JWT

JSON Web Token

code.ryan.lee@gmail.com

Introduction

JWT - JSON Web Token

  • Web Token that uses the JSON format

  • Claim-based token

  • Transfers information securely between two parties in a
    self-contained way, using a JSON object

  • Mainly used for user authentication and information exchange

  • RFC 7519

Web Token ?

Why a Web Token is needed

  • CSRF

  • CORS

  • Not Only Web, Mobile

  • Session

  • Scalability

  • REST API

Why ?

Now ?

  • Cookie?

  • Cookie??

  • Cookie???!

Type of Authorization

Cookie - Client Side Storage

  • Transmitted as a plain string

  • Can be forged or tampered with

  • XSS

  • Spoofing

  • Small storage space, 4096 bytes or less

  • ...

Type of Authorization

Session - Server Side Auth

  • Server load

  • CORS

  • Scalability

Type of Authorization

Problem of Cookie-Session #1

  • Scalability

  • Session synchronization

Type of Authorization

Problem of Cookie-Session #2

  • Overload

  • Synchronization, again!

Type of Authorization

Problem of Cookie-Session #3

  • Not only Web

  • Heterogeneous

Type of Authorization

Token base

  • Self-contained

{
  "id" : "hak",
  "role" : ["admin", "staff"],
  "group" : ["g1"]
}

JWT

Header

Payload

Signature

{
  "typ" : "JWT",
  "alg" : "HS256"
}

base64 encoded

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

HMAC-SHA256( base64url(Header) . base64url(Payload) , secret key )

  • Reserved claims

  • Public claims

  • Private claims

{
  "iss" : "ryan",
  "exp" : 1482900013,
  "sub" : "userInfo"
}
{
  "name": "hak",
  "age" : 26
}

JWT

Header . Payload . Signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImhhayIsImlhdCI6MTQ4MjY1OTg5MSwiZXhwIjoxNDgzMjY0NjkxLCJpc3MiOiJyeWFuIiwic3ViIjoidXNlckluZm8ifQ.m_UEg5vrqwgEzAF_VYaErUmkbkyHCZGciyOHdA7Oqfg

Authorization: Bearer <token>

JWT

Client

Server

1. POST /login

2. Create Token with secret key

3. Return Token

4. Request With Token on Header

5. Check Token Signature

6. Response
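As an added example (not the deck's own code), the token issue and verify steps of the flow above in Python: HS256 is HMAC-SHA256 over base64url(Header).base64url(Payload), and the verifier pins the algorithm, compares the signature in constant time, and checks exp. The secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # constructed sample key; use a random key of 32+ bytes in practice

def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_token(claims: dict, secret: bytes) -> str:
    """Step 2 of the flow: HMAC-SHA256 over 'base64url(header).base64url(payload)'."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def verify_token(token: str, secret: bytes, now=None):
    """Step 5 of the flow: returns the claims on success, None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload_raw = b64url_decode(payload_b64)
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side; a token claiming "none" or any other alg is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; the signature is checked before any claim is trusted.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(payload_raw)
    except ValueError:
        return None
    # "exp" is a NumericDate (seconds since epoch); this verifier requires it and rejects expired tokens.
    now = int(time.time()) if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims
```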

Silver bullet?

Pros

  • Self-contained

  • Not Server based

  • Stateless

  • Scalability

Cons

  • Self-contained

  • Token Size

  • Payload claim set is not encrypted

  • Store Token

  • Force Token expiration

Conclusion

HTTP

RESTful

Scalability

Stateless

JWT