-based Identity Protocol Suite

An overview of the JSON-based identity protocol suite, including JWT, JWE, JWK, etc.

By Travis Spencer

Copyright © 2013 Twobo Technologies AB.

Overview of the Protocol Suite

JavaScript Object Notation (JSON): a data encoding format popularized by AJAX and REST

All of the specs are being defined in the IETF (they were later published in 2015 as RFC 7515 JWS, RFC 7516 JWE, RFC 7517 JWK, RFC 7518 JWA and RFC 7519 JWT)

Used to encode the OAuth 2.0 security model:
  ▪ Tokens (JWT)
  ▪ Signatures (JWS)
  ▪ Encryption (JWE)
  ▪ Keys (JWK)

The OAuth 2.0 Bearer Token spec binds it to OAuth

Basis of OAuth and OpenID Connect

Overview of JWT

JWT (pronounced "jot") is a lightweight token passed in HTTP headers and query strings (the query string is the weaker channel: a token placed there ends up in server logs, browser history and Referer headers)

Three basic sections: header, claims, signature

Akin to SAML tokens, but:
  ▪ Less expressive
  ▪ Fewer security options
  ▪ Encoded with JSON rather than XML, for compactness

JWT Token

Basic Layout & Wire Format

Header ▪ Claims ▪ Crypto

JWT = base64url(Header) + "." + base64url(Claims) + "." + base64url(Crypto)

Here "+" is string concatenation and base64url is the URL-safe base64 alphabet with the "=" padding removed. The Crypto segment is the JWS signature over the first two segments (for an encrypted JWT it is the JWE ciphertext instead), so a verifier must check it before trusting anything in the Claims segment.

Claims Section

Reserved (but optional) claim names:
  ▪ Expiration time (exp)
  ▪ Not before (nbf)
  ▪ Issued at (iat)
  ▪ Issuer (iss)
  ▪ Type (typ)
  ▪ Audience (aud)
(These are the names from the 2013 drafts. The published JWT spec, RFC 7519, registers iss, sub, aud, exp, nbf, iat and jti as claims and moves typ into the header.)

Public claim names: either registered in the IANA JWT claims registry, or made collision-resistant by prefixing them with a domain name, OID or UUID

Private claim names: any name not already in use, agreed between producer and consumer

A claim's value can be any JSON type

Because every reserved claim is optional, the verifier has to decide which of exp, nbf, iss and aud it requires and reject tokens that omit them, rather than treating a missing claim as "no restriction".

Overview of JWE

Used to encrypt JWTs

Supports symmetric and asymmetric encryption

Three basic sections: header, key, ciphertext

Plaintext may be signed first (sign, then encrypt)

Key management algorithms:
  ▪ RSA1_5
  ▪ RSA-OAEP
  ▪ ECDH-ES
  ▪ A128KW / A256KW
Content encryption algorithms:
  ▪ A128GCM / A256GCM
(RSA1_5 is PKCS#1 v1.5 padding; prefer RSA-OAEP, because v1.5 decryption is exposed to padding-oracle attacks whenever decryption errors are not handled uniformly.)

Ciphertext is put in the crypto section of the JWT

JWE

Basic Layout & Wire Format

Header ▪ Key ▪ Ciphertext

JWE = base64url(Header) + "." + base64url(Key) + "." + base64url(Ciphertext)

The Key segment is the content-encryption key, encrypted or wrapped under the recipient's key with the algorithm named in the header (it is empty for ECDH-ES direct key agreement). Note that the published JWE Compact Serialization (RFC 7516) has five segments rather than three: header, encrypted key, initialization vector, ciphertext and authentication tag.

Overview of JWK

A JWK set is an array of public keys, each encoded as a JSON object

Intended to be referenced from a JWS header so the verifier can locate the key for signature verification

Explicit support for Elliptic Curve and RSA keys

JWK Example

{
  "keyvalues": [
    {
      "algorithm": "EC",
      "curve": "P-256",
      "x": "…",
      "y": "…",
      "use": "encryption",
      "keyid": "1"
    },
    {
      "algorithm": "RSA",
      "modulus": "…",
      "exponent": "…",
      "keyid": "…"
    }
  ]
}

(Member names as in the 2013 draft. The published JWK spec, RFC 7517, renamed them: the set member is "keys", the key type is "kty", the curve is "crv", the RSA modulus and exponent are "n" and "e", the identifier is "kid", and "use" takes the values "sig" or "enc".)

Overview of JWS

Header input is the JWT header

Payload input is the JWT claims

Output is appended to the JWT inputs, and the header (optionally) points to the JWK that was used, via the kid, jku or jwk header parameters

Supports symmetric and asymmetric signing algorithms:
  ▪ HMAC with SHA-2 (HS256, HS384, HS512)
  ▪ RSA (RSASSA-PKCS1-v1_5) with SHA-2 (RS256, RS384, RS512)
  ▪ ECDSA with curves P-256 / P-384 / P-521 and SHA-2 (ES256, ES384, ES512)

The header's "alg" tells the verifier which algorithm the issuer used, but the verifier must decide which algorithms it accepts for a given key and reject anything else; trusting "alg" from the token is what makes "none" and HMAC-with-a-public-key confusion attacks possible.

JWS

Basic Layout & Wire Format

Header ▪ Payload ▪ Signature

Signing input = base64url(Header) + "." + base64url(Payload)

JWS = Signing input + "." + base64url(sig(Signing input))

The signature is computed over the ASCII bytes of the two already-encoded segments joined with ".", not over the decoded JSON, and is itself base64url-encoded to form the third segment.
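The following is an added example, not code from the slides, that puts the JWT wire format, the claims checks and the JWS signing formula above together using only the Python standard library: it mints an HS256 token, verifies it with the algorithm pinned on the verifier side, and shows three tokens a verifier must refuse (tampered payload, "alg": "none", expired). The key, issuer, audience and claim values are constructed for the demo, and the function names are mine rather than any library's.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data):
    # base64url without "=" padding, as JWS/JWT require.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign_hs256(header, payload, key):
    # Signing input is base64url(header) "." base64url(payload); the HMAC-SHA256
    # over that ASCII string, base64url-encoded, becomes the third segment.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def mint_jwt(claims, key, ttl_seconds=300, now=None):
    # Add the time claims the verifier will check: iat, nbf and exp.
    now = int(time.time() if now is None else now)
    full = dict(claims, iat=now, nbf=now, exp=now + ttl_seconds)
    return jws_sign_hs256({"typ": "JWT", "alg": "HS256"}, full, key)

class InvalidToken(Exception):
    pass

def verify_jwt(token, key, issuer, audience, now=None, leeway=0):
    """Return the claims only if signature, issuer, audience and time checks pass."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.claims.signature")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm on the verifier side; the token must not choose it.
    # This rejects alg=none and RSA-public-key-as-HMAC-secret confusion tokens.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a wrong MAC leaks no timing information.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidToken("bad signature")
    # Only now are the claims trustworthy enough to be read.
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not intended for this audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise InvalidToken("token expired")
    if now < claims.get("nbf", 0) - leeway:
        raise InvalidToken("token not yet valid")
    return claims

# Constructed demo values (hypothetical key, issuer and audience).
DEMO_KEY = b"demo-hmac-key-at-least-32-bytes-long-for-hs256!"
DEMO_ISSUER = "https://as.example.test"
DEMO_AUDIENCE = "https://api.example.test"

def _rejected(token, now):
    try:
        verify_jwt(token, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=now)
    except InvalidToken:
        return True
    return False

def demo(now=1700000000):
    """Mint a token, verify it, then show three tokens a verifier must reject."""
    token = mint_jwt({"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "alice"},
                     DEMO_KEY, now=now)
    claims = verify_jwt(token, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=now)
    h, p, s = token.split(".")
    # 1. Changing one character of the claims segment breaks the signature.
    last = "A" if p[-1] != "A" else "B"
    tampered = f"{h}.{p[:-1]}{last}.{s}"
    # 2. An unsigned token whose header claims alg=none must not be accepted.
    none_header = b64url_encode(b'{"alg":"none"}')
    unsigned = f"{none_header}.{p}."
    return {
        "subject": claims["sub"],
        "tamper_rejected": _rejected(tampered, now),
        "none_rejected": _rejected(unsigned, now),
        # 3. Once the clock passes exp, the same token is refused.
        "expired_rejected": _rejected(token, now + 301),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints a subject of "alice" and true for all three rejections. The order of checks inside verify_jwt is deliberate: the signature is verified over the encoded segments before any claim is parsed, and "alg" is compared against the verifier's own expectation rather than used to select a routine.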

Questions & Thanks

@2botech
@travisspencer
www.2botech.com
www.travisspencer.com
