Slide 1
Slide 1 text
JSON Web Token
boot camp 2020
ryo.ito (@ritou)
Slide 2
Slide 2 text
͜ͷࢿྉ͕ΉGOAL
JSON Web TokenͱͲΜͳͷ͔Λཧղ͢Δ
৭ʑͳαʔϏεɺγεςϜͰΘΕ͍ͯΔJSON Web
SignatureͷΈʹ͍ͭͯཧղ͢Δ
Ϣʔεέʔεͱઃܭ/࣮ͷϙΠϯτΛཧ͠ɺۀͰ
҆શʹJWTΛѻ͑ΔΑ͏ʹͳΔ
Slide 3
Slide 3 text
JSON Web Token֓ཁ
Slide 4
Slide 4 text
3'$+40/8FC5PLFO +85
“JSON Web Token (JWT) is a compact, URL-
safe means of representing claims to be
transferred between two parties.”
Slide 5
Slide 5 text
JSON Web Tokenͱ
͍ΖΜͳσʔλ(ߏԽ͞ΕͨͷόΠφϦ·Ͱ)Λ
ෳͷαʔϏεɺγεςϜؒͰΓͱΓ͢ΔͨΊʹ
URLηʔϑͳจࣈྻʹΤϯίʔυ͢ΔΈ͘͠
Τϯίʔυ͞Εͨจࣈྻࣗମ͕JWTͱݺΕ͍ͯΔ
ॺ໊Λ͚ͭͨΓ(JSON Web Signature, JWS)ɺ҉߸
ԽͰ͖Δ(JSON Web Encryption, JWE)
Slide 6
Slide 6 text
JWTੜͷ͖͔͚ͬ
OpenIDϑΝϯσʔγϣϯʹΑΔOpenID Connectͷ༷
ࡦఆʹ߹ΘͤͯIETFͷJOSE WGʹ༷ͯࡦఆ։࢝
ϢʔβʔใɺೝূΠϕϯτใͷड͚͠ʹར༻
SAMLͰΘΕ͖ͯͨʮॊೈ͔ͭෳࡶͰ͋ΔXMLॺ໊ʯΑ
Γ༰қʹ࣮Ͱ͖ɺίϯύΫτʹදݱͰ͖ΔηΩϡϦ
ςΟτʔΫϯΛࢦͨ͠
ͦΕͰ·༷ͩͷҰ෦͔͠ΘΕ͍ͯͳ͍
Slide 7
Slide 7 text
Ϣʔεέʔε
ൃߦऀ/ड৴ऀʹ
୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴
ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ
Slide 8
Slide 8 text
Ϣʔεέʔε:
୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴
WebΞϓϦέʔγϣϯͷηογϣϯCookie
ϩάΠϯதͷϢʔβʔใΛ֨ೲ
HTTP Responseͱͯ͠ൃߦɺWebϒϥβ͕อ
࣋ɺHTTP Requestͱͯ͠ड৴
Slide 9
Slide 9 text
Ϣʔεέʔε:
୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴
WebΞϓϦέʔγϣϯͷCSRFରࡦτʔΫϯ
ηογϣϯʹඥͮ͘(ηογϣϯIDͷϋογϡͳ
Ͳ)Λ֨ೲ
HTMLϑΥʔϜʹࢦఆɺPOSTσʔλͱͯ͠ड৴
Slide 10
Slide 10 text
Ϣʔεέʔε:
ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ
Web APIΛར༻͢ΔࡍͷೝՄ༻τʔΫϯ
APIΞΫηεʹඞཁͳϢʔβʔใͳͲΛ֨ೲ
ೝূαʔόʔ͕ΫϥΠΞϯτʹൃߦɺAPIϦΫΤετ
ʹ༩ͯ͠APIαʔόʔ͕ड৴
Slide 11
Slide 11 text
Ϣʔεέʔε:
ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ
Web APIΛར༻͢Δࡍͷॺ໊͖ͭϦΫΤετ
3rdύʔςΟʔΞϓϦ͕ൃߦɺೝূαʔόʔ͕ड৴
ιʔγϟϧϩάΠϯʹ͓͚ΔϢʔβʔใͷୡ
ೝূαʔόʔ͕ൃߦɺ3rdύʔςΟʔΞϓϦ͕ड৴
Slide 12
Slide 12 text
ϝϦοτ/σϝϦοτ
ϝϦοτ
ॊೈͳσʔλߏΛΓͱΓՄೳ
ॺ໊ʹΑΔൃߦऀ/ड৴ऀͷݕূɺ༗ޮظݶ͚ͭΒΕΔ
σϝϦοτ
҉߸ԽͰͳ͍ͷͰதΛ͚Δ
֨ೲ͢ΔใʹΑͬͯσʔλαΠζ͕૿େ
Slide 13
Slide 13 text
ීٴ͍ͯ͠Δཧ༝
༷͕RFCԽ͞Ε͓ͯΓɺϥΠϒϥϦॆ࣮
ඪ४ԽϓϩτίϧͰͷ࠾༻࣮
ಠࣗͷॺ໊͖ͭΤϯίʔσΟϯά͔ΒͷҠߦͳͲ
ཱ֬͞ΕͨϕετϓϥΫςΟε
RFC8725 JSON Web Token BCP
Slide 14
Slide 14 text
JWT vs Cookie?
SPAͷจ຺ͰJWT = WebStorageʹτʔΫϯอଘ
+APIϦΫΤετͱ͍͏ղऍ͕͞Ε͍ͯΔ
ηογϣϯID + Cookieͱൺֱ͞ΕΔ͕JWT͋͘·
ͰΤϯίʔυํ๏ͳͷͰ͕·ͱ·Βͳ͍
แܕ vs ηογϣϯID͘͠จࣈྻ + HTTP
CookieͷଐੑͱͷൺֱͳͲཧ͕ඞཁ
Slide 15
Slide 15 text
JWT = εςʔτϨε?
JWT=εςʔτϨεͱ͍͏ݻఆ؍೦͍ͬͨͳ͍
ใΛแ “Ͱ͖Δ” ಛੑΛ͍࣋ͬͯΔ͕ɺͦΕʹࢀ
রͷͨΊͷΩʔΛ࣋ͬͯྑ͍
σʔλετΞͱͷΈ߹ΘͤΛߟྀ͢Δͱ෯͍
Ϣʔεέʔεʹద༻Մೳ
Slide 16
Slide 16 text
༷ղઆ
Slide 17
Slide 17 text
RFCs (7515 ~ 7519)
αʔϏεɺγεςϜؒͷΓͱΓʹඞཁͳϝλσʔλʁ ->
RFC7519 JSON Web Token
ॺ໊ؔ࿈(ੜɺݕূɺඞཁͳύϥϝʔλ) -> RFC7515 JSON
Web Signature
҉߸Խ -> RFC7516 JSON Web Encryption
҉߸Խॺ໊ͷͨΊͷ伴දݱ -> RFC7517 JSON Web Key
ΞϧΰϦζϜ -> RFC7518 JSON Web Algorithms
Slide 18
Slide 18 text
RFC7515 JSON Web Signature
Slide 19
Slide 19 text
ͱ͋Δจࣈྻ
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3Mi
OiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0d
HA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ
4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Slide 20
Slide 20 text
ࢲʹ͜͏ݟ͑·͢
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
.
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dH
A6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
.
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Slide 21
Slide 21 text
͜ͷจࣈྻͷਖ਼ମ
RFC7515 JSON Web Signature
JWS Compact Serialization : ୯Ұͷॺ໊Λ࣋ͭ
γϦΞϥΠζܗࣜ
ෳͷॺؚ໊͕ΊΒΕΔJWS JSON Serializationͱ
͍͏ͷ͋Δ͕ΘΕ͍ͯΔͷݟ͔͚ͳ͍
Slide 22
Slide 22 text
Header
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
.
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ
ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
.
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Encoded header
Slide 23
Slide 23 text
Header
Base64 URL Encode͞ΕͨJWS Header
{\"typ\":\"JWT\",\r\n \”alg\”:\”HS256\"}
JWSࣗମͷछྨॺ໊ʹؔ͢ΔύϥϝʔλΛؚΉ
{“͔Β࢝·Δ෦͕eyJͱͳΔ
Slide 24
Slide 24 text
Payload
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
.
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ
ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
.
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Encoded payload
Slide 25
Slide 25 text
Payload
Base64 URL Encode͞ΕͨJWS Payload
{\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http://
example.com/is_root\":true}
PayloadJSONʹݶΒͳ͍͕ɺJSONʹؚΉඪ४తͳΫ
ϨʔϜ(ύϥϝʔλ)ͷ͕ RFC7519 ʹͯఆٛ͞Ε͍ͯΔ
ൃߦऀɺड৴/ར༻ऀɺ༗ޮظݶͳͲ
Slide 26
Slide 26 text
Signature
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
.
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ
ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
.
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Encoded signature
Slide 27
Slide 27 text
Signature
Base64 URL Encode͞ΕͨJWS Signature
Encoded Header ͱ Encoded PayloadΛ࿈݁ͨ͠ͷ
ΛBase Stringͱͯ͠ར༻(໘ͳਖ਼نԽෆཁ)
͜ͷΛੜ͢ΔࡍͷΞϧΰϦζϜ͕RFC7518, 伴ද
ݱ͕RFC7517Ͱఆٛ͞Ε͍ͯΔ
Slide 28
Slide 28 text
RFC7519 JSON Web Token
Slide 29
Slide 29 text
JWTΫϨʔϜ
ʮ୭͕ൃߦʁ୭͕ར༻ʁ୭ͷσʔλΛදݱʁʯ
“jti” : JWTࣗମͷࣝผࢠ.ϦϓϨΠ߈ܸରࡦͳͲʹར༻.
“iss” : ൃߦऀͷࣝผࢠ.υϝΠϯαʔϏεࣝผࢠ.
“sub” : JWTͷओޠͱͳΔओମͷࣝผࢠ. ϢʔβʔͳͲ.
“aud” : JWTͷड৴ऀɺར༻ऀͷࣝผࢠ
Slide 30
Slide 30 text
JWTΫϨʔϜ
ʮ͍͔ͭΒ͍ͭ·Ͱ༗ޮʁ͍ͭൃߦ͞Εͨʁʯ
“iat” : ൃߦ࣌
“exp” : ༗ޮظݶ
“nbf” : ༗ޮظݶͷ։࢝࣌
Slide 31
Slide 31 text
JWTΫϨʔϜͷྫ (OIDC)
Slide 32
Slide 32 text
JWTΫϨʔϜ
શͯར༻ඞਢͰͳ͍ : ίϯςΩετʹΑͬͯબ
ϥΠϒϥϦʹΑͬͯݕূػೳΛ͍࣋ͬͯΔͷ
ݕূͷཻͳͲɺཁ݅Λຬ͔ͨ͢ͷ֬ೝඞཁ
Slide 33
Slide 33 text
RFC7518 JSON Web Algorithms
Slide 34
Slide 34 text
ॺ໊༻ΞϧΰϦζϜ
“none” : ॺ໊ͳ͠
“HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5
“PS256”, “PS384”, “PS512” : RSASSA-PSS
“ES256”, “ES384”, “ES512” : ECDSA
ϋογϡؔ + ڞ༗伴Ͱॺ໊Λੜ
ൃߦɺݕূ͕ಉҰͷ߹ͳͲͰར༻
Slide 35
Slide 35 text
ॺ໊༻ΞϧΰϦζϜ
“none” : ॺ໊ͳ͠
“HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5
“PS256”, “PS384”, “PS512” : RSASSA-PSS
“ES256”, “ES384”, “ES512” : ECDSA
RSAॺ໊
ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ
RS256͕Α͘ΘΕ͍ͯΔ͕…
Slide 36
Slide 36 text
ॺ໊༻ΞϧΰϦζϜ
“none” : ॺ໊ͳ͠
“HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5
“PS256”, “PS384”, “PS512” : RSASSA-PSS
“ES256”, “ES384”, “ES512” : ECDSA
ପԁۂઢॺ໊
ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ
࠷ۙͷϓϩτίϧͰESܥ͕ਓؾ
Slide 37
Slide 37 text
ΞϧΰϦζϜͷ͍͚
ൃߦ/ड৴͕ಉҰ : HSXXX
ڞ༗ൿີ伴Λ҆શʹཧ͢Δ
ൃߦ/ड৴͕ผ : RSXXX, PSXXX, ESXXX
ൃߦଆ͕ड৴ଆʹެ։伴Λ͢
߹ʹΑ͓ͬͯޓ͍ʹެ։伴Λ͠߹͏
Slide 38
Slide 38 text
RFC7517 JSON Web Key
Slide 39
Slide 39 text
伴ʹؔ͢Δ༷
伴ͷදݱ
伴ϖΞ(ެ։伴ɺൿີ伴)ɺରশ伴
伴ͷηοτͷදݱ
ϩʔςʔγϣϯ
αϙʔτ͢ΔΞϧΰϦζϜͷมߋ
Slide 40
Slide 40 text
伴දݱͷͨΊͷύϥϝʔλ
“kty” : 伴ͷछྨ “RSA”, “EC”, “oct”
“use” : “sig”
“key_ops” : “sign”, “verify”
“alg” : “RS256”, … , “PS256”, … , “ES256”, …
“kid” : 伴ͷࣝผࢠ
“x5u”, “x5c”, “x5t”, “x5t#s256” : X.509ূ໌ॻؔ࿈
Slide 41
Slide 41 text
伴ͷදݱ : ରশ伴
Slide 42
Slide 42 text
伴ͷදݱ : ൿີ伴(RSA)
Slide 43
Slide 43 text
伴ͷදݱ : ެ։伴(RSA)
Slide 44
Slide 44 text
伴ͷදݱ : ެ։伴(ପԁۂઢ)
Slide 45
Slide 45 text
伴ηοτͷදݱ (Google)
Slide 46
Slide 46 text
Ϣʔεέʔε
༗ޮͳެ։伴ใΛެ։
jwks_url : JSON ܗࣜͰ伴ใͷηοτΛฦ͢
ઃఆϑΝΠϧͰͷอ࣋
ൿີ伴
Slide 47
Slide 47 text
JWT(JWS)࣮ͷϙΠϯτ
Slide 48
Slide 48 text
RFC8725
JSON Web Token BCP
https://qiita.com/ritou/items/71e58fbc0c5605ec61cb
Slide 49
Slide 49 text
JSON Web SignatureΛ؆୯͔ͭ҆શʹ
͏ͨΊͷkid/typύϥϝʔλͷ͍ํ
https://ritou.hatenablog.com/entry/2020/03/31/142550
Slide 50
Slide 50 text
JWT(JWS)Λ҆શʹ͏ͨΊ
ͷϙΠϯτ
PayloadʹؚΉใΛΑ͘ݕ౼͢Δ
ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏
ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ
తʹݕূ͢Δ
Slide 51
Slide 51 text
JWT(JWS)Λ҆શʹ͏ͨΊ
ͷϙΠϯτ
PayloadʹؚΉใΛΑ͘ݕ౼͢Δ(Ϣʔεέʔεґଘ)
ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏(ϥΠϒϥϦΛར༻)
ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ
తʹݕূ͢Δ
Slide 52
Slide 52 text
PayloadʹؚΉใΛΑ͘ݕ
౼͢Δ
ࣗॗ
Slide 53
Slide 53 text
ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏
ॺ໊ݕূ࣌ͷΞϧΰϦζϜͷΛͲ͔͜ΒҾ͔͘
HeaderͷalgύϥϝʔλͷΛૉʹ͏ͱ߈ܸΛड͚ΔڪΕ
noneʹมߋ͞ΕͯεΩοϓ͞ΕͨΓ
RS256 -> HS256 Ͱެ։伴ͷϋογϡΛࢦఆ͞ΕͨΓ
ཧ͍ͯ͠Δ伴ʹඥͮ͘Λར༻͠ɺHeaderͷͦͷͱ
ͷൺֱʹཹΊΔ
Slide 54
Slide 54 text
༻్ͱॺ໊ݕূʹ
༻్ͷදݱͱࢦఆ
ॺ໊ੜɺݕূ༻ͷ伴ͷཧ
্هͷݕূ
Slide 55
Slide 55 text
༻్ͷදݱͱࢦఆ
͑Δύϥϝʔλෳ͋Δ
Header
“typ” ύϥϝʔλ (ྫ: “secevent+jwt”) ɿ伴ཧͱ
“kid” ύϥϝʔλ : ༻్͝ͱʹ伴ࣗମΛ͚Δ
Payload
ಠࣗΫϨʔϜ : “usage” ͳͲ
Slide 56
Slide 56 text
༻్ͷදݱͱࢦఆ
ͲΕΛ͏͔ॊೈʹஅ͖͢
ػೳ୯ҐͰ伴Λ͚ΒΕΔ : Header “kid”
伴पΓ͍͡Εͳ͍͕Header͍͡ΕΔ : Header “typ”
伴पΓHeader͍͡Εͳ͍ : ಠࣗΫϨʔϜ
Slide 57
Slide 57 text
“kid” Λ༻͍ͨ༻్ͷཧ
༻్͝ͱʹ伴ϦετΛΘ͚ɺॺ໊ݕূ࣌ʹར༻
ॺ໊ݕূͱ༻్ͷݕূΛ݉ͶΔ
ਓ͕ؒΘ͔Γ͍͢Α͏ʹ “(༻్) + (ϥϯμϜͳจࣈ
ྻͱ͔ͱ͔)” ͱ͍͏idʹ͢Δ
Slide 58
Slide 58 text
“typ” Λ༻͍ͨ༻్ͷཧ
ॺ໊ݕূલʹఆͰ͖Δ
ϥΠϒϥϦʹΑͬͯࢦఆͰ͖ͳ͍ɺࢦఆͰ͖ͯࣗ
ಈͰݕূͰ͖ͳ͍ͷ͋ΔͷͰҙ
Slide 59
Slide 59 text
ಠࣗΫϨʔϜͷར༻
ॺ໊ݕূޙͷఆͱͳΔ
ࢦఆɺݕূͱʹಠࣗͷ࣮ͱͳΔ
Slide 60
Slide 60 text
JWSੜɺݕূσϞʢΔ࣌ؒͳͦ͞͏ʣ
Slide 61
Slide 61 text
త
ॺ໊͖ͭͷJSON Web Token(JSON Web Signature)ͷ
ॺ໊ੜ/ݕূΛମݧ
࣮ͰϥΠϒϥϦΛ͏͜ͱΛ͓קΊ͠·͢ɻ
Slide 62
Slide 62 text
ඞཁͳػೳ
͜ΕΒͷػೳ͕ඞཁͰ͢ɻϓϩάϥϛϯάݴޠʹΑͬͯ
ྻͷॲཧͳͲɺຊઆ໌ͱҟͳΔ݁ՌͱͳΔ߹͋
Γ·͢ɻ
Base64 URL Encode / Decode (Paddingͳ͠)
JSON Encode / Decode
HMAC-SHA256
Slide 63
Slide 63 text
JWTੜͷྲྀΕ
1. HeaderΛੜ
2. PayloadΛੜ
3. SignatureΛੜ
4. ࿈݁ͯ͠
Slide 64
Slide 64 text
(1) Header
ར༻͢ΔHeaderύϥϝʔλ
“typ” : “handson+JWT” # ϋϯζΦϯ༻ʹಠࣗఆٛ
“alg” : “HS256” # HMAC-SHA256 ར༻Λએݴ
“kid” : “handson01” # 伴ཧΛҙࣝ͢ΔͨΊʹར༻
Slide 65
Slide 65 text
(1) Header
1. JSON Encode
“{\"alg\":\"HS256\",\"kid\":\"handson01\",\"typ\":
\"handson+JWT\"}”
2. Base64 URL Encode
“eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI
sInR5cCI6ImhhbmRzb24rSldUIn0”
Slide 66
Slide 66 text
(2) Payload
ૹΓ͍ͨσʔλ
“Foo”:”Bar”
“Hoge”:”Fuga”
Slide 67
Slide 67 text
(2) Payload
1. JSON Encode
"{\"Foo\":\"Bar\",\"Hoge\":\"Fuga\"}"
2. Base64 URL Encode
“eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9"
Slide 68
Slide 68 text
(3) Signature
1. Header, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞
“eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI
sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi
LCJIb2dlIjoiRnVnYSJ9”
Slide 69
Slide 69 text
(3) Signature
2. Base StringΛHMAC-SHA256ͨ͠ΛBase64 URL
Encode
伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON”
“Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc
VM”
Slide 70
Slide 70 text
(4)
Base StringͱSignatureͷΛ“.”Ͱ࿈݁͢Δͱ
“eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI
sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi
LCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTV
MwH6iaLoOpxEZf3KcVM”
Slide 71
Slide 71 text
JWTݕূͷྲྀΕ
1. HeaderΛݕূ
2. SignatureΛݕূ
3. (PayloadΛݕূ)
Slide 72
Slide 72 text
(1) Header
Base64 URL Decode & JSON Decodeͨ݁͠ՌΛݕূ
“typ” : “handson+JWT” # ظ͢ΔͱҰக͢Δ?
“kid” : “handson01” # αϙʔτ͍ͯ͠Δ伴?
“alg” : “HS256” # kidʹඥͮ͘伴ͱΞϧΰϦζϜ͕Ұ
க͢Δ?
Slide 73
Slide 73 text
(2) Signature
ੜͱಉ༷ʹHeader, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base
StringΛ࡞
“eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI
sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi
LCJIb2dlIjoiRnVnYSJ9”
Slide 74
Slide 74 text
(2) Signature
2. Headerʹࢦఆ͞Εͨkidʹඥͮ͘伴ͰɺBase StringΛ
HMAC-SHA256ͨ͠ΛBase64 URL Encodeͯ͠ൺֱ
伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON”
“Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc
VM”
※ެ։伴҉߸Λར༻͢Δ߹ॺ໊ݕূ༻ͷؔΛར༻
Slide 75
Slide 75 text
(3) Payload
ॺ໊ݕূ͕ऴΘͬͨޙʹඞཁͳΒPayloadΛݕূ
(ࠓճRFC7519Ͱఆٛ͞Ε͍ͯΔiss, aud, expͳͲͷΫ
ϨʔϜΛؚΜͰ͍ͳ͍ͨΊݕূෆཁ)
Slide 76
Slide 76 text
https://jwt.io/ ͰݕূՄೳ