JWTとは - Speaker Deck

Slide 1

Slide 1 text

JWTʹ͍ͭͯ

Slide 2

Slide 2 text

1. JWTͱ͸ 2. JWTͷத਎ 3. JWTΛ࢖͏ͱԿ͕خ͍͔͠ 4. JWTͷ஫ҙ఺ ໨࣍

Slide 3

Slide 3 text

1. JWTͱ͸ Json Web Token ͷུɻ RFC7519 Ͱఆٛ͞Ε͍ͯΔٕज़Ͱɺ RFC7515 JWS (Json Web Signature) ͷ࢓༷ʹԊͬͯɺpayload෦෼ΛJSONܗࣜʹͯ͠ +α ͨ͠΋ͷɻ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva G4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. S f lKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQs sw5c ϔομʔ ϖΠϩʔυ ॺ໊ { "alg": "HS256", "typ": "JWT" } { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), your-256-bit-secret ) JSON BASE JWT

Slide 4

Slide 4 text

1. JWTͱ͸ POST /user/login {email, password} Ϣʔβʔೝূޙʹ ηογϣϯ৘ใΛอଘ ηογϣϯIDΛCookieͱͯ͠ฦ͢ ϦΫΤετΛηογϣϯIDͱͱ΋ʹૹΔ ૹΒΕ͖ͯͨηογϣϯIDͱ อଘͨ͠ηογϣϯIDͰݕূ Ϩεϙϯε Sessionํࣜ

Slide 5

Slide 5 text

1. JWTͱ͸ POST /user/login {email, password} ൿີ伴Λ࢖ͬͯ JWTΛੜ੒ JWTΛϨεϙϯεͱͯ͠ฦ͢ ϦΫΤετΛJWTͱͱ΋ʹૹΔ JWTͷத਎Λݕূ JWT͔ΒϢʔβʔ৘ใΛऔಘ Ϩεϙϯε JWTํࣜ

Slide 6

Slide 6 text

1. JWTͱ͸ POST /user/login {email, password} Secret keyΛ࢖ͬͯ JWTΛੜ੒ JWTΛϨεϙϯεͱͯ͠ฦ͢ ϦΫΤετΛJWTͱͱ΋ʹૹΔ JWTͷத਎Λݕূ JWT͔ΒϢʔβʔ৘ใΛऔಘ Ϩεϙϯε JWTํࣜ POST /user/login {email, password} Ϣʔβʔೝূޙʹ ηογϣϯ৘ใΛอଘ ηογϣϯIDΛCookieͱͯ͠ฦ͢ ϦΫΤετΛηογϣϯIDͱͱ΋ʹૹΔ ૹΒΕ͖ͯͨ ηογϣϯIDͱอଘͨ͠ ηογϣϯIDͰݕূ Ϩεϙϯε Sessionํࣜ ೋͭͷେ͖ͳҧ͍͸ɺτʔΫϯΛอଘ͢Δ৔ॴɻ ηογϣϯํࣜ͸αʔόʔʹɺ JWTํࣜ͸ϒϥ΢βʹอଘ͢Δɻ

Slide 7

Slide 7 text

2. JWTͷத਎

Slide 8

Slide 8 text

3. JWTΛ࢖͏ͱԿ͕خ͍͔͠ ServerA ServerC ServerB

Slide 9

Slide 9 text

4. JWTͷ஫ҙ఺ ϢʔβʔͷೳಈతͳϩάΞ΢τʹΑΔτʔΫϯͷ؅ཧ A UserAHeader. UserAPayload. UserASignature UserAHeader. UserAPayload. UserASignature ࿙Ӯ OK OK ʻϩάΞ΢τϘλϯԡԼʼ B