Let’s Talk About JWT
Hello!
Disclaimer
@jesstemporal
jesstemporal.com
"Jot"
@jesstemporal
jesstemporal.com
JWT
JSON Object Signing and Encryption - JOSE
@jesstemporal
jesstemporal.com
RFC 7519
@jesstemporal
jesstemporal.com
Usually is a standardized string that represents information
@jesstemporal
jesstemporal.com
JSON Web Token
@jesstemporal
jesstemporal.com
JSON Web Token
@jesstemporal
jesstemporal.com
JSON Web Token
@jesstemporal
jesstemporal.com
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9.LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9.LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9.LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9.LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc
{
"alg": "HS256",
"typ": "JWT"
}
The header
@jesstemporal
jesstemporal.com
{
"sub": "1234567890",
"given_name": "Jessica",
"family_name": "Temporal",
"preferred_username": "jesstemporal",
"iat": 1516239022,
"exp": 1552305710
}
The Payload
@jesstemporal
jesstemporal.com
{
"sub": "1234567890",
"iss": "https://jtemporal.com",
"iat": 1516239022,
"exp": 1552305710
}
Reserved claims
@jesstemporal
jesstemporal.com
{
"given_name": "Jessica",
"family_name": "Temporal",
"preferred_username": "jesstemporal"
}
Public claims
@jesstemporal
jesstemporal.com
{
"anything": "you want",
"really": "anything"
}
Private claims
@jesstemporal
jesstemporal.com
Keep it small,
only relevant data
@jesstemporal
jesstemporal.com
Don't put sensitive data in the payload
@jesstemporal
jesstemporal.com
HMACSHA256(
encodeBase64(header) + "." +
encodeBase64(payload),
"your-256-bit-secret"
)
The Signature
@jesstemporal
jesstemporal.com
HMACSHA256(
encodeBase64(header) + "." +
encodeBase64(payload),
"nPilVwFjcF0v5NL5YT1xsiwRJCGqM1do"
)
The Signature
@jesstemporal
jesstemporal.com
Symmetrical algorithm
@jesstemporal
jesstemporal.com
Asymmetrical algorithm
@jesstemporal
jesstemporal.com
JSON Web Key
@jesstemporal
jesstemporal.com
RFC 7517
@jesstemporal
jesstemporal.com
JWK
@jesstemporal
jesstemporal.com
{
"keys": [{
"alg": "RS256",
"kty": "RSA",
"use": "sig",
"n": "uEOPrkjGKxE...YIwS5ZoDQ",
"e": "AQAB",
"kid": "n6OFo...9cl9",
"x5t": "ET...rQA",
"x5c": ["MIIDDTCCAf...OaeyleoS0="]
}]
}
Create a JWT
@jesstemporal
jesstemporal.com
{
"alg": "HS256",
"typ": "JWT"
}
Header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Header
{
"sub": "1234567890",
"given_name": "Jessica",
"family_name": "Temporal",
"preferred_username": "jesstemporal",
"iat": 1516239022,
"exp": 1552305710
}
Payload
eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9
Payload
Header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload
Signature
Header
HMACSHA256(
encodeBase64(header) + "." +
encodeBase64(payload),
"your-256-bit-secret"
)
eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload
Signature
Header
LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc
eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9.LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc
jesstemporal.com
@jesstemporal
JWT
Where to find JWTs?
@jesstemporal
jesstemporal.com
Access token
@jesstemporal
jesstemporal.com
RFC 9068
@jesstemporal
jesstemporal.com
ID token
@jesstemporal
jesstemporal.com
Be safer with JWTs
@jesstemporal
jesstemporal.com
Don't store JWTs in local storage
@jesstemporal
jesstemporal.com
Don't verify JWTs in the front end
@jesstemporal
jesstemporal.com
Don't put sensitive data in the JWT
@jesstemporal
jesstemporal.com
Don't put sensitive data in the JWT
@jesstemporal
jwt.io
@jesstemporal
See you soon!
Let’s Talk About JWT
By Jessica Temporal
Let’s Talk About JWT
JSON Web Tokens, or JWTs for short, are all over the web. They can be used to track bits of information about a user in a very compact way and can be used in APIs for authorization purposes. Join me and learn what JWTs are, what problems it resolves, and how you can use JWTs on your applications.
- 893