An overview of the JSON-based identity protocol suite, including JWT, JWE, JWK, etc.
The JSON-based Identity Protocol Suite
By Travis Spencer
Copyright © 2013 Twobo Technologies AB.
Overview of the Protocol Suite
JavaScript Object Notation (JSON) – data encoding format popularized by AJAX & REST
All being defined in the IETF
Used to encode the OAuth 2.0 security model
▪ Tokens (JWT)
▪ Encryption (JWE)
▪ Keys (JWK)
▪ Signatures (JWS)
OAuth 2.0 Bearer Token spec binds it to OAuth
Basis of OAuth and OpenID Connect
Overview of JWT
JWT – pronounced “jot” – are lightweight tokens passed in HTTP headers & query strings
Three basic sections – header, claims, signature
Akin to SAML tokens
▪ Less expressive
▪ Fewer security options
▪ Encoded w/ JSON, not XML, for compactness
JWT Token
Basic Layout & Wire Format
Header
Claims
Crypto
JWT = base64url(Header) + "." + base64url(Claims) + "." + base64url(Crypto)
Claims Section
Reserved (but optional) claim names
▪ Expiration time (exp)
▪ Not before (nbf)
▪ Issued at (iat)
▪ Issuer (iss)
▪ Type (typ)
▪ Audience (aud)
Public claim names
▪ IANA JWT claims registry
▪ Domain name, OID, or UUID
Private claim names – any unused name
Value can be any JSON type
Overview of JWE
Used to encrypt JWTs
Supports symmetric & asymmetric encryption
Three basic sections – header, key, ciphertext
Plaintext may be signed first
Encryption algorithms
▪ RSA1_5
▪ RSA-OAEP
▪ ECDH-ES
▪ A(128|256)KW
▪ A(128|256)GCM
Ciphertext is put in the crypto section of the JWT
JWE
Basic Layout & Wire Format
Header
Key
Ciphertext
JWE = base64url(Header) + "." + base64url(Key) + "." + base64url(Ciphertext)
Overview of JWK
Array of public keys encoded as JSON objects
Intended for inclusion in JWS for signature verification
Explicit support for Elliptic Curve and RSA keys
JWK Example
{
  "keyvalues": [
    {
      "algorithm": "EC",
      "curve": "P-256",
      "x": "…",
      "y": "…",
      "use": "encryption",
      "keyid": "1"
    },
    {
      "algorithm": "RSA",
      "modulus": "…",
      "exponent": "…",
      "keyid": "…"
    }
  ]
}
Overview of JWS
Header input is JWT header
Payload input is JWT claims
Output is appended to JWT inputs & (optionally) points to the JWK that was used
Supports symmetric & asymmetric signing algorithms
▪ HMAC SHA
▪ RSA SHA
▪ ECDSA w/ curve P & SHA
JWS
Basic Layout & Wire Format
Header
Payload
JWS = base64url(sig(base64url(Header) + "." + base64url(Payload)))
Questions & Thanks
@2botech
@travisspencer
www.2botech.com
www.travisspencer.com