Let’s Talk About JWT

Hello!

Disclaimer

@jesstemporal

jesstemporal.com

"Jot"

JWT

JSON Object Signing and Encryption - JOSE

RFC 7519

A JWT is usually a standardized string that represents information

JSON Web Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9.LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc

{
  "alg": "HS256",
  "typ": "JWT"
}

The header

{
  "sub": "1234567890",
  "given_name": "Jessica",
  "family_name": "Temporal",
  "preferred_username": "jesstemporal",
  "iat": 1516239022,
  "exp": 1552305710
}

The Payload

{
  "sub": "1234567890",
  "iss": "https://jtemporal.com",
  "iat": 1516239022,
  "exp": 1552305710
}

Reserved claims

{
  "given_name": "Jessica",
  "family_name": "Temporal",
  "preferred_username": "jesstemporal"
}

Public claims

{
  "anything": "you want",
  "really": "anything"
}

Private claims

Keep it small: only relevant data

Don't put sensitive data in the payload

HMACSHA256(
    encodeBase64(header) + "." +
    encodeBase64(payload),
    "your-256-bit-secret"
)

The Signature

HMACSHA256(
    encodeBase64(header) + "." +
    encodeBase64(payload),
    "nPilVwFjcF0v5NL5YT1xsiwRJCGqM1do"
)

The Signature

Symmetrical algorithm

Asymmetrical algorithm

JSON Web Key

RFC 7517

JWK

{
  "keys": [{
     "alg": "RS256",
     "kty": "RSA",
     "use": "sig",
     "n": "uEOPrkjGKxE...YIwS5ZoDQ",
     "e": "AQAB",
     "kid": "n6OFo...9cl9",
     "x5t": "ET...rQA",
     "x5c": ["MIIDDTCCAf...OaeyleoS0="]
  }]
}

Create a JWT

{
  "alg": "HS256",
  "typ": "JWT"
}

Header

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

{
  "sub": "1234567890",
  "given_name": "Jessica",
  "family_name": "Temporal",
  "preferred_username": "jesstemporal",
  "iat": 1516239022,
  "exp": 1552305710
}

Payload

eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9

HMACSHA256(
    encodeBase64(header) + "." +
    encodeBase64(payload),
    "your-256-bit-secret"
)

Signature

LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9.LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc

JWT

Where to find JWTs?

Access token

RFC 9068

ID token

Be safer with JWTs

Don't store JWTs in local storage

Don't verify JWTs in the front end

Don't put sensitive data in the JWT

jwt.io

See you soon!

Let’s Talk About JWT

By Jessica Temporal

JSON Web Tokens, or JWTs for short, are all over the web. They can be used to track bits of information about a user in a very compact way and can be used in APIs for authorization purposes. Join me and learn what JWTs are, what problems they solve, and how you can use JWTs in your applications.
