Do you really

know JWT?

About me

Karim Pinchon

  •    Backend developer
  •    @kpn13
  •    https://blog.karimpinchon.com
  •    https://slides.com/kpn13

Some

basics

Token

What is a token?

  • string
  • authentication
  • authorization
  • ...

What does it look like?

What is it for?

JSON Web Token

https://jwt.io/

A simple string?

Reference

Value

JSON Web Token

"JOT"

The suggested pronunciation of JWT is the same as the English word "jot".

RFC 7519

Cryptography

What is cryptography?

  • confidentiality
  • authenticity
  • integrity
  • non repudiation
  • ...

Digital signature

  • integrity
  • authenticity
  • non-repudiation

Encryption

  • confidentiality

Hash

  • integrity

MAC / HMAC

  • integrity
  • authenticity

Encoding

  • character registry

What does it look like?

jwt.io

token.dev

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkFGVVBEYXkgTGlsbGUvUmVubmVzIDIwMjEiLCJleHAiOjE2MjIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU

JSON Web Token (JWT)

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkFGVVBEYXkgTGlsbGUvUmVubmVzIDIwMjEiLCJleHAiOjE2MjIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU

JSON Web Token (JWT)

{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "iss": "my server",
  "sub": "1234567890",
  "name": "Karim PINCHON",
  "iat": 1619862475,
  "aud": "Voxxed Days CERN 2024",
  "exp": 1622246399,
  "jti": "7a365dd0-7bc7-4894-bb09-771ea152cc55"
}

HMACSHA256(
  base64UrlEncode(      ) + "." +
  base64UrlEncode(payload),
  MY_SECRET)

header

payload

.

.

header

signature

{
  "payload":"ewogICJpc3MiOiAibXkgc2VydmVyIiwKICAic3ViIjogIjEyMzQ1Njc4OTAiLAogICJuYW1lIjogIkthcmltIFBJTkNIT04iLAogICJpYXQiOiAxNjE5ODYyNDc1LAogICJhdWQiOiAiQUZVUERheSBMaWxsZS9SZW5uZXMgMjAyMSIsCiAgImV4cCI6IDE2MjIyNDYzOTksCiAgImp0aSI6ICI3YTM2NWRkMC03YmM3LTQ4OTQtYmIwOS03NzFlYTE1MmNjNTUiCn0K",
  "protected":"eyJhbGciOiJSUzI1NiJ9",
  "signature":"ZbJXgzuYVCQCqoUxa5OtWRqmsl2S3Pe-29P19KacZgXlymwi-G-w6n-dnZObTPbheJbnlbptvv8yWO_pEqnohZZXH_c7Sd5sEm5k58-6GqG1FE13Q2CmWA44V91YbHA0rpMhiA1GNxVHIdNpW9wNkzEM3aqbJ9sdhix2RsbS3ofBWQdyaFSDrazWWCAK17ghI5KlUK_KQWNlXDZd8dn7VMNGBRuA5N4erfftG6i-OtFODYR_R1Eb0ltGBYOZamLOxtwR8PR40vjLGtQwJdp8CxdKXKHvrzahRA6k3YRYT2U8dzCsDPYFuzUAZgiSZ5JEG5favYWQsiyg84wF35jIdA"
}

JSON serialization format

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkRldmZlc3QgU3RvY2tob2xtIDIwMjMiLCJleHAiOjE3NDIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.

Unsecured token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU

Detached payload token

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0..

Unsecured token with detached payload

Focus on the header

{
  "typ":"JWT",
  "alg":"HS256",
  "jku":"https://key.service.com/keys.json",
  "jwk":"...",
  "kid":"ebb58a6d-0c84-4b5e-aac3-f5edc600cd77",
  "x5u":"https://key.service.com/keys.pem",
  "x5c":"...",
  "x5t":"bcb0923eacb242cf0e69e626cd7ca2fc3426fae0",
  "x5t#S256":"dbb821587583647e905b94764c86e",
  "cty":"jwk+json",
  "crit":["exp"]
}

Header

Focus on

the payload

"Registered claims"

{
  "iss":"token issuer",
  "aud":"token audience",
  "sub":"token subject",
  "iat":"token issued date",
  "nbf":"token not valid before",
  "exp":"token expiration date",
  "jti":"token unique identifier"
}

"Public claims"

https://www.iana.org/assignments/jwt/jwt.xhtml

"Private claims"

JOSE

JOSE

Javascript Object Signing and Encryption

JSON Web Token

  • RFC 7519
  • "claims" between 2 parts

JSON Web Signature

  • RFC 7515
  • signed token

JSON Web Encryption

  • RFC 7516
  • encrypted token

JSON Web Algorithms

  • RFC 7518
  • algorithms

JSON Web Key

  • RFC 7517
  • keys

Take a look at

JWE

JSON Web Encryption (JWE)

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.uWmje_-Y3GF2nzjLzPopD17yHB7WBDrQgPeE011dhep40Hg4sE6-ZbqBgc4K4cwfbsXU-ZwTY5b6RiHa8clNtZZW2_Qm1Mbu8jcXs-84OrL9n9t7CgdTBd1lGp8e5j6bAxBJTjwdOWO6Cz492DVAxxNNMyuV0UIJsgEUo8b5IpLD4j2VvOgE_V8FSMuifEsq13OKORjfQ2wApIZDw1QAhXQ9GLx08Nl-0umEcaiXH8f36Pqvt4dRwK6tSIgSMht3qAXNCtBBFQS8fyffu1KyZ8_11gWlQdeisPhKbDGEDBNd2SAN2-lQxrcCBmyJ3oD0PCeS3sV8fvoM4eFRfzYhpg.lI2L7mB4nXr4Lnsk.pkdYMTeQUjmBd5kGUnLL72n4ztIQaotAsy1MQj7180sMkGzNwq9n8mI-1bhpavxgAczRhGfKXSmHfHsF3curt10ClMZOsHOJ8sP93lura_5pU7ZYB0V2stupb6a8IiWWYOdASpjtsKr0VpKRO_AuiaRGC1WZdlhWHnptIP78bkG2P7hV57ht3W-upjIErnRtEY29Vt7ddu-r983l8MLw2-8-jb31LxgJYS2Zkr7eDB-UmI5xygsEHLH_pdqOKqxJhO3U3LkWBlt7a1sH.SzRYiT21_Lv7ae8xxmmfRg

Compact serialization format

JSON Web Encryption (JWE)

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.uWmje_-Y3GF2nzjLzPopD17yHB7WBDrQgPeE011dhep40Hg4sE6-ZbqBgc4K4cwfbsXU-ZwTY5b6RiHa8clNtZZW2_Qm1Mbu8jcXs-84OrL9n9t7CgdTBd1lGp8e5j6bAxBJTjwdOWO6Cz492DVAxxNNMyuV0UIJsgEUo8b5IpLD4j2VvOgE_V8FSMuifEsq13OKORjfQ2wApIZDw1QAhXQ9GLx08Nl-0umEcaiXH8f36Pqvt4dRwK6tSIgSMht3qAXNCtBBFQS8fyffu1KyZ8_11gWlQdeisPhKbDGEDBNd2SAN2-lQxrcCBmyJ3oD0PCeS3sV8fvoM4eFRfzYhpg.lI2L7mB4nXr4Lnsk.pkdYMTeQUjmBd5kGUnLL72n4ztIQaotAsy1MQj7180sMkGzNwq9n8mI-1bhpavxgAczRhGfKXSmHfHsF3curt10ClMZOsHOJ8sP93lura_5pU7ZYB0V2stupb6a8IiWWYOdASpjtsKr0VpKRO_AuiaRGC1WZdlhWHnptIP78bkG2P7hV57ht3W-upjIErnRtEY29Vt7ddu-r983l8MLw2-8-jb31LxgJYS2Zkr7eDB-UmI5xygsEHLH_pdqOKqxJhO3U3LkWBlt7a1sH.SzRYiT21_Lv7ae8xxmmfRg

Compact serialization format

JSON Web Encryption (JWE)

Compact serialization format

BASE64URL(UTF8(JWE Protected Header)).
BASE64URL(JWE Encrypted Key).
BASE64URL(JWE Initialization Vector).
BASE64URL(JWE Ciphertext).
BASE64URL(JWE Authentication Tag)
{
   "protected":"eyJhbGciOiJS...hHQ00ifQ",
   "encrypted_key":"uWmjefvoM4eFRfzYhpg",
   "iv":"lI2L7mB4nXr4Lnsk",
   "ciphertext":"pkdYMTeQUjm...a1sH",
   "tag":"SzRYiT21_Lv7ae8xxmmfRg"
}

JSON Web Encryption (JWE)

JSON serialization format

JSON Web Encryption (JWE)

Nested token

First sign, then encrypt

JSON Web Encryption (JWE)

What PHP implementation?

JSON Web Encryption (JWE)

https://web-token.spomky-labs.com/

And so one...

Key management

JSON Web Key

{
  "alg":"A128KW",
  "kty":"oct",
  "k":"GawgguFyGrWKav7AX4VKUg"
}

Symmetric key representation example

JSON Web Key

{
  "keys":
  [
    {
      "kty":"oct",
      "alg":"A128KW",
      "k":"GawgguFyGrWKav7AX4VKUg"
    },
    {
      "kty":"oct",
      "k":"AyM1SysPpbyDfgCAow",
      "kid":"8771e475-3f88-42e9-86dc-6cc50436720d"
    }
  ]
}

Symmetric key set representation example

{
    "alg": "HS256",
    "type": "JWT",
    "kid": "6d3db68d-5867-458d-921b-1c2426ef78b4"
}

Key id use case example

JSON Web Key

JSON Web Key

{
  "alg": "RS256",
  "x5u": "https://key.service.com/key.pem"
}

X509 certificate example

JSON Web Key

{
    "alg": "HS256",
    "type": "JWT",
    "kid": "6d3db68d-5867-458d-921b-1c2426ef78b4",
    "jku": "https://key.service.com/keys.json"
}

JWK set URL example

And so one...

What it's for?

API token

OAuth2

OpenID Connect

"Stateless session"

Custom usecase

What

about vulnerabilities?

Unsecured token

{
    "alg": "none",
    "type": "JWT"
}

Header

Asymmetric to symmetric

Brute force

Modify encrypted data

Substitution

JWT paradox

Some advices

Secret

Don't accept everything

Validate

claims

Protect against injection

Use wellknown library

Don't trust the header

Choose asymmetric

Don't fight for revocation

About

privacy

JWS data are clear, so be careful

Don't log JWT

Put only required and sufficient data

Which alternatives?

Macaroons

"Cookies with Contextual Caveats for Decentralized Authorization in the Cloud"

(unofficial picture...)

CleverCloud/biscuit

"authentication and authorization token for microservices architectures"

paragonie/paseto

Platform-Agnostic Security Tokens

It's the end!

Let's summarize

  •    JWT is a little part of JOSE
  •    JWS and JWE are JWT implementations
  •    JWT, JWS, JWE, JWA, JWK
  •    Be sure to use it securely!

https://slides.com/kpn13

Thank you

   @kpn13

   https://blog.karimpinchon.com

Do you really know JWT?

By Karim PINCHON

Do you really know JWT?

  • 198