Guillermo Rodas
Google Developer Expert in Web Technologies, Community Organizer, and Online Teacher.
@glrodasz
https://guillermorodas.com
You can Google me as well.
JSON Web Token
JSON Web Signature
JSON Web Encryption
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
{
"alg": "HS256",
"typ": "JWT",
"kid": "abc123"
}
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
your-256-bit-secret
)
eyJhb(...) . eyJzdWIi(...) . SflKxwRJS(...)
{
"alg": "HS256",
"typ": "JWT",
"kid": "abc123"
}
JWT
JWS
{
"sub": "1234567890",
"iat": 1516239022,
"name": "John Doe"
}
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
your-256-bit-secret
)
HS256 (HMAC with SHA-256) is a symmetric algorithm: a single secret key is shared between the two parties, so every party that can verify a token can also mint one, and the secret must be long and random (at least 256 bits), not a short string like the "secret" used in the workshop code below.
RS256 (RSA Signature with SHA-256) is an asymmetric algorithm that uses a public/private key pair: the identity provider keeps a private (secret) key used to generate the signature, and each consumer of the JWT gets the public key to validate the signature. With either algorithm the verifier must choose the algorithm and key itself and only check that the token's alg header matches what it expects; letting the header select the algorithm is what enables the "none" and HS256/RS256 key-confusion attacks.
A signed or an encrypted message can be serialized in two ways by following the JWS or JWE specification:
the JWS/JWE compact serialization and the JWS/JWE JSON serialization.
JWS compact serialization represents a signed JWT as a compact URL-safe string.
The JWE (JSON Web Encryption) specification standardizes how to represent encrypted content in a JSON-based data structure.
With the JWE compact serialization, a JWE is built from five components, each base64url-encoded and separated by a period: the protected header, the encrypted key, the initialization vector, the ciphertext and the authentication tag.
JWT is used to transport user identity/entitlements between interested parties in a secure manner.
A JWT is a JWS or a JWE in compact serialization whose payload is a set of JSON claims; the JSON serialization of a JWS or JWE is valid JOSE but is not a JWT.
JWS and JWE can be serialized using either the compact serialization or JSON serialization.
Workshop
const crypto = require("crypto")

// Turn standard base64 into base64url: drop the "=" padding and swap the two
// characters that are not URL-safe ("+" -> "-", "/" -> "_").
function clean64(text) {
  return text
    .replace(/=/g, "")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
}

// Standard base64 of a UTF-8 string
function to64(text) {
  return Buffer
    .from(text, "utf8")
    .toString("base64")
}

// base64url of a UTF-8 string, the encoding JWS uses for every segment
function url64(text) {
  return clean64(to64(text))
}

const header = {
  typ: "JWT",
  alg: "HS256"
}
const payload = { sub: "abc" }

// Signing input is BASE64URL(header) "." BASE64URL(payload)
const h = url64(JSON.stringify(header))
const p = url64(JSON.stringify(payload))

// HS256: HMAC-SHA256 over the signing input with the shared secret
// ("secret" is only a placeholder; a real key needs at least 256 random bits)
const s = crypto
  .createHmac("sha256", "secret")
  .update(`${h}.${p}`)
  .digest("base64")

// The compact JWS: header.payload.signature, all base64url
console.log(`${h}.${p}.${clean64(s)}`)
By Guillermo Rodas
A presentation about what is JWT, JWS, JWE and JOSE