Let’s Talk About JWT

Hello!

Disclaimer

@jesstemporal

jesstemporal.com

"Jot"

JWT

JSON Object Signing and Encryption - JOSE

RFC 7519

Usually, it is a standardized string that represents information

JSON Web Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9.LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc

{
  "alg": "HS256",
  "typ": "JWT"
}

The header

{
  "sub": "1234567890",
  "given_name": "Jessica",
  "family_name": "Temporal",
  "preferred_username": "jesstemporal",
  "iat": 1516239022,
  "exp": 1552305710
}

The Payload

{
  "sub": "1234567890",
  "iss": "https://jtemporal.com",
  "iat": 1516239022,
  "exp": 1552305710
}

Reserved claims

{
  "given_name": "Jessica",
  "family_name": "Temporal",
  "preferred_username": "jesstemporal"
}

Public claims

{
  "anything": "you want",
  "really": "anything"
}

Private claims

Keep it small, only relevant data

Don't put sensitive data in the payload

HMACSHA256(
    encodeBase64(header) + "." +
    encodeBase64(payload),
    "your-256-bit-secret"
)

The Signature

HMACSHA256(
    encodeBase64(header) + "." +
    encodeBase64(payload),
    "nPilVwFjcF0v5NL5YT1xsiwRJCGqM1do"
)

The Signature

Symmetrical algorithm

Asymmetrical algorithm

JSON Web Key

RFC 7517

JWK

{
  "keys": [{
     "alg": "RS256",
     "kty": "RSA",
     "use": "sig",
     "n": "uEOPrkjGKxE...YIwS5ZoDQ",
     "e": "AQAB",
     "kid": "n6OFo...9cl9",
     "x5t": "ET...rQA",
     "x5c": ["MIIDDTCCAf...OaeyleoS0="]
  }]
}

Create a JWT

{
  "alg": "HS256",
  "typ": "JWT"
}

Header

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

{
  "sub": "1234567890",
  "given_name": "Jessica",
  "family_name": "Temporal",
  "preferred_username": "jesstemporal",
  "iat": 1516239022,
  "exp": 1552305710
}

Payload

eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9

HMACSHA256(
    encodeBase64(header) + "." +
    encodeBase64(payload),
    "your-256-bit-secret"
)

Signature

LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc

Header . Payload . Signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZSI6Ikplc3NpY2EiLCJmYW1pbHlfbmFtZSI6IlRlbXBvcmFsIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamVzc3RlbXBvcmFsIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1NTIzMDU3MTB9.LmUNPW9fSAqVTGEEFW0yrsD9eooyRv_VPB3r6tCWkRc

JWT

Where to find JWTs?

Access token

RFC 9068

ID token

Be safer with JWTs

Don't store JWTs in local storage

Don't verify JWTs in the front end

Don't put sensitive data in the JWT

jwt.io

See you soon!