Do you really
know JWT?
About me
Karim Pinchon
- Backend developer
- @kpn13
- https://blog.karimpinchon.com
- https://slides.com/kpn13
Some
basics
Token
What is a token?
- string
- authentication
- authorization
- ...
What does it look like?
What is it for?
JSON Web Token
https://jwt.io/
A simple string?
Reference
Value
JSON Web Token
"JOT"
The suggested pronunciation of JWT is the same as the English word "jot".
RFC 7519
Cryptography
What is cryptography?
- confidentiality
- authenticity
- integrity
- non repudiation
- ...
Digital signature
- integrity
- authenticity
- non-repudiation
Encryption
- confidentiality
Hash
- integrity
MAC / HMAC
- integrity
- authenticity
Encoding
- character registry
What does it look like?
jwt.io
token.dev
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkFGVVBEYXkgTGlsbGUvUmVubmVzIDIwMjEiLCJleHAiOjE2MjIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU
JSON Web Token (JWT)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkFGVVBEYXkgTGlsbGUvUmVubmVzIDIwMjEiLCJleHAiOjE2MjIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU
JSON Web Token (JWT)
{
"alg": "HS256",
"typ": "JWT"
}
{
"iss": "my server",
"sub": "1234567890",
"name": "Karim PINCHON",
"iat": 1619862475,
"aud": "Voxxed Days CERN 2024",
"exp": 1622246399,
"jti": "7a365dd0-7bc7-4894-bb09-771ea152cc55"
}
HMACSHA256( base64UrlEncode( ) + "." + base64UrlEncode(payload), MY_SECRET)
header
payload
.
.
header
signature
{
"payload":"ewogICJpc3MiOiAibXkgc2VydmVyIiwKICAic3ViIjogIjEyMzQ1Njc4OTAiLAogICJuYW1lIjogIkthcmltIFBJTkNIT04iLAogICJpYXQiOiAxNjE5ODYyNDc1LAogICJhdWQiOiAiQUZVUERheSBMaWxsZS9SZW5uZXMgMjAyMSIsCiAgImV4cCI6IDE2MjIyNDYzOTksCiAgImp0aSI6ICI3YTM2NWRkMC03YmM3LTQ4OTQtYmIwOS03NzFlYTE1MmNjNTUiCn0K",
"protected":"eyJhbGciOiJSUzI1NiJ9",
"signature":"ZbJXgzuYVCQCqoUxa5OtWRqmsl2S3Pe-29P19KacZgXlymwi-G-w6n-dnZObTPbheJbnlbptvv8yWO_pEqnohZZXH_c7Sd5sEm5k58-6GqG1FE13Q2CmWA44V91YbHA0rpMhiA1GNxVHIdNpW9wNkzEM3aqbJ9sdhix2RsbS3ofBWQdyaFSDrazWWCAK17ghI5KlUK_KQWNlXDZd8dn7VMNGBRuA5N4erfftG6i-OtFODYR_R1Eb0ltGBYOZamLOxtwR8PR40vjLGtQwJdp8CxdKXKHvrzahRA6k3YRYT2U8dzCsDPYFuzUAZgiSZ5JEG5favYWQsiyg84wF35jIdA"
}JSON serialization format
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkRldmZlc3QgU3RvY2tob2xtIDIwMjMiLCJleHAiOjE3NDIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.
Unsecured token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU
Detached payload token
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0..
Unsecured token with detached payload
Focus on the header
{
"typ":"JWT",
"alg":"HS256",
"jku":"https://key.service.com/keys.json",
"jwk":"...",
"kid":"ebb58a6d-0c84-4b5e-aac3-f5edc600cd77",
"x5u":"https://key.service.com/keys.pem",
"x5c":"...",
"x5t":"bcb0923eacb242cf0e69e626cd7ca2fc3426fae0",
"x5t#S256":"dbb821587583647e905b94764c86e",
"cty":"jwk+json",
"crit":["exp"]
}Header
Focus on
the payload
"Registered claims"
{
"iss":"token issuer",
"aud":"token audience",
"sub":"token subject",
"iat":"token issued date",
"nbf":"token not valid before",
"exp":"token expiration date",
"jti":"token unique identifier"
}"Public claims"
https://www.iana.org/assignments/jwt/jwt.xhtml
"Private claims"
JOSE
JOSE
Javascript Object Signing and Encryption
JSON Web Token
- RFC 7519
- "claims" between 2 parts
JSON Web Signature
- RFC 7515
- signed token
JSON Web Encryption
- RFC 7516
- encrypted token
JSON Web Algorithms
- RFC 7518
- algorithms
JSON Web Key
- RFC 7517
- keys
Take a look at
JWE
JSON Web Encryption (JWE)
eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.uWmje_-Y3GF2nzjLzPopD17yHB7WBDrQgPeE011dhep40Hg4sE6-ZbqBgc4K4cwfbsXU-ZwTY5b6RiHa8clNtZZW2_Qm1Mbu8jcXs-84OrL9n9t7CgdTBd1lGp8e5j6bAxBJTjwdOWO6Cz492DVAxxNNMyuV0UIJsgEUo8b5IpLD4j2VvOgE_V8FSMuifEsq13OKORjfQ2wApIZDw1QAhXQ9GLx08Nl-0umEcaiXH8f36Pqvt4dRwK6tSIgSMht3qAXNCtBBFQS8fyffu1KyZ8_11gWlQdeisPhKbDGEDBNd2SAN2-lQxrcCBmyJ3oD0PCeS3sV8fvoM4eFRfzYhpg.lI2L7mB4nXr4Lnsk.pkdYMTeQUjmBd5kGUnLL72n4ztIQaotAsy1MQj7180sMkGzNwq9n8mI-1bhpavxgAczRhGfKXSmHfHsF3curt10ClMZOsHOJ8sP93lura_5pU7ZYB0V2stupb6a8IiWWYOdASpjtsKr0VpKRO_AuiaRGC1WZdlhWHnptIP78bkG2P7hV57ht3W-upjIErnRtEY29Vt7ddu-r983l8MLw2-8-jb31LxgJYS2Zkr7eDB-UmI5xygsEHLH_pdqOKqxJhO3U3LkWBlt7a1sH.SzRYiT21_Lv7ae8xxmmfRg
Compact serialization format
JSON Web Encryption (JWE)
eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.uWmje_-Y3GF2nzjLzPopD17yHB7WBDrQgPeE011dhep40Hg4sE6-ZbqBgc4K4cwfbsXU-ZwTY5b6RiHa8clNtZZW2_Qm1Mbu8jcXs-84OrL9n9t7CgdTBd1lGp8e5j6bAxBJTjwdOWO6Cz492DVAxxNNMyuV0UIJsgEUo8b5IpLD4j2VvOgE_V8FSMuifEsq13OKORjfQ2wApIZDw1QAhXQ9GLx08Nl-0umEcaiXH8f36Pqvt4dRwK6tSIgSMht3qAXNCtBBFQS8fyffu1KyZ8_11gWlQdeisPhKbDGEDBNd2SAN2-lQxrcCBmyJ3oD0PCeS3sV8fvoM4eFRfzYhpg.lI2L7mB4nXr4Lnsk.pkdYMTeQUjmBd5kGUnLL72n4ztIQaotAsy1MQj7180sMkGzNwq9n8mI-1bhpavxgAczRhGfKXSmHfHsF3curt10ClMZOsHOJ8sP93lura_5pU7ZYB0V2stupb6a8IiWWYOdASpjtsKr0VpKRO_AuiaRGC1WZdlhWHnptIP78bkG2P7hV57ht3W-upjIErnRtEY29Vt7ddu-r983l8MLw2-8-jb31LxgJYS2Zkr7eDB-UmI5xygsEHLH_pdqOKqxJhO3U3LkWBlt7a1sH.SzRYiT21_Lv7ae8xxmmfRg
Compact serialization format
JSON Web Encryption (JWE)
Compact serialization format
BASE64URL(UTF8(JWE Protected Header)). BASE64URL(JWE Encrypted Key). BASE64URL(JWE Initialization Vector). BASE64URL(JWE Ciphertext). BASE64URL(JWE Authentication Tag)
{
"protected":"eyJhbGciOiJS...hHQ00ifQ",
"encrypted_key":"uWmjefvoM4eFRfzYhpg",
"iv":"lI2L7mB4nXr4Lnsk",
"ciphertext":"pkdYMTeQUjm...a1sH",
"tag":"SzRYiT21_Lv7ae8xxmmfRg"
}JSON Web Encryption (JWE)
JSON serialization format
JSON Web Encryption (JWE)
Nested token
First sign, then encrypt
JSON Web Encryption (JWE)
What PHP implementation?
JSON Web Encryption (JWE)
https://web-token.spomky-labs.com/
And so one...
Key management
JSON Web Key
{
"alg":"A128KW",
"kty":"oct",
"k":"GawgguFyGrWKav7AX4VKUg"
}Symmetric key representation example
JSON Web Key
{
"keys":
[
{
"kty":"oct",
"alg":"A128KW",
"k":"GawgguFyGrWKav7AX4VKUg"
},
{
"kty":"oct",
"k":"AyM1SysPpbyDfgCAow",
"kid":"8771e475-3f88-42e9-86dc-6cc50436720d"
}
]
}Symmetric key set representation example
{
"alg": "HS256",
"type": "JWT",
"kid": "6d3db68d-5867-458d-921b-1c2426ef78b4"
}Key id use case example
JSON Web Key
JSON Web Key
{
"alg": "RS256",
"x5u": "https://key.service.com/key.pem"
}X509 certificate example
JSON Web Key
{
"alg": "HS256",
"type": "JWT",
"kid": "6d3db68d-5867-458d-921b-1c2426ef78b4",
"jku": "https://key.service.com/keys.json"
}JWK set URL example
And so one...
What it's for?
API token
OAuth2
OpenID Connect
"Stateless session"
Custom usecase
What
about vulnerabilities?
Unsecured token
{
"alg": "none",
"type": "JWT"
}Header
Asymmetric to symmetric
Brute force
Modify encrypted data
Substitution
JWT paradox
Some advices
Secret
Don't accept everything
Validate
claims
Protect against injection
Use wellknown library
Don't trust the header
Choose asymmetric
Don't fight for revocation
About
privacy
JWS data are clear, so be careful
Don't log JWT
Put only required and sufficient data
Which alternatives?
Macaroons
"Cookies with Contextual Caveats for Decentralized Authorization in the Cloud"
(unofficial picture...)
CleverCloud/biscuit
"authentication and authorization token for microservices architectures"
paragonie/paseto
Platform-Agnostic Security Tokens
It's the end!
Let's summarize
- JWT is a little part of JOSE
- JWS and JWE are JWT implementations
- JWT, JWS, JWE, JWA, JWK
- Be sure to use it securely!
https://slides.com/kpn13
Thank you
@kpn13
https://blog.karimpinchon.com
Do you really know JWT?
By Karim PINCHON
