JWT Boot Camp 2020


Material on JSON Web Token prepared for an internal team study session.


ritou

May 22, 2020

Transcript

  1. JSON Web Token boot camp 2020 ryo.ito (@ritou)

  2. Goals of this deck. Understand what a JSON Web Token is. Understand how JSON Web Signature, which is used in many services and systems, works. Sort out the use cases and the design/implementation points so that you can handle JWT safely in your own work.

  3. JSON Web Token overview

  4. RFC7519 JSON Web Token (JWT): "JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties."

  5. What is a JSON Web Token? A mechanism for encoding data of all kinds (structured data, even binary) into a URL-safe string so that it can be exchanged between multiple services and systems; the encoded string itself is also called a JWT. It can carry a signature (JSON Web Signature, JWS) and it can be encrypted (JSON Web Encryption, JWE).

  6. How JWT came about. Specification work started in the IETF JOSE WG in step with the OpenID Foundation's work on the OpenID Connect specification. It is used to hand over user information and authentication-event information. The goal was a security token that is easier to implement and more compact than the "flexible but complex XML Signature" used by SAML. Even so, only part of the specification is in common use.

  7. Use cases, looking at who issues and who receives. Either a single service or system both issues and receives, or the issuing and receiving services/systems are different.

  8. Use case: a single service/system issues and receives. The session cookie of a web application: it holds the logged-in user's information, is issued in the HTTP response, kept by the web browser, and received again in the HTTP request.

  9. Use case: a single service/system issues and receives. The CSRF-protection token of a web application: it holds a value bound to the session (e.g. a hash of the session ID), is placed in the HTML form, and received as POST data.

  10. Use case: issuer and receiver are different. The authorization token used to call a Web API: it holds the user information needed for API access; the authentication server issues it to the client, the client attaches it to API requests, and the API server receives it.

  11. Use case: issuer and receiver are different. Signed requests to a Web API: a 3rd-party app issues them and the authentication server receives them. Conveying user information in social login: the authentication server issues, the 3rd-party app receives.

  12. Pros/cons. Pros: flexible data structures can be exchanged; the signature lets the issuer/receiver be verified, and an expiry can be attached. Cons: it is not encryption, so anyone holding the token can read its contents; the data size grows with the information stored in it.

  13. Why it has spread. The specification is an RFC and libraries are plentiful. It has a track record of adoption in standardized protocols. Projects migrate to it from home-grown signed encodings. Established best practices exist: RFC8725 JSON Web Token BCP.

  14. JWT vs Cookie? In the SPA context "JWT" is taken to mean "keep a token in WebStorage and send it with API requests". It gets compared with "session ID + Cookie", but a JWT is only an encoding, so the discussion never converges. Two things need to be separated: self-contained token vs. session ID (or any opaque string), and the comparison with the attributes that an HTTP Cookie provides.

  15. JWT = stateless? The fixed idea that JWT means stateless is a waste. A JWT "can" embed information, but it may just as well carry only a key for looking the information up. Combined with a data store it can be applied to a wide range of use cases.
  16. Spec walkthrough

  17. RFCs (7515 ~ 7519). What metadata is needed for exchange between services and systems? -> RFC7519 JSON Web Token. Signing (generation, verification, required parameters) -> RFC7515 JSON Web Signature. Encryption -> RFC7516 JSON Web Encryption. Key representation for encryption and signing -> RFC7517 JSON Web Key. Algorithms -> RFC7518 JSON Web Algorithms.

  18. RFC7515 JSON Web Signature

  19. A certain string: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

  20. This is how it looks to me: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

  21. What this string is: RFC7515 JSON Web Signature, JWS Compact Serialization, the serialization form that carries a single signature. There is also a JWS JSON Serialization that can carry several signatures, but it is rarely seen in practice.

  22. Header: the first segment, eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9, is the encoded header.

  23. Header: the Base64 URL encoded JWS Header, {"typ":"JWT",\r\n "alg":"HS256"}. It contains parameters about the kind of JWS this is and about the signature. Anything that starts with {" encodes to eyJ.

  24. Payload: the second segment, eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ, is the encoded payload.

  25. Payload: the Base64 URL encoded JWS Payload, {"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}. The payload is not limited to JSON, but when it is JSON the standard claims (parameters) it may contain are defined in RFC7519: issuer, receiver/consumer, expiry, and so on.

  26. Signature: the third segment, dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, is the encoded signature.

  27. Signature: the Base64 URL encoded JWS Signature. The encoded header and the encoded payload, joined by ".", are used as the base string (no cumbersome canonicalization is needed). The algorithms that produce this value are defined in RFC7518 and the key representation in RFC7517.

  28. RFC7519 JSON Web Token

  29. JWT claims: "Who issued it? Who consumes it? Whose data does it represent?" "jti": identifier of the JWT itself, used e.g. for replay protection. "iss": identifier of the issuer, a domain or an identifier within the service. "sub": identifier of the subject the JWT is about, e.g. a user. "aud": identifier of the receiver/consumer of the JWT.

  30. JWT claims: "From when until when is it valid? When was it issued?" "iat": time of issue. "exp": expiration time. "nbf": time from which the JWT becomes valid.

  31. Example JWT claims (OIDC)

  32. JWT claims: none of them is mandatory across the board; choose by context. Some libraries offer validation of them, but you still have to confirm that the granularity of that validation meets your requirements.
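Claim validation, as an added Python example (standard library only) that is not part of the deck. It decodes the payload of the RFC 7515 example token shown on slides 19–25 and then checks the registered claims from slides 29–30 against a verifier's expectations, including the clock-skew leeway and jti replay set a library would give you. The function and parameter names, the leeway handling and the constructed SAMPLE_CLAIMS set are assumptions of this example. The decode step deliberately does not check the signature, so in a real verifier it must run only after the signature check (the order on slide 71).

```python
import base64
import json

# RFC 7515 Appendix A.1 example token as printed on the slides (line breaks removed).
# Its key is not needed here: this example only decodes and validates claims.
RFC7515_EXAMPLE = (
    "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
    ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
    ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
)

# Constructed claims set (not from the deck) exercising every claim on slides 29-30.
SAMPLE_CLAIMS = {
    "jti": "7f3c2a9e-2020-05-22",
    "iss": "https://issuer.example",
    "sub": "user-123",
    "aud": ["api.example", "other.example"],
    "iat": 1590105600,
    "nbf": 1590105600,
    "exp": 1590109200,
}


def b64url_decode(text: str) -> bytes:
    """Base64 URL decoding; re-adds the padding the sender stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims_unverified(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature.
    Fine for inspection; a verifier must check the signature before trusting any claim."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def validate_claims(claims: dict, *, expected_iss, expected_aud, now, leeway=0, seen_jti=None):
    """Return a list of problems; an empty list means the claims are acceptable.

    expected_aud=None skips the audience check (as on slide 75, where the payload
    has no aud); otherwise our own identifier must appear in aud.
    seen_jti is an optional set used for replay protection via jti.
    """
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss")
    if expected_aud is not None:
        aud = claims.get("aud")  # RFC 7519: a string or an array of strings
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            problems.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        problems.append("exp missing")
    elif now >= exp + leeway:  # RFC 7519: the current time MUST be before exp
        problems.append("expired")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        problems.append("not yet valid")
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        problems.append("iat in the future")
    if seen_jti is not None:
        jti = claims.get("jti")
        if jti is None:
            problems.append("jti missing")
        elif jti in seen_jti:
            problems.append("replay")
        else:
            seen_jti.add(jti)
    return problems


if __name__ == "__main__":
    claims = decode_claims_unverified(RFC7515_EXAMPLE)
    print(claims)
    print(validate_claims(claims, expected_iss="joe", expected_aud=None, now=1300819000))
    print(validate_claims(claims, expected_iss="joe", expected_aud=None, now=1300819380))
```

The example token's exp (1300819380) is long past, so with today's clock it is rejected as expired; the checks only pass when now is set before that instant. Returning a list of problems rather than a single boolean makes it easy to log why a token was rejected without leaking that detail to the client.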

  33. RFC7518 JSON Web Algorithms

  34. Signature algorithms. "none": no signature. "HS256", "HS384", "HS512": HMAC with SHA-256/384/512. "RS256", "RS384", "RS512": RSASSA-PKCS1-v1_5. "PS256", "PS384", "PS512": RSASSA-PSS. "ES256", "ES384", "ES512": ECDSA. HMAC: the signature is produced from a hash function plus a shared key; used when the issuer and the verifier are the same party, and similar cases.

  35. Signature algorithms (continued). RSA signatures: sign with the private key, verify with the public key. RS256 is the one most widely used, but…

  36. Signature algorithms (continued). Elliptic-curve signatures: sign with the private key, verify with the public key. In recent protocols the ES family is popular.

  37. Choosing an algorithm. Issuer and receiver are the same: HSXXX; the shared secret key must be managed securely. Issuer and receiver are different: RSXXX, PSXXX, ESXXX; the issuer hands its public key to the receiver, and in some cases both sides exchange public keys.

  38. RFC7517 JSON Web Key

  39. What the key specification covers: representing keys (key pairs of public and private key, and symmetric keys); representing sets of keys; rotation; changing the supported algorithms.

  40. Parameters for representing a key. "kty": key type, "RSA", "EC", "oct". "use": "sig". "key_ops": "sign", "verify". "alg": "RS256", …, "PS256", …, "ES256", …. "kid": key identifier. "x5u", "x5c", "x5t", "x5t#S256": X.509 certificate related.

  41. Key representation: symmetric key

  42. Key representation: private key (RSA)

  43. Key representation: public key (RSA)

  44. Key representation: public key (elliptic curve)

  45. Key set representation (Google)

  46. Use cases. Publishing the currently valid public keys: a jwks_url that returns the set of keys as JSON. Holding keys in configuration files: private keys.

  47. Implementation points for JWT (JWS)

  48. RFC8725 JSON Web Token BCP: https://qiita.com/ritou/items/71e58fbc0c5605ec61cb

  49. How to use the kid/typ parameters to use JSON Web Signature simply and safely: https://ritou.hatenablog.com/entry/2020/03/31/142550

  50. Points for using JWT (JWS) safely. Think carefully about the information you put in the payload. Perform signature verification without fail. When several kinds of JWT (JWS) are in use, designate the purpose of each and verify them exclusively.

  51. Points for using JWT (JWS) safely, with notes. Think carefully about the information you put in the payload (depends on the use case). Perform signature verification without fail (use a library). When several kinds of JWT (JWS) are in use, designate the purpose of each and verify them exclusively.

  52. Think carefully about the information you put in the payload: (left out of this deck)

  53. Perform signature verification without fail. Where does the algorithm used for verification come from? If you take the header's alg value at face value you open yourself to attacks: alg can be changed to none so that verification is skipped, or changed from RS256 to HS256 so that the verifier accepts an HMAC that the attacker computed with the public key as the shared secret. Use the algorithm bound to the key you manage, and only compare the header's value against it.

  54. Focus on purpose and on signature verification: how the purpose is expressed and designated; how the keys for signing and verification are managed; and verification of both.

  55. Expressing and designating the purpose: several parameters can be used. Header "typ" parameter (e.g. "secevent+jwt"): independent of key management. "kid" parameter: a separate key per purpose. A custom payload claim such as "usage".

  56. Expressing and designating the purpose: decide flexibly which one to use. Keys can be split per function: Header "kid". You cannot touch the keys but can touch the header: Header "typ". You can touch neither the keys nor the header: a custom claim.

  57. Managing purpose with "kid": keep a separate key list per purpose and use it during signature verification, so that signature verification doubles as purpose verification. For readability make the id "(purpose) + (a random string, a date, or similar)".

  58. Managing purpose with "typ": it can be decided before signature verification. Beware that some libraries cannot set it, or can set it but do not verify it automatically.

  59. Using a custom claim: the decision is made after signature verification, and both setting and verifying it are your own implementation.

  60. JWS generation/verification demo (probably no time for this)

  61. Purpose: experience signature generation/verification of a signed JSON Web Token (JSON Web Signature). In real work we recommend using a library.

  62. Required functions: Base64 URL encode/decode (without padding), JSON encode/decode, HMAC-SHA256. Depending on the programming language, array handling and the like may give results that differ from this explanation.

  63. Generation flow: 1. build the Header 2. build the Payload 3. compute the Signature 4. concatenate, done

  64. (1) Header parameters used: "typ": "handson+JWT" # custom-defined for this hands-on. "alg": "HS256" # declares HMAC-SHA256. "kid": "handson01" # used to keep key management in mind.

  65. (1) Header. 1. JSON encode: {"alg":"HS256","kid":"handson01","typ":"handson+JWT"} 2. Base64 URL encode: eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0

  66. (2) Payload, the data we want to send: "Foo":"Bar", "Hoge":"Fuga"

  67. (2) Payload. 1. JSON encode: {"Foo":"Bar","Hoge":"Fuga"} 2. Base64 URL encode: eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  68. (3) Signature. 1. Join Header and Payload with "." to build the base string: eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  69. (3) Signature. 2. HMAC-SHA256 the base string and Base64 URL encode the result. Key: "THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON". Result: Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM

  70. (4) Done. Joining the base string and the signature with "." completes the token: eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM

  71. Verification flow: 1. verify the Header 2. verify the Signature 3. (verify the Payload)

  72. (1) Header. Base64 URL decode and JSON decode, then check the result: "typ": "handson+JWT" # does it match the expected value? "kid": "handson01" # is it a key we support? "alg": "HS256" # does it match the algorithm bound to the key for that kid?

  73. (2) Signature. 1. As in generation, join Header and Payload with "." to build the base string: eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  74. (2) Signature. 2. With the key bound to the kid given in the Header, HMAC-SHA256 the base string, Base64 URL encode the result and compare it with the third segment (use a constant-time comparison). Key: "THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON". Expected: Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM. Note: when public-key cryptography is used, call the signature-verification function instead.

  75. (3) Payload. Once signature verification has succeeded, validate the Payload if needed (this time it contains none of the claims defined in RFC7519 such as iss, aud, exp, so no validation is required).

  76. It can also be verified at https://jwt.io/