Do you really know JWT?
About me
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8572710/pasted-from-clipboard.png)
Karim Pinchon
- Backend developer
- @kpn13
- https://blog.karimpinchon.com
- https://slides.com/kpn13
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/7731154/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9849002/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9870225/PngItem_175427.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10276730/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8546483/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10276786/projector-g81887176f_640.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10276797/chat-g7b81cca6c_1280.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10276801/bash-gd35656ef8_1280.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10925125/french-flag-1332898_1280.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/11069796/Bluesky_butterfly-logo.svg.png)
Some basics
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8570880/pasted-from-clipboard.png)
Token
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9413282/pasted-from-clipboard.png)
What is a token?
- string
- authentication
- authorization
- ...
What does it look like?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8542016/pasted-from-clipboard.png)
JSON Web Token
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8542168/pasted-from-clipboard.png)
https://jwt.io/
A simple string?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8542093/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8542096/pasted-from-clipboard.png)
Reference
Value
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8542105/pasted-from-clipboard.png)
JSON Web Token
"JOT"
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9413257/pasted-from-clipboard.png)
The suggested pronunciation of JWT is the same as the English word "jot".
RFC 7519
Cryptography
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9413286/pasted-from-clipboard.png)
What is cryptography?
- confidentiality
- authenticity
- integrity
- non-repudiation
- ...
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9413321/pasted-from-clipboard.png)
Digital signature
- integrity
- authenticity
- non-repudiation
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8542986/pasted-from-clipboard.png)
Encryption
- confidentiality
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8542992/pasted-from-clipboard.png)
Hash
- integrity
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9413372/pasted-from-clipboard.png)
MAC / HMAC
- integrity
- authenticity
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9458214/pngegg.png)
Encoding
- character registry
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9413452/pasted-from-clipboard.png)
What does it look like?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8570882/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8572785/pasted-from-clipboard.png)
jwt.io
token.dev
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9412914/pasted-from-clipboard.png)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkFGVVBEYXkgTGlsbGUvUmVubmVzIDIwMjEiLCJleHAiOjE2MjIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU
JSON Web Token (JWT)
{
"alg": "HS256",
"typ": "JWT"
}
{
"iss": "my server",
"sub": "1234567890",
"name": "Karim PINCHON",
"iat": 1619862475,
"aud": "Voxxed Days CERN 2024",
"exp": 1622246399,
"jti": "7a365dd0-7bc7-4894-bb09-771ea152cc55"
}
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), MY_SECRET)
header . payload . signature
{
"payload":"ewogICJpc3MiOiAibXkgc2VydmVyIiwKICAic3ViIjogIjEyMzQ1Njc4OTAiLAogICJuYW1lIjogIkthcmltIFBJTkNIT04iLAogICJpYXQiOiAxNjE5ODYyNDc1LAogICJhdWQiOiAiQUZVUERheSBMaWxsZS9SZW5uZXMgMjAyMSIsCiAgImV4cCI6IDE2MjIyNDYzOTksCiAgImp0aSI6ICI3YTM2NWRkMC03YmM3LTQ4OTQtYmIwOS03NzFlYTE1MmNjNTUiCn0K",
"protected":"eyJhbGciOiJSUzI1NiJ9",
"signature":"ZbJXgzuYVCQCqoUxa5OtWRqmsl2S3Pe-29P19KacZgXlymwi-G-w6n-dnZObTPbheJbnlbptvv8yWO_pEqnohZZXH_c7Sd5sEm5k58-6GqG1FE13Q2CmWA44V91YbHA0rpMhiA1GNxVHIdNpW9wNkzEM3aqbJ9sdhix2RsbS3ofBWQdyaFSDrazWWCAK17ghI5KlUK_KQWNlXDZd8dn7VMNGBRuA5N4erfftG6i-OtFODYR_R1Eb0ltGBYOZamLOxtwR8PR40vjLGtQwJdp8CxdKXKHvrzahRA6k3YRYT2U8dzCsDPYFuzUAZgiSZ5JEG5favYWQsiyg84wF35jIdA"
}
JSON serialization format
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkRldmZlc3QgU3RvY2tob2xtIDIwMjMiLCJleHAiOjE3NDIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.
Unsecured token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU
Detached payload token
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0..
Unsecured token with detached payload
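The formula above is the whole of the HS256 flavour of a compact JWS. As an added example (not part of the deck, and not the spomky-labs library), this stdlib-only Python builds the deck's header and payload into a token, recomputes the signature exactly as the formula says, and splits a compact string into its three segments, recognising the detached-payload and unsecured variants listed above. `DEMO_SECRET`, `DECK_HEADER`, `DECK_PAYLOAD` and the function names are this example's own; the deck's `MY_SECRET` is not known, so the computed signature does not match the one printed on the slide.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret: the deck's MY_SECRET is unknown, so the signature
# produced here will not match the one printed on the slide.
DEMO_SECRET = b"demo-secret-not-for-production"

# Header and payload as shown on the slides (aud taken from the decoded view).
DECK_HEADER = {"alg": "HS256", "typ": "JWT"}
DECK_PAYLOAD = {
    "iss": "my server",
    "sub": "1234567890",
    "name": "Karim PINCHON",
    "iat": 1619862475,
    "aud": "Voxxed Days CERN 2024",
    "exp": 1622246399,
    "jti": "7a365dd0-7bc7-4894-bb09-771ea152cc55",
}


def b64url_encode(data: bytes) -> str:
    """Base64url with the '=' padding stripped, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_segment(obj: dict) -> str:
    # No whitespace: the exact bytes that were signed are the bytes that get verified.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs256_signature(header_seg: str, payload_seg: str, secret: bytes) -> str:
    """The slide's formula: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def encode_jws(header: dict, payload: dict, secret: bytes) -> str:
    """Compact serialization: header.payload.signature."""
    header_seg, payload_seg = json_segment(header), json_segment(payload)
    return f"{header_seg}.{payload_seg}.{hs256_signature(header_seg, payload_seg, secret)}"


def split_compact(token: str) -> dict:
    """Split a compact JWS and name which of the slide's variants it is.

    Structure only: nothing is verified here, and a consumer must never read an
    empty signature segment as "no signature needed".
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    header_seg, payload_seg, sig_seg = parts
    if payload_seg == "" and sig_seg == "":
        form = "unsecured, detached payload"
    elif payload_seg == "":
        form = "detached payload"  # payload travels out of band
    elif sig_seg == "":
        form = "unsecured"  # alg "none": nothing protects the claims
    else:
        form = "signed"
    return {
        "header": json.loads(b64url_decode(header_seg)),
        "payload": json.loads(b64url_decode(payload_seg)) if payload_seg else None,
        "signature": sig_seg,
        "form": form,
    }


if __name__ == "__main__":
    token = encode_jws(DECK_HEADER, DECK_PAYLOAD, DEMO_SECRET)
    print(token)
    print(split_compact(token)["form"])
```

Because the header is serialized without whitespace and in the slide's key order, its segment comes out as the same `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` that opens every token on these slides; any change to spacing or key order changes the bytes, which is why a verifier must always recompute the MAC over the segments exactly as received rather than over a re-serialized copy.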
Focus on the header
{
"typ":"JWT",
"alg":"HS256",
"jku":"https://key.service.com/keys.json",
"jwk":"...",
"kid":"ebb58a6d-0c84-4b5e-aac3-f5edc600cd77",
"x5u":"https://key.service.com/keys.pem",
"x5c":"...",
"x5t":"bcb0923eacb242cf0e69e626cd7ca2fc3426fae0",
"x5t#S256":"dbb821587583647e905b94764c86e",
"cty":"jwk+json",
"crit":["exp"]
}
Header
Focus on the payload
"Registered claims"
{
"iss":"token issuer",
"aud":"token audience",
"sub":"token subject",
"iat":"token issued date",
"nbf":"token not valid before",
"exp":"token expiration date",
"jti":"token unique identifier"
}
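An added example, not from the deck: how a resource server validates these registered claims against its own configuration rather than taking the token's word for anything. The claim values are the ones from the deck's decoded payload; `validate_claims`, `is_replay`, `EXPECTED_ISS`, `EXPECTED_AUD` and the 60-second clock-skew leeway are this example's assumptions.

```python
import time
from typing import List, Optional, Set

# Payload from the deck's decoded token; the expectations below are what the
# resource server was configured with (constructed for this example).
DECK_CLAIMS = {
    "iss": "my server",
    "sub": "1234567890",
    "name": "Karim PINCHON",
    "iat": 1619862475,
    "aud": "Voxxed Days CERN 2024",
    "exp": 1622246399,
    "jti": "7a365dd0-7bc7-4894-bb09-771ea152cc55",
}
EXPECTED_ISS = "my server"
EXPECTED_AUD = "Voxxed Days CERN 2024"


def validate_claims(claims: dict, expected_iss: str, expected_aud: str,
                    now: Optional[int] = None, leeway: int = 60) -> List[str]:
    """Check the registered claims against OUR expectations (RFC 7519 section 4.1).

    Returns the list of failures; an empty list means the claims are acceptable.
    `leeway` absorbs clock skew between issuer and verifier.
    """
    now = int(time.time()) if now is None else now
    errors: List[str] = []

    # iss: the token must come from the issuer we trust, not merely from "someone".
    if claims.get("iss") != expected_iss:
        errors.append(f"iss mismatch: {claims.get('iss')!r}")

    # aud: a token minted for another service must not be accepted here.
    # The claim is either a single string or an array of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        errors.append(f"aud mismatch: {aud!r}")

    # exp / nbf / iat are NumericDate values (seconds since the epoch).
    for name in ("exp", "nbf", "iat"):
        if name in claims and not isinstance(claims[name], (int, float)):
            errors.append(f"{name} is not a NumericDate")
            return errors  # cannot reason about time with a malformed value

    # exp is optional in the RFC; this policy requires it so no token lives forever.
    if "exp" not in claims:
        errors.append("exp missing")
    elif now > claims["exp"] + leeway:
        errors.append("token expired")

    if "nbf" in claims and now < claims["nbf"] - leeway:
        errors.append("token not yet valid")

    if "iat" in claims and claims["iat"] > now + leeway:
        errors.append("iat in the future")

    return errors


def is_replay(claims: dict, seen_jti: Set[str]) -> bool:
    """jti makes a token unique; remembering the ids already consumed (until their
    exp) detects replays of one-shot tokens. Returns True if this jti was seen."""
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        return True  # no usable id: a one-shot token without jti cannot be accepted
    if jti in seen_jti:
        return True
    seen_jti.add(jti)
    return False
```

The order of checks matters less than their completeness: a token with a valid signature but the wrong `aud` is a token issued for someone else, and a correct `exp` check is what bounds the damage when a token leaks.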
"Public claims"
https://www.iana.org/assignments/jwt/jwt.xhtml
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8609298/pasted-from-clipboard.png)
"Private claims"
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8544012/pasted-from-clipboard.png)
JOSE
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10895302/pasted-from-clipboard.png)
JOSE
Javascript Object Signing and Encryption
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9459216/pasted-from-clipboard.png)
JSON Web Token
- RFC 7519
- "claims" exchanged between two parties
JSON Web Signature
- RFC 7515
- signed token
JSON Web Encryption
- RFC 7516
- encrypted token
JSON Web Algorithms
- RFC 7518
- algorithms
JSON Web Key
- RFC 7517
- keys
Take a look at
JWE
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8578947/pasted-from-clipboard.png)
JSON Web Encryption (JWE)
eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.uWmje_-Y3GF2nzjLzPopD17yHB7WBDrQgPeE011dhep40Hg4sE6-ZbqBgc4K4cwfbsXU-ZwTY5b6RiHa8clNtZZW2_Qm1Mbu8jcXs-84OrL9n9t7CgdTBd1lGp8e5j6bAxBJTjwdOWO6Cz492DVAxxNNMyuV0UIJsgEUo8b5IpLD4j2VvOgE_V8FSMuifEsq13OKORjfQ2wApIZDw1QAhXQ9GLx08Nl-0umEcaiXH8f36Pqvt4dRwK6tSIgSMht3qAXNCtBBFQS8fyffu1KyZ8_11gWlQdeisPhKbDGEDBNd2SAN2-lQxrcCBmyJ3oD0PCeS3sV8fvoM4eFRfzYhpg.lI2L7mB4nXr4Lnsk.pkdYMTeQUjmBd5kGUnLL72n4ztIQaotAsy1MQj7180sMkGzNwq9n8mI-1bhpavxgAczRhGfKXSmHfHsF3curt10ClMZOsHOJ8sP93lura_5pU7ZYB0V2stupb6a8IiWWYOdASpjtsKr0VpKRO_AuiaRGC1WZdlhWHnptIP78bkG2P7hV57ht3W-upjIErnRtEY29Vt7ddu-r983l8MLw2-8-jb31LxgJYS2Zkr7eDB-UmI5xygsEHLH_pdqOKqxJhO3U3LkWBlt7a1sH.SzRYiT21_Lv7ae8xxmmfRg
Compact serialization format
JSON Web Encryption (JWE)
Compact serialization format
BASE64URL(UTF8(JWE Protected Header)). BASE64URL(JWE Encrypted Key). BASE64URL(JWE Initialization Vector). BASE64URL(JWE Ciphertext). BASE64URL(JWE Authentication Tag)
{
"protected":"eyJhbGciOiJS...hHQ00ifQ",
"encrypted_key":"uWmjefvoM4eFRfzYhpg",
"iv":"lI2L7mB4nXr4Lnsk",
"ciphertext":"pkdYMTeQUjm...a1sH",
"tag":"SzRYiT21_Lv7ae8xxmmfRg"
}
JSON Web Encryption (JWE)
JSON serialization format
JSON Web Encryption (JWE)
Nested token
First sign, then encrypt
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/7732217/pasted-from-clipboard.png)
JSON Web Encryption (JWE)
What PHP implementation?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10309060/51895-john-travolta-acteurs-divers-cinema-international-multi-media.gif)
JSON Web Encryption (JWE)
https://web-token.spomky-labs.com/
![](https://media1.giphy.com/media/xoV4JZ3cBaSGngdxxl/giphy.gif)
And so on...
Key management
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8569362/pasted-from-clipboard.png)
JSON Web Key
{
"alg":"A128KW",
"kty":"oct",
"k":"GawgguFyGrWKav7AX4VKUg"
}
Symmetric key representation example
JSON Web Key
{
"keys":
[
{
"kty":"oct",
"alg":"A128KW",
"k":"GawgguFyGrWKav7AX4VKUg"
},
{
"kty":"oct",
"k":"AyM1SysPpbyDfgCAow",
"kid":"8771e475-3f88-42e9-86dc-6cc50436720d"
}
]
}
Symmetric key set representation example
{
"alg": "HS256",
"typ": "JWT",
"kid": "6d3db68d-5867-458d-921b-1c2426ef78b4"
}
Key id use case example
JSON Web Key
{
"alg": "RS256",
"x5u": "https://key.service.com/key.pem"
}
X509 certificate example
JSON Web Key
{
"alg": "HS256",
"typ": "JWT",
"kid": "6d3db68d-5867-458d-921b-1c2426ef78b4",
"jku": "https://key.service.com/keys.json"
}
JWK set URL example
And so on...
What is it for?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8572741/pasted-from-clipboard.png)
API token
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10902179/usb-157654_1280.png)
OAuth2
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8572759/pasted-from-clipboard.png)
OpenID Connect
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/7737370/pasted-from-clipboard.png)
"Stateless session"
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10902184/cart-148964_1280.png)
Custom use case
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10902208/feel-free-3566550_1280.png)
What about vulnerabilities?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8570866/pasted-from-clipboard.png)
Unsecured token
{
"alg": "none",
"typ": "JWT"
}
Header
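The unsecured header above, the "asymmetric to symmetric" switch, and the later advice ("Secret", "Don't accept everything", "Don't trust the header") all come down to one verifier design: the server decides the algorithm and the key, and the token is only allowed to name a `kid` that is looked up in the server's own JWK set (the key set, `kid` and `jku` examples from the key management section). An added example, not the deck's code and not the spomky-labs API: a stdlib-only HS256 verifier in that shape. `ALLOWED_ALGS`, `REMOTE_KEY_PARAMS`, `SERVER_JWKS`, `GOOD_KEY` and the helper names are constructed for this example; the `kid` and the 128-bit `k` value are copied from the deck's JWK slides, the latter to show it is too short for HS256 under RFC 7518 section 3.2.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

# Only what this server implements. The token never gets to choose.
ALLOWED_ALGS = {"HS256"}
# Header parameters that would let the token point at its own key material.
REMOTE_KEY_PARAMS = {"jku", "jwk", "x5u", "x5c"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# kid from the deck's key set example; the key itself is CONSTRUCTED (32 bytes).
GOOD_KID = "8771e475-3f88-42e9-86dc-6cc50436720d"
GOOD_KEY = b"0123456789abcdef0123456789abcdef"

# Server-side key set in JWK format (RFC 7517). The second entry reuses the
# 128-bit 'k' from the deck's A128KW example: fine for A128KW, too short for HS256.
SERVER_JWKS = {
    "keys": [
        {"kty": "oct", "alg": "HS256", "kid": GOOD_KID, "k": b64url_encode(GOOD_KEY)},
        {"kty": "oct", "alg": "HS256", "kid": "short-key", "k": "GawgguFyGrWKav7AX4VKUg"},
    ]
}


def load_hmac_key(jwks: dict, kid: str, alg: str) -> bytes:
    """Resolve kid -> key from OUR key set and refuse anything that does not fit."""
    for jwk in jwks["keys"]:
        if jwk.get("kid") != kid:
            continue
        if jwk.get("kty") != "oct" or jwk.get("alg") != alg:
            raise ValueError("key type/alg does not match the configured key")
        key = b64url_decode(jwk["k"])
        # RFC 7518 section 3.2: an HMAC key MUST be at least as long as the hash output.
        if len(key) < hashlib.sha256().digest_size:
            raise ValueError(f"HMAC key too short for {alg}: {len(key) * 8} bits")
        return key
    raise ValueError(f"unknown kid {kid!r}")


def issue_jws(header: dict, payload: dict, key: bytes) -> str:
    """Issuer side, for the demo: header.payload.HS256 signature."""
    def seg(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{seg(header)}.{seg(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jws(token: str, jwks: dict) -> dict:
    """Hardened verifier: returns the payload or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed token: three non-empty segments required")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))

    # 1. Don't trust the header: "none", a symmetric alg where we expect an
    #    asymmetric one (or vice versa), or anything we don't implement is
    #    rejected before any key is touched.
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    # 2. Don't accept everything: jku/jwk/x5u/x5c would let the sender supply
    #    the key that verifies its own token. Keys come from SERVER_JWKS only.
    remote = REMOTE_KEY_PARAMS.intersection(header)
    if remote:
        raise ValueError(f"key-location parameters not accepted: {sorted(remote)}")
    # 3. RFC 7515 section 4.1.11: a "crit" entry we do not understand means reject.
    if header.get("crit"):
        raise ValueError(f"unsupported critical parameters: {header['crit']}")
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise ValueError("kid is required to select a server-side key")
    key = load_hmac_key(jwks, kid, alg)

    # 4. Recompute over the exact bytes received and compare in constant time.
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_seg))


def verify_result(token: str, jwks: dict = SERVER_JWKS) -> Dict[str, Any]:
    """{'ok': True, 'payload': ...} or {'ok': False, 'error': ...}; ValueError
    covers bad base64, bad JSON and every check above."""
    try:
        return {"ok": True, "payload": verify_jws(token, jwks)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
```

Two things to notice: the algorithm check runs before the key lookup, so a header that says `none` or names a different algorithm family never reaches any cryptographic code, and the key-length check lives in the key loader, so a weak secret is caught as a configuration error rather than surviving because the MAC happens to match.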
Asymmetric to symmetric
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8570484/pasted-from-clipboard.png)
Brute force
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8546522/pasted-from-clipboard.png)
Modify encrypted data
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9413581/pasted-from-clipboard.png)
Substitution
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9413729/pasted-from-clipboard.png)
JWT paradox
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8609166/kisspng-penrose-triangle-penrose-stairs-impossible-object-optical-illusion-5b27022c6d9cd5.814463391529283116449.png)
Some advice
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8570860/pasted-from-clipboard.png)
Secret
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10902165/vault-5013752_1280.png)
Don't accept everything
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8596784/pasted-from-clipboard.png)
Validate claims
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8596803/pasted-from-clipboard.png)
Protect against injection
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/11069729/injection-1294131_1280.png)
Use a well-known library
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8596809/pasted-from-clipboard.png)
Don't trust the header
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10302985/warning-g376765460_640.png)
Choose asymmetric
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8596785/pasted-from-clipboard.png)
Don't fight for revocation
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8608317/pasted-from-clipboard.png)
About privacy
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8571854/pasted-from-clipboard.png)
JWS data is only encoded, not encrypted, so be careful
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8596789/pasted-from-clipboard.png)
Don't log JWT
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8596793/pasted-from-clipboard.png)
Put only required and sufficient data
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8596813/pasted-from-clipboard.png)
Which alternatives?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8571849/pasted-from-clipboard.png)
Macaroons
"Cookies with Contextual Caveats for Decentralized Authorization in the Cloud"
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8571836/pasted-from-clipboard.png)
(unofficial picture...)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8571777/pasted-from-clipboard.png)
CleverCloud/biscuit
"authentication and authorization token for microservices architectures"
paragonie/paseto
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8571804/pasted-from-clipboard.png)
Platform-Agnostic Security Tokens
It's the end!
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8571874/pasted-from-clipboard.png)
Let's summarize
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8608403/pasted-from-clipboard.png)
- JWT is a little part of JOSE
- JWS and JWE are JWT implementations
- JWT, JWS, JWE, JWA, JWK
- Be sure to use it securely!
https://slides.com/kpn13
Thank you
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10276786/projector-g81887176f_640.png)
@kpn13
https://blog.karimpinchon.com
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/7731154/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/9849002/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10276730/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/8546483/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/10276797/chat-g7b81cca6c_1280.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/11065627/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/11069791/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1434751/images/11069796/Bluesky_butterfly-logo.svg.png)
Do you really know JWT?
By Karim PINCHON