Slide 1

Slide 1 text

JSON Web Token boot camp 2020 ryo.ito (@ritou)  

Slide 2

Slide 2 text

͜ͷࢿྉ͕๬ΉGOAL JSON Web Tokenͱ͸ͲΜͳ΋ͷ͔Λཧղ͢Δ ৭ʑͳαʔϏεɺγεςϜͰ࢖ΘΕ͍ͯΔJSON Web Signatureͷ࢓૊Έʹ͍ͭͯཧղ͢Δ Ϣʔεέʔεͱઃܭ/࣮૷ͷϙΠϯτΛ੔ཧ͠ɺۀ຿Ͱ ΋҆શʹJWTΛѻ͑ΔΑ͏ʹͳΔ  

Slide 3

Slide 3 text

JSON Web Token֓ཁ  

Slide 4

Slide 4 text

3'$+40/8FC5PLFO +85 “JSON Web Token (JWT) is a compact, URL- safe means of representing claims to be transferred between two parties.”  

Slide 5

Slide 5 text

JSON Web Tokenͱ͸ ͍ΖΜͳσʔλ(ߏ଄Խ͞Εͨ΋ͷ΍όΠφϦ·Ͱ)Λ ෳ਺ͷαʔϏεɺγεςϜؒͰ΍ΓͱΓ͢ΔͨΊʹ URLηʔϑͳจࣈྻʹΤϯίʔυ͢Δ࢓૊Έ΋͘͠͸ Τϯίʔυ͞Εͨจࣈྻࣗମ͕JWTͱݺ͹Ε͍ͯΔ ॺ໊Λ͚ͭͨΓ(JSON Web Signature, JWS)ɺ҉߸ Խ΋Ͱ͖Δ(JSON Web Encryption, JWE)  

Slide 6

Slide 6 text

JWT஀ੜͷ͖͔͚ͬ OpenIDϑΝ΢ϯσʔγϣϯʹΑΔOpenID Connectͷ࢓༷ ࡦఆʹ߹ΘͤͯIETFͷJOSE WGʹͯ࢓༷ࡦఆ։࢝ Ϣʔβʔ৘ใɺೝূΠϕϯτ৘ใͷड͚౉͠ʹར༻ SAMLͰ࢖ΘΕ͖ͯͨʮॊೈ͔ͭෳࡶͰ͋ΔXMLॺ໊ʯΑ Γ΋༰қʹ࣮૷Ͱ͖ɺίϯύΫτʹදݱͰ͖ΔηΩϡϦ ςΟτʔΫϯΛ໨ࢦͨ͠ ͦΕͰ΋·ͩ࢓༷ͷҰ෦͔͠࢖ΘΕ͍ͯͳ͍  

Slide 7

Slide 7 text

Ϣʔεέʔε ൃߦऀ/ड৴ऀʹ஫໨ ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ  

Slide 8

Slide 8 text

Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷηογϣϯCookie ϩάΠϯதͷϢʔβʔ৘ใΛ֨ೲ HTTP Responseͱͯ͠ൃߦɺWebϒϥ΢β͕อ ࣋ɺHTTP Requestͱͯ͠ड৴  

Slide 9

Slide 9 text

Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷCSRFରࡦτʔΫϯ ηογϣϯʹඥͮ͘஋(ηογϣϯIDͷϋογϡ஋ͳ Ͳ)Λ֨ೲ HTMLϑΥʔϜ಺ʹࢦఆɺPOSTσʔλͱͯ͠ड৴  

Slide 10

Slide 10 text

Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢ΔࡍͷೝՄ༻τʔΫϯ APIΞΫηεʹඞཁͳϢʔβʔ৘ใͳͲΛ֨ೲ ೝূαʔόʔ͕ΫϥΠΞϯτʹൃߦɺAPIϦΫΤετ ʹ෇༩ͯ͠APIαʔόʔ͕ड৴  

Slide 11

Slide 11 text

Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢Δࡍͷॺ໊͖ͭϦΫΤετ 3rdύʔςΟʔΞϓϦ͕ൃߦɺೝূαʔόʔ͕ड৴ ιʔγϟϧϩάΠϯʹ͓͚ΔϢʔβʔ৘ใͷ఻ୡ ೝূαʔόʔ͕ൃߦɺ3rdύʔςΟʔΞϓϦ͕ड৴  

Slide 12

Slide 12 text

ϝϦοτ/σϝϦοτ ϝϦοτ ॊೈͳσʔλߏ଄Λ΍ΓͱΓՄೳ ॺ໊ʹΑΔൃߦऀ/ड৴ऀͷݕূɺ༗ޮظݶ΋͚ͭΒΕΔ σϝϦοτ ҉߸ԽͰ͸ͳ͍ͷͰத਎Λ೷͚Δ ֨ೲ͢Δ৘ใʹΑͬͯσʔλαΠζ͕૿େ  

Slide 13

Slide 13 text

ීٴ͍ͯ͠Δཧ༝ ࢓༷͕RFCԽ͞Ε͓ͯΓɺϥΠϒϥϦ΋ॆ࣮ ඪ४ԽϓϩτίϧͰͷ࠾༻࣮੷ ಠࣗͷॺ໊͖ͭΤϯίʔσΟϯά͔ΒͷҠߦͳͲ ཱ֬͞ΕͨϕετϓϥΫςΟε RFC8725 JSON Web Token BCP  

Slide 14

Slide 14 text

JWT vs Cookie? SPAͷจ຺ͰJWT = WebStorageʹτʔΫϯอଘ +APIϦΫΤετͱ͍͏ղऍ͕͞Ε͍ͯΔ ηογϣϯID + Cookieͱൺֱ͞ΕΔ͕JWT͸͋͘· ͰΤϯίʔυํ๏ͳͷͰ࿩͕·ͱ·Βͳ͍ ಺แܕ vs ηογϣϯID΋͘͠͸จࣈྻ + HTTP CookieͷଐੑͱͷൺֱͳͲ੔ཧ͕ඞཁ  

Slide 15

Slide 15 text

JWT = εςʔτϨε? JWT=εςʔτϨεͱ͍͏ݻఆ؍೦͸΋͍ͬͨͳ͍ ৘ใΛ಺แ “Ͱ͖Δ” ಛੑΛ͍࣋ͬͯΔ͕ɺͦΕʹࢀ রͷͨΊͷΩʔΛ࣋ͬͯ΋ྑ͍ σʔλετΞͱͷ૊Έ߹ΘͤΛߟྀ͢Δͱ෯޿͍ Ϣʔεέʔεʹద༻Մೳ  

Slide 16

Slide 16 text

࢓༷ղઆ  

Slide 17

Slide 17 text

RFCs (7515 ~ 7519) αʔϏεɺγεςϜؒͷ΍ΓͱΓʹඞཁͳϝλσʔλ͸ʁ -> RFC7519 JSON Web Token ॺ໊ؔ࿈(ੜ੒ɺݕূɺඞཁͳύϥϝʔλ) -> RFC7515 JSON Web Signature ҉߸Խ -> RFC7516 JSON Web Encryption ҉߸Խ΍ॺ໊ͷͨΊͷ伴දݱ -> RFC7517 JSON Web Key ΞϧΰϦζϜ -> RFC7518 JSON Web Algorithms  

Slide 18

Slide 18 text

RFC7515 JSON Web Signature  

Slide 19

Slide 19 text

ͱ͋Δจࣈྻ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3Mi OiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0d HA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ 4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk  

Slide 20

Slide 20 text

ࢲʹ͸͜͏ݟ͑·͢ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dH A6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk  

Slide 21

Slide 21 text

͜ͷจࣈྻͷਖ਼ମ RFC7515 JSON Web Signature JWS Compact Serialization : ୯Ұͷॺ໊Λ࣋ͭ γϦΞϥΠζܗࣜ ෳ਺ͷॺؚ໊͕ΊΒΕΔJWS JSON Serializationͱ ͍͏΋ͷ΋͋Δ͕࢖ΘΕ͍ͯΔͷ͸ݟ͔͚ͳ͍  

Slide 22

Slide 22 text

Header eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk   Encoded header

Slide 23

Slide 23 text

Header Base64 URL Encode͞ΕͨJWS Header {\"typ\":\"JWT\",\r\n \”alg\”:\”HS256\"} JWSࣗମͷछྨ΍ॺ໊ʹؔ͢ΔύϥϝʔλΛؚΉ   {“͔Β࢝·Δ෦෼͕eyJͱͳΔ

Slide 24

Slide 24 text

Payload eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk   Encoded payload

Slide 25

Slide 25 text

Payload Base64 URL Encode͞ΕͨJWS Payload {\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http:// example.com/is_root\":true} Payload͸JSONʹݶΒͳ͍͕ɺJSONʹؚΉඪ४తͳΫ ϨʔϜ(ύϥϝʔλ)ͷ஋͕ RFC7519 ʹͯఆٛ͞Ε͍ͯΔ ൃߦऀɺड৴/ར༻ऀɺ༗ޮظݶͳͲ  

Slide 26

Slide 26 text

Signature eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk   Encoded signature

Slide 27

Slide 27 text

Signature Base64 URL Encode͞ΕͨJWS Signature Encoded Header ͱ Encoded PayloadΛ࿈݁ͨ͠΋ͷ ΛBase Stringͱͯ͠ར༻(໘౗ͳਖ਼نԽ͸ෆཁ) ͜ͷ஋Λੜ੒͢ΔࡍͷΞϧΰϦζϜ͕RFC7518, 伴ද ݱ͕RFC7517Ͱఆٛ͞Ε͍ͯΔ  

Slide 28

Slide 28 text

RFC7519 JSON Web Token  

Slide 29

Slide 29 text

JWTΫϨʔϜ ʮ୭͕ൃߦʁ୭͕ར༻ʁ୭ͷσʔλΛදݱʁʯ “jti” : JWTࣗମͷࣝผࢠ.ϦϓϨΠ߈ܸରࡦͳͲʹར༻. “iss” : ൃߦऀͷࣝผࢠ.υϝΠϯ΍αʔϏε಺ࣝผࢠ. “sub” : JWTͷओޠͱͳΔओମͷࣝผࢠ. ϢʔβʔͳͲ. “aud” : JWTͷड৴ऀɺར༻ऀͷࣝผࢠ  

Slide 30

Slide 30 text

JWTΫϨʔϜ ʮ͍͔ͭΒ͍ͭ·Ͱ༗ޮʁ͍ͭൃߦ͞Εͨʁʯ “iat” : ൃߦ೔࣌ “exp” : ༗ޮظݶ “nbf” : ༗ޮظݶͷ։࢝೔࣌  

Slide 31

Slide 31 text

JWTΫϨʔϜͷྫ (OIDC)  

Slide 32

Slide 32 text

JWTΫϨʔϜ શͯར༻ඞਢͰ͸ͳ͍ : ίϯςΩετʹΑͬͯબ୒ ϥΠϒϥϦʹΑͬͯ͸ݕূػೳΛ͍࣋ͬͯΔ΋ͷ΋ ݕূͷཻ౓ͳͲɺཁ݅Λຬ͔ͨ͢ͷ֬ೝ͸ඞཁ  

Slide 33

Slide 33 text

RFC7518 JSON Web Algorithms  

Slide 34

Slide 34 text

ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX “RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA   ϋογϡؔ਺ + ڞ༗伴Ͱॺ໊Λੜ੒ ൃߦɺݕূ͕ಉҰͷ৔߹ͳͲͰར༻

Slide 35

Slide 35 text

ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX “RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA   RSAॺ໊ ൿີ伴Ͱॺ໊ੜ੒ɺެ։伴Ͱݕূ RS256͕Α͘࢖ΘΕ͍ͯΔ͕…

Slide 36

Slide 36 text

ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX “RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA   ପԁۂઢॺ໊ ൿີ伴Ͱॺ໊ੜ੒ɺެ։伴Ͱݕূ ࠷ۙͷϓϩτίϧͰ͸ESܥ͕ਓؾ

Slide 37

Slide 37 text

ΞϧΰϦζϜͷ࢖͍෼͚ ൃߦ/ड৴͕ಉҰ : HSXXX ڞ༗ൿີ伴Λ҆શʹ؅ཧ͢Δ ൃߦ/ड৴͕ผ : RSXXX, PSXXX, ESXXX ൃߦଆ͕ड৴ଆʹެ։伴Λ౉͢ ৔߹ʹΑͬͯ͸͓ޓ͍ʹެ։伴Λ౉͠߹͏  

Slide 38

Slide 38 text

RFC7517 JSON Web Key  

Slide 39

Slide 39 text

伴ʹؔ͢Δ࢓༷ 伴ͷදݱ 伴ϖΞ(ެ։伴ɺൿີ伴)ɺରশ伴 伴ͷηοτͷදݱ ϩʔςʔγϣϯ αϙʔτ͢ΔΞϧΰϦζϜͷมߋ  

Slide 40

Slide 40 text

伴දݱͷͨΊͷύϥϝʔλ “kty” : 伴ͷछྨ “RSA”, “EC”, “oct” “use” : “sig” “key_ops” : “sign”, “verify” “alg” : “RS256”, … , “PS256”, … , “ES256”, … “kid” : 伴ͷࣝผࢠ “x5u”, “x5c”, “x5t”, “x5t#s256” : X.509ূ໌ॻؔ࿈  

Slide 41

Slide 41 text

伴ͷදݱ : ରশ伴  

Slide 42

Slide 42 text

伴ͷදݱ : ൿີ伴(RSA)  

Slide 43

Slide 43 text

伴ͷදݱ : ެ։伴(RSA)  

Slide 44

Slide 44 text

伴ͷදݱ : ެ։伴(ପԁۂઢ)  

Slide 45

Slide 45 text

伴ηοτͷදݱ (Google)  

Slide 46

Slide 46 text

Ϣʔεέʔε ༗ޮͳެ։伴৘ใΛެ։ jwks_url : JSON ܗࣜͰ伴৘ใͷηοτΛฦ͢ ઃఆϑΝΠϧͰͷอ࣋ ൿີ伴  

Slide 47

Slide 47 text

JWT(JWS)࣮૷ͷϙΠϯτ  

Slide 48

Slide 48 text

RFC8725 JSON Web Token BCP   https://qiita.com/ritou/items/71e58fbc0c5605ec61cb

Slide 49

Slide 49 text

JSON Web SignatureΛ؆୯͔ͭ҆શʹ ࢖͏ͨΊͷkid/typύϥϝʔλͷ࢖͍ํ   https://ritou.hatenablog.com/entry/2020/03/31/142550

Slide 50

Slide 50 text

JWT(JWS)Λ҆શʹ࢖͏ͨΊ ͷϙΠϯτ PayloadʹؚΉ৘ใΛΑ͘ݕ౼͢Δ ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ෳ਺ͷJWT(JWS)Λར༻͢Δࡍ͸༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ  

Slide 51

Slide 51 text

JWT(JWS)Λ҆શʹ࢖͏ͨΊ ͷϙΠϯτ PayloadʹؚΉ৘ใΛΑ͘ݕ౼͢Δ(Ϣʔεέʔεґଘ) ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏(ϥΠϒϥϦΛར༻) ෳ਺ͷJWT(JWS)Λར༻͢Δࡍ͸༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ  

Slide 52

Slide 52 text

PayloadʹؚΉ৘ใΛΑ͘ݕ ౼͢Δ ࣗॗ  

Slide 53

Slide 53 text

ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ॺ໊ݕূ࣌ͷΞϧΰϦζϜͷ஋ΛͲ͔͜ΒҾ͔͘ Headerͷalgύϥϝʔλͷ஋Λૉ௚ʹ࢖͏ͱ߈ܸΛड͚ΔڪΕ noneʹมߋ͞ΕͯεΩοϓ͞ΕͨΓ RS256 -> HS256 Ͱެ։伴ͷϋογϡ஋Λࢦఆ͞ΕͨΓ ؅ཧ͍ͯ͠Δ伴ʹඥͮ͘஋Λར༻͠ɺHeaderͷ஋͸ͦͷ஋ͱ ͷൺֱʹཹΊΔ  

Slide 54

Slide 54 text

༻్ͱॺ໊ݕূʹ஫໨ ༻్ͷදݱͱࢦఆ ॺ໊ੜ੒ɺݕূ༻ͷ伴ͷ؅ཧ ্هͷݕূ  

Slide 55

Slide 55 text

༻్ͷදݱͱࢦఆ ࢖͑Δύϥϝʔλ͸ෳ਺͋Δ Header “typ” ύϥϝʔλ (ྫ: “secevent+jwt”) ɿ伴؅ཧͱ෼཭ “kid” ύϥϝʔλ : ༻్͝ͱʹ伴ࣗମΛ෼͚Δ Payload ಠࣗΫϨʔϜ : “usage” ͳͲ  

Slide 56

Slide 56 text

༻్ͷදݱͱࢦఆ ͲΕΛ࢖͏͔͸ॊೈʹ൑அ͢΂͖ ػೳ୯ҐͰ伴Λ෼͚ΒΕΔ : Header “kid” 伴पΓ͍͡Εͳ͍͕Header͸͍͡ΕΔ : Header “typ” 伴पΓ΋Header΋͍͡Εͳ͍ : ಠࣗΫϨʔϜ  

Slide 57

Slide 57 text

“kid” Λ༻͍ͨ༻్ͷ؅ཧ ༻్͝ͱʹ伴ϦετΛΘ͚ɺॺ໊ݕূ࣌ʹར༻ ॺ໊ݕূͱ༻్ͷݕূΛ݉ͶΔ ਓ͕ؒΘ͔Γ΍͍͢Α͏ʹ “(༻్) + (ϥϯμϜͳจࣈ ྻͱ͔೔෇ͱ͔)” ͱ͍͏idʹ͢Δ  

Slide 58

Slide 58 text

“typ” Λ༻͍ͨ༻్ͷ؅ཧ ॺ໊ݕূલʹ൑ఆͰ͖Δ ϥΠϒϥϦʹΑͬͯ͸ࢦఆͰ͖ͳ͍ɺࢦఆͰ͖ͯ΋ࣗ ಈͰݕূͰ͖ͳ͍΋ͷ΋͋ΔͷͰ஫ҙ  

Slide 59

Slide 59 text

ಠࣗΫϨʔϜͷར༻ ॺ໊ݕূޙͷ൑ఆͱͳΔ ࢦఆɺݕূͱ΋ʹಠࣗͷ࣮૷ͱͳΔ  

Slide 60

Slide 60 text

JWSੜ੒ɺݕূσϞʢ΍Δ࣌ؒͳͦ͞͏ʣ  

Slide 61

Slide 61 text

໨త ॺ໊͖ͭͷJSON Web Token(JSON Web Signature)ͷ ॺ໊ੜ੒/ݕূΛମݧ ࣮຿Ͱ͸ϥΠϒϥϦΛ࢖͏͜ͱΛ͓קΊ͠·͢ɻ  

Slide 62

Slide 62 text

ඞཁͳػೳ ͜ΕΒͷػೳ͕ඞཁͰ͢ɻϓϩάϥϛϯάݴޠʹΑͬͯ ͸഑ྻͷॲཧͳͲɺຊઆ໌ͱҟͳΔ݁ՌͱͳΔ৔߹΋͋ Γ·͢ɻ Base64 URL Encode / Decode (Paddingͳ͠) JSON Encode / Decode HMAC-SHA256  

Slide 63

Slide 63 text

JWTੜ੒ͷྲྀΕ 1. HeaderΛੜ੒ 2. PayloadΛੜ੒ 3. SignatureΛੜ੒ 4. ࿈݁ͯ͠׬੒  

Slide 64

Slide 64 text

(1) Header ར༻͢ΔHeaderύϥϝʔλ “typ” : “handson+JWT” # ϋϯζΦϯ༻ʹಠࣗఆٛ “alg” : “HS256” # HMAC-SHA256 ར༻Λએݴ “kid” : “handson01” # 伴؅ཧΛҙࣝ͢ΔͨΊʹར༻  

Slide 65

Slide 65 text

(1) Header 1. JSON Encode “{\"alg\":\"HS256\",\"kid\":\"handson01\",\"typ\": \"handson+JWT\"}” 2. Base64 URL Encode “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0”  

Slide 66

Slide 66 text

(2) Payload ૹΓ͍ͨσʔλ “Foo”:”Bar” “Hoge”:”Fuga”  

Slide 67

Slide 67 text

(2) Payload 1. JSON Encode "{\"Foo\":\"Bar\",\"Hoge\":\"Fuga\"}" 2. Base64 URL Encode “eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9"  

Slide 68

Slide 68 text

(3) Signature 1. Header, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞੒ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”  

Slide 69

Slide 69 text

(3) Signature 2. Base StringΛHMAC-SHA256ͨ͠஋ΛBase64 URL Encode 伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON” “Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM”  

Slide 70

Slide 70 text

(4) ׬੒ Base StringͱSignatureͷ஋Λ“.”Ͱ࿈݁͢Δͱ׬੒ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTV MwH6iaLoOpxEZf3KcVM”  

Slide 71

Slide 71 text

JWTݕূͷྲྀΕ 1. HeaderΛݕূ 2. SignatureΛݕূ 3. (PayloadΛݕূ)  

Slide 72

Slide 72 text

(1) Header Base64 URL Decode & JSON Decodeͨ݁͠ՌΛݕূ “typ” : “handson+JWT” # ظ଴͢Δ஋ͱҰக͢Δ? “kid” : “handson01” # αϙʔτ͍ͯ͠Δ伴? “alg” : “HS256” # kidʹඥͮ͘伴ͱΞϧΰϦζϜ͕Ұ க͢Δ?  

Slide 73

Slide 73 text

(2) Signature ੜ੒ͱಉ༷ʹHeader, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞੒ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”  

Slide 74

Slide 74 text

(2) Signature 2. Headerʹࢦఆ͞Εͨkidʹඥͮ͘伴ͰɺBase StringΛ HMAC-SHA256ͨ͠஋ΛBase64 URL Encodeͯ͠ൺֱ 伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON” “Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM” ※ެ։伴҉߸Λར༻͢Δ৔߹͸ॺ໊ݕূ༻ͷؔ਺Λར༻  

Slide 75

Slide 75 text

(3) Payload ॺ໊ݕূ͕ऴΘͬͨޙʹඞཁͳΒ͹PayloadΛݕূ (ࠓճ͸RFC7519Ͱఆٛ͞Ε͍ͯΔiss, aud, expͳͲͷΫ ϨʔϜΛؚΜͰ͍ͳ͍ͨΊݕূෆཁ)  

Slide 76

Slide 76 text

https://jwt.io/ Ͱ΋ݕূՄೳ