JWT, JWS, JWE & JOSE

@glrodasz

Guillermo Rodas

Google Developer Expert in Web Technologies

Community Organizer and Online Teacher

https://guillermorodas.com

You can Google me as well.

AGENDA

JSON Web Token

    JSON Web Signature

    JSON Web Encryption

JSON Web Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header (decoded from the first segment):

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload (decoded from the second segment):

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature (third segment, computed over the first two):

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  your-256-bit-secret
)

eyJhb(...) . eyJzdWIi(...) . SflKxwRJS(...)

Compact serialization

JOSE Header

{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "abc123"
}

JOSE stands for JSON Object Signing and Encryption.

It is also the name of the IETF working group that standardized the representation of integrity-protected and encrypted content using JSON data structures (JWS, JWE and the related specifications).

A signed JWT is a JWS (JSON Web Signature). In fact, a JWT does not exist on its own: it is always either a JWS or a JWE (JSON Web Encryption). Think of JWT as an abstract class, with JWS and JWE as the concrete implementations.

JWT (as a JWS): JOSE Header + JWT Claim Set + Signature

JOSE Header

{
  "alg": "HS256",
  "typ": "JWT",
  "kid": "abc123"
}

JWT Claim Set

{
  "sub": "1234567890",
  "iat": 1516239022,
  "name": "John Doe"
}

Signature

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  your-256-bit-secret
)

HS256 (HMAC with SHA-256) is a symmetric algorithm: a single secret key, shared between the two parties, both produces and checks the signature. Anyone who can verify an HS256 token can therefore also mint one, so the secret must be high-entropy (at least 256 bits of random data, not a password) and shared only with parties trusted to issue tokens.

RS256 (RSA Signature with SHA-256) is an asymmetric algorithm that uses a public/private key pair: the identity provider holds the private (secret) key and uses it to generate the signature, and each consumer of the JWT gets the public key to validate it. Consumers can verify but cannot forge. In both cases the consumer must verify with the algorithm and key it expects, rather than with whatever "alg" the incoming header declares.

Serialization

A signed or an encrypted message can be serialized in two ways, following the JWS or JWE specification: the JWS/JWE compact serialization and the JWS/JWE JSON serialization.

JWS compact serialization represents a signed JWT as a compact, URL-safe string of three base64url segments separated by periods. The JSON serialization represents the same values as a JSON object, which can additionally carry unprotected header parameters and more than one signature.

JWS Compact Serialization

JWS JSON Serialization

JWE

(JSON Web Encryption)

The JWE (JSON Web Encryption) specification standardizes the way encrypted content is represented in a JSON-based data structure.

JWE Compact Serialization

With the JWE compact serialization, a JWE token is built from five components, each base64url-encoded and separated by a period: the protected header, the encrypted key, the initialization vector, the ciphertext and the authentication tag. The protected header is fed into the authenticated encryption as additional authenticated data, so it cannot be altered without the tag check failing.

JWE JSON Serialization

Summary

JWT is used to transport user identity/entitlements between interested parties in a secure manner.

A JWT is always a JWS or a JWE in compact serialization; JWS and JWE are the concrete forms a JWT takes.

JWS and JWE can each be serialized using either the compact serialization or the JSON serialization.

Workshop

const crypto = require("crypto")

// Turn standard base64 into base64url: drop padding, swap the two URL-unsafe characters
function clean64(text) {
  return text
    .replace(/=/g, "")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
}

// Standard base64 of a UTF-8 string
function to64(text) {
  return Buffer
    .from(text, "utf8")
    .toString("base64")
}

// base64url of a UTF-8 string, as JWS requires for every segment
function url64(text) {
  return clean64(to64(text))
}

const header = {
  typ: "JWT",
  alg: "HS256"
}
const payload = { sub: "abc" }

// First two segments: base64url(JSON header) and base64url(JSON payload)
const h = url64(JSON.stringify(header))
const p = url64(JSON.stringify(payload))

// Third segment: HMAC-SHA256 over "header.payload", keyed with the shared secret
const s = crypto
  .createHmac("sha256", "secret")
  .update(`${h}.${p}`)
  .digest("base64")

console.log(`${h}.${p}.${clean64(s)}`)
