What does it look like?
https://jwt.io/
Reference
Value
"JOT"
The suggested pronunciation of JWT is the same as the English word "jot".
RFC 7519
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkFGVVBEYXkgTGlsbGUvUmVubmVzIDIwMjEiLCJleHAiOjE2MjIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkFGVVBEYXkgTGlsbGUvUmVubmVzIDIwMjEiLCJleHAiOjE2MjIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU
{
"alg": "HS256",
"typ": "JWT"
}
{
"iss": "my server",
"sub": "1234567890",
"name": "Karim PINCHON",
"iat": 1619862475,
"aud": "Voxxed Days CERN 2024",
"exp": 1622246399,
"jti": "7a365dd0-7bc7-4894-bb09-771ea152cc55"
}
HMACSHA256( base64UrlEncode( ) + "." + base64UrlEncode(payload), MY_SECRET)
header
payload
.
.
header
signature
{
"payload":"ewogICJpc3MiOiAibXkgc2VydmVyIiwKICAic3ViIjogIjEyMzQ1Njc4OTAiLAogICJuYW1lIjogIkthcmltIFBJTkNIT04iLAogICJpYXQiOiAxNjE5ODYyNDc1LAogICJhdWQiOiAiQUZVUERheSBMaWxsZS9SZW5uZXMgMjAyMSIsCiAgImV4cCI6IDE2MjIyNDYzOTksCiAgImp0aSI6ICI3YTM2NWRkMC03YmM3LTQ4OTQtYmIwOS03NzFlYTE1MmNjNTUiCn0K",
"protected":"eyJhbGciOiJSUzI1NiJ9",
"signature":"ZbJXgzuYVCQCqoUxa5OtWRqmsl2S3Pe-29P19KacZgXlymwi-G-w6n-dnZObTPbheJbnlbptvv8yWO_pEqnohZZXH_c7Sd5sEm5k58-6GqG1FE13Q2CmWA44V91YbHA0rpMhiA1GNxVHIdNpW9wNkzEM3aqbJ9sdhix2RsbS3ofBWQdyaFSDrazWWCAK17ghI5KlUK_KQWNlXDZd8dn7VMNGBRuA5N4erfftG6i-OtFODYR_R1Eb0ltGBYOZamLOxtwR8PR40vjLGtQwJdp8CxdKXKHvrzahRA6k3YRYT2U8dzCsDPYFuzUAZgiSZ5JEG5favYWQsiyg84wF35jIdA"
}
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJteSBzZXJ2ZXIiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkthcmltIFBJTkNIT04iLCJpYXQiOjE2MTk4NjI0NzUsImF1ZCI6IkRldmZlc3QgU3RvY2tob2xtIDIwMjMiLCJleHAiOjE3NDIyNDYzOTksImp0aSI6IjdhMzY1ZGQwLTdiYzctNDg5NC1iYjA5LTc3MWVhMTUyY2M1NSJ9.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..KqQZVQdyxIv70mc2U2f78g41IVr94GHU_JM7LYBMxqU
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0..
{
"typ":"JWT",
"alg":"HS256",
"jku":"https://key.service.com/keys.json",
"jwk":"...",
"kid":"ebb58a6d-0c84-4b5e-aac3-f5edc600cd77",
"x5u":"https://key.service.com/keys.pem",
"x5c":"...",
"x5t":"bcb0923eacb242cf0e69e626cd7ca2fc3426fae0",
"x5t#S256":"dbb821587583647e905b94764c86e",
"cty":"jwk+json",
"crit":["exp"]
}
{
"iss":"token issuer",
"aud":"token audience",
"sub":"token subject",
"iat":"token issued date",
"nbf":"token not valid before",
"exp":"token expiration date",
"jti":"token unique identifier"
}
https://www.iana.org/assignments/jwt/jwt.xhtml
eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.uWmje_-Y3GF2nzjLzPopD17yHB7WBDrQgPeE011dhep40Hg4sE6-ZbqBgc4K4cwfbsXU-ZwTY5b6RiHa8clNtZZW2_Qm1Mbu8jcXs-84OrL9n9t7CgdTBd1lGp8e5j6bAxBJTjwdOWO6Cz492DVAxxNNMyuV0UIJsgEUo8b5IpLD4j2VvOgE_V8FSMuifEsq13OKORjfQ2wApIZDw1QAhXQ9GLx08Nl-0umEcaiXH8f36Pqvt4dRwK6tSIgSMht3qAXNCtBBFQS8fyffu1KyZ8_11gWlQdeisPhKbDGEDBNd2SAN2-lQxrcCBmyJ3oD0PCeS3sV8fvoM4eFRfzYhpg.lI2L7mB4nXr4Lnsk.pkdYMTeQUjmBd5kGUnLL72n4ztIQaotAsy1MQj7180sMkGzNwq9n8mI-1bhpavxgAczRhGfKXSmHfHsF3curt10ClMZOsHOJ8sP93lura_5pU7ZYB0V2stupb6a8IiWWYOdASpjtsKr0VpKRO_AuiaRGC1WZdlhWHnptIP78bkG2P7hV57ht3W-upjIErnRtEY29Vt7ddu-r983l8MLw2-8-jb31LxgJYS2Zkr7eDB-UmI5xygsEHLH_pdqOKqxJhO3U3LkWBlt7a1sH.SzRYiT21_Lv7ae8xxmmfRg
Compact serialization format
eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.uWmje_-Y3GF2nzjLzPopD17yHB7WBDrQgPeE011dhep40Hg4sE6-ZbqBgc4K4cwfbsXU-ZwTY5b6RiHa8clNtZZW2_Qm1Mbu8jcXs-84OrL9n9t7CgdTBd1lGp8e5j6bAxBJTjwdOWO6Cz492DVAxxNNMyuV0UIJsgEUo8b5IpLD4j2VvOgE_V8FSMuifEsq13OKORjfQ2wApIZDw1QAhXQ9GLx08Nl-0umEcaiXH8f36Pqvt4dRwK6tSIgSMht3qAXNCtBBFQS8fyffu1KyZ8_11gWlQdeisPhKbDGEDBNd2SAN2-lQxrcCBmyJ3oD0PCeS3sV8fvoM4eFRfzYhpg.lI2L7mB4nXr4Lnsk.pkdYMTeQUjmBd5kGUnLL72n4ztIQaotAsy1MQj7180sMkGzNwq9n8mI-1bhpavxgAczRhGfKXSmHfHsF3curt10ClMZOsHOJ8sP93lura_5pU7ZYB0V2stupb6a8IiWWYOdASpjtsKr0VpKRO_AuiaRGC1WZdlhWHnptIP78bkG2P7hV57ht3W-upjIErnRtEY29Vt7ddu-r983l8MLw2-8-jb31LxgJYS2Zkr7eDB-UmI5xygsEHLH_pdqOKqxJhO3U3LkWBlt7a1sH.SzRYiT21_Lv7ae8xxmmfRg
Compact serialization format
Compact serialization format
BASE64URL(UTF8(JWE Protected Header)). BASE64URL(JWE Encrypted Key). BASE64URL(JWE Initialization Vector). BASE64URL(JWE Ciphertext). BASE64URL(JWE Authentication Tag)
{
"protected":"eyJhbGciOiJS...hHQ00ifQ",
"encrypted_key":"uWmjefvoM4eFRfzYhpg",
"iv":"lI2L7mB4nXr4Lnsk",
"ciphertext":"pkdYMTeQUjm...a1sH",
"tag":"SzRYiT21_Lv7ae8xxmmfRg"
}
JSON serialization format
Nested token
First sign, then encrypt
What PHP implementation?
https://web-token.spomky-labs.com/
{
"alg":"A128KW",
"kty":"oct",
"k":"GawgguFyGrWKav7AX4VKUg"
}
Symmetric key representation example
{
"keys":
[
{
"kty":"oct",
"alg":"A128KW",
"k":"GawgguFyGrWKav7AX4VKUg"
},
{
"kty":"oct",
"k":"AyM1SysPpbyDfgCAow",
"kid":"8771e475-3f88-42e9-86dc-6cc50436720d"
}
]
}
Symmetric key set representation example
{
"alg": "HS256",
"type": "JWT",
"kid": "6d3db68d-5867-458d-921b-1c2426ef78b4"
}
Key id use case example
{
"alg": "RS256",
"x5u": "https://key.service.com/key.pem"
}
X509 certificate example
{
"alg": "HS256",
"type": "JWT",
"kid": "6d3db68d-5867-458d-921b-1c2426ef78b4",
"jku": "https://key.service.com/keys.json"
}
JWK set URL example
{
"alg": "none",
"type": "JWT"
}
Header
Secret
(unofficial picture...)
https://slides.com/kpn13
@kpn13
https://blog.karimpinchon.com