JWT Boot Camp 2020

Transcript

1. JSON Web Token boot camp 2020 ryo.ito (@ritou)
   

2. ͜ͷࢿྉ͕๬ΉGOAL JSON Web Tokenͱ͸ͲΜͳ΋ͷ͔Λཧղ͢Δ ৭ʑͳαʔϏεɺγεςϜͰ࢖ΘΕ͍ͯΔJSON Web Signatureͷ࢓૊Έʹ͍ͭͯཧղ͢Δ Ϣʔεέʔεͱઃܭ/࣮૷ͷϙΠϯτΛ੔ཧ͠ɺۀ຿Ͱ ΋҆શʹJWTΛѻ͑ΔΑ͏ʹͳΔ
   

   

3. JSON Web Token֓ཁ
   

4. 3'$
   +40/
   8FC
   5PLFO +85 “JSON Web Token (JWT) is a compact, URL-

   safe means of representing claims to be transferred between two parties.”
   

5. JSON Web Tokenͱ͸ ͍ΖΜͳσʔλ(ߏ଄Խ͞Εͨ΋ͷ΍όΠφϦ·Ͱ)Λ ෳ਺ͷαʔϏεɺγεςϜؒͰ΍ΓͱΓ͢ΔͨΊʹ URLηʔϑͳจࣈྻʹΤϯίʔυ͢Δ࢓૊Έ΋͘͠͸ Τϯίʔυ͞Εͨจࣈྻࣗମ͕JWTͱݺ͹Ε͍ͯΔ ॺ໊Λ͚ͭͨΓ(JSON Web Signature,

   JWS)ɺ҉߸ Խ΋Ͱ͖Δ(JSON Web Encryption, JWE)
   

6. JWT஀ੜͷ͖͔͚ͬ OpenIDϑΝ΢ϯσʔγϣϯʹΑΔOpenID Connectͷ࢓༷ ࡦఆʹ߹ΘͤͯIETFͷJOSE WGʹͯ࢓༷ࡦఆ։࢝ Ϣʔβʔ৘ใɺೝূΠϕϯτ৘ใͷड͚౉͠ʹར༻ SAMLͰ࢖ΘΕ͖ͯͨʮॊೈ͔ͭෳࡶͰ͋ΔXMLॺ໊ʯΑ Γ΋༰қʹ࣮૷Ͱ͖ɺίϯύΫτʹදݱͰ͖ΔηΩϡϦ ςΟτʔΫϯΛ໨ࢦͨ͠ ͦΕͰ΋·ͩ࢓༷ͷҰ෦͔͠࢖ΘΕ͍ͯͳ͍

   
   

7. Ϣʔεέʔε ൃߦऀ/ड৴ऀʹ஫໨ ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ
   

8. Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷηογϣϯCookie ϩάΠϯதͷϢʔβʔ৘ใΛ֨ೲ HTTP Responseͱͯ͠ൃߦɺWebϒϥ΢β͕อ ࣋ɺHTTP Requestͱͯ͠ड৴
   

9. Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷCSRFରࡦτʔΫϯ ηογϣϯʹඥͮ͘஋(ηογϣϯIDͷϋογϡ஋ͳ Ͳ)Λ֨ೲ HTMLϑΥʔϜ಺ʹࢦఆɺPOSTσʔλͱͯ͠ड৴
   

10. Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢ΔࡍͷೝՄ༻τʔΫϯ APIΞΫηεʹඞཁͳϢʔβʔ৘ใͳͲΛ֨ೲ ೝূαʔόʔ͕ΫϥΠΞϯτʹൃߦɺAPIϦΫΤετ ʹ෇༩ͯ͠APIαʔόʔ͕ड৴
    

11. Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢Δࡍͷॺ໊͖ͭϦΫΤετ 3rdύʔςΟʔΞϓϦ͕ൃߦɺೝূαʔόʔ͕ड৴ ιʔγϟϧϩάΠϯʹ͓͚ΔϢʔβʔ৘ใͷ఻ୡ ೝূαʔόʔ͕ൃߦɺ3rdύʔςΟʔΞϓϦ͕ड৴
    

12. ϝϦοτ/σϝϦοτ ϝϦοτ ॊೈͳσʔλߏ଄Λ΍ΓͱΓՄೳ ॺ໊ʹΑΔൃߦऀ/ड৴ऀͷݕূɺ༗ޮظݶ΋͚ͭΒΕΔ σϝϦοτ ҉߸ԽͰ͸ͳ͍ͷͰத਎Λ೷͚Δ ֨ೲ͢Δ৘ใʹΑͬͯσʔλαΠζ͕૿େ
    

13. ීٴ͍ͯ͠Δཧ༝ ࢓༷͕RFCԽ͞Ε͓ͯΓɺϥΠϒϥϦ΋ॆ࣮ ඪ४ԽϓϩτίϧͰͷ࠾༻࣮੷ ಠࣗͷॺ໊͖ͭΤϯίʔσΟϯά͔ΒͷҠߦͳͲ ཱ֬͞ΕͨϕετϓϥΫςΟε RFC8725 JSON Web Token BCP

    
    

14. JWT vs Cookie? SPAͷจ຺ͰJWT = WebStorageʹτʔΫϯอଘ +APIϦΫΤετͱ͍͏ղऍ͕͞Ε͍ͯΔ ηογϣϯID + Cookieͱൺֱ͞ΕΔ͕JWT͸͋͘·

    ͰΤϯίʔυํ๏ͳͷͰ࿩͕·ͱ·Βͳ͍ ಺แܕ vs ηογϣϯID΋͘͠͸จࣈྻ + HTTP CookieͷଐੑͱͷൺֱͳͲ੔ཧ͕ඞཁ
    

15. JWT = εςʔτϨε? JWT=εςʔτϨεͱ͍͏ݻఆ؍೦͸΋͍ͬͨͳ͍ ৘ใΛ಺แ “Ͱ͖Δ” ಛੑΛ͍࣋ͬͯΔ͕ɺͦΕʹࢀ রͷͨΊͷΩʔΛ࣋ͬͯ΋ྑ͍ σʔλετΞͱͷ૊Έ߹ΘͤΛߟྀ͢Δͱ෯޿͍ Ϣʔεέʔεʹద༻Մೳ

    
    

16. ࢓༷ղઆ
    

17. RFCs (7515 ~ 7519) αʔϏεɺγεςϜؒͷ΍ΓͱΓʹඞཁͳϝλσʔλ͸ʁ -> RFC7519 JSON Web Token

    ॺ໊ؔ࿈(ੜ੒ɺݕূɺඞཁͳύϥϝʔλ) -> RFC7515 JSON Web Signature ҉߸Խ -> RFC7516 JSON Web Encryption ҉߸Խ΍ॺ໊ͷͨΊͷ伴දݱ -> RFC7517 JSON Web Key ΞϧΰϦζϜ -> RFC7518 JSON Web Algorithms
    

18. RFC7515 JSON Web Signature
    

19. ͱ͋Δจࣈྻ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3Mi OiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0d HA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ 4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    

20. ࢲʹ͸͜͏ݟ͑·͢ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dH A6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    

21. ͜ͷจࣈྻͷਖ਼ମ RFC7515 JSON Web Signature JWS Compact Serialization : ୯Ұͷॺ໊Λ࣋ͭ

    γϦΞϥΠζܗࣜ ෳ਺ͷॺؚ໊͕ΊΒΕΔJWS JSON Serializationͱ ͍͏΋ͷ΋͋Δ͕࢖ΘΕ͍ͯΔͷ͸ݟ͔͚ͳ͍
    

22. Header eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
     Encoded

    header

23. Header Base64 URL Encode͞ΕͨJWS Header {\"typ\":\"JWT\",\r\n \”alg\”:\”HS256\"} JWSࣗମͷछྨ΍ॺ໊ʹؔ͢ΔύϥϝʔλΛؚΉ
    

    {“͔Β࢝·Δ෦෼͕eyJͱͳΔ

24. Payload eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
     Encoded

    payload

25. Payload Base64 URL Encode͞ΕͨJWS Payload {\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http:// example.com/is_root\":true} Payload͸JSONʹݶΒͳ͍͕ɺJSONʹؚΉඪ४తͳΫ

    ϨʔϜ(ύϥϝʔλ)ͷ஋͕ RFC7519 ʹͯఆٛ͞Ε͍ͯΔ ൃߦऀɺड৴/ར༻ऀɺ༗ޮظݶͳͲ
    

26. Signature eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
     Encoded

    signature

27. Signature Base64 URL Encode͞ΕͨJWS Signature Encoded Header ͱ Encoded PayloadΛ࿈݁ͨ͠΋ͷ

    ΛBase Stringͱͯ͠ར༻(໘౗ͳਖ਼نԽ͸ෆཁ) ͜ͷ஋Λੜ੒͢ΔࡍͷΞϧΰϦζϜ͕RFC7518, 伴ද ݱ͕RFC7517Ͱఆٛ͞Ε͍ͯΔ
    

28. RFC7519 JSON Web Token
    

29. JWTΫϨʔϜ ʮ୭͕ൃߦʁ୭͕ར༻ʁ୭ͷσʔλΛදݱʁʯ “jti” : JWTࣗମͷࣝผࢠ.ϦϓϨΠ߈ܸରࡦͳͲʹར༻. “iss” : ൃߦऀͷࣝผࢠ.υϝΠϯ΍αʔϏε಺ࣝผࢠ. “sub” :

    JWTͷओޠͱͳΔओମͷࣝผࢠ. ϢʔβʔͳͲ. “aud” : JWTͷड৴ऀɺར༻ऀͷࣝผࢠ
    

30. JWTΫϨʔϜ ʮ͍͔ͭΒ͍ͭ·Ͱ༗ޮʁ͍ͭൃߦ͞Εͨʁʯ “iat” : ൃߦ೔࣌ “exp” : ༗ޮظݶ “nbf” :

    ༗ޮظݶͷ։࢝೔࣌
    

31. JWTΫϨʔϜͷྫ (OIDC)
    

32. JWTΫϨʔϜ શͯར༻ඞਢͰ͸ͳ͍ : ίϯςΩετʹΑͬͯબ୒ ϥΠϒϥϦʹΑͬͯ͸ݕূػೳΛ͍࣋ͬͯΔ΋ͷ΋ ݕূͷཻ౓ͳͲɺཁ݅Λຬ͔ͨ͢ͷ֬ೝ͸ඞཁ
    

33. RFC7518 JSON Web Algorithms
    

34. ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX

    “RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA
     ϋογϡؔ਺ + ڞ༗伴Ͱॺ໊Λੜ੒ ൃߦɺݕূ͕ಉҰͷ৔߹ͳͲͰར༻

35. ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX

    “RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA
     RSAॺ໊ ൿີ伴Ͱॺ໊ੜ੒ɺެ։伴Ͱݕূ RS256͕Α͘࢖ΘΕ͍ͯΔ͕…

36. ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX

    “RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA
     ପԁۂઢॺ໊ ൿີ伴Ͱॺ໊ੜ੒ɺެ։伴Ͱݕূ ࠷ۙͷϓϩτίϧͰ͸ESܥ͕ਓؾ

37. ΞϧΰϦζϜͷ࢖͍෼͚ ൃߦ/ड৴͕ಉҰ : HSXXX ڞ༗ൿີ伴Λ҆શʹ؅ཧ͢Δ ൃߦ/ड৴͕ผ : RSXXX, PSXXX, ESXXX

    ൃߦଆ͕ड৴ଆʹެ։伴Λ౉͢ ৔߹ʹΑͬͯ͸͓ޓ͍ʹެ։伴Λ౉͠߹͏
    

38. RFC7517 JSON Web Key
    

39. 伴ʹؔ͢Δ࢓༷ 伴ͷදݱ 伴ϖΞ(ެ։伴ɺൿີ伴)ɺରশ伴 伴ͷηοτͷදݱ ϩʔςʔγϣϯ αϙʔτ͢ΔΞϧΰϦζϜͷมߋ
    

40. 伴දݱͷͨΊͷύϥϝʔλ “kty” : 伴ͷछྨ “RSA”, “EC”, “oct” “use” : “sig”

    “key_ops” : “sign”, “verify” “alg” : “RS256”, … , “PS256”, … , “ES256”, … “kid” : 伴ͷࣝผࢠ “x5u”, “x5c”, “x5t”, “x5t#s256” : X.509ূ໌ॻؔ࿈
    

41. 伴ͷදݱ : ରশ伴
    

42. 伴ͷදݱ : ൿີ伴(RSA)
    

43. 伴ͷදݱ : ެ։伴(RSA)
    

44. 伴ͷදݱ : ެ։伴(ପԁۂઢ)
    

45. 伴ηοτͷදݱ (Google)
    

46. Ϣʔεέʔε ༗ޮͳެ։伴৘ใΛެ։ jwks_url : JSON ܗࣜͰ伴৘ใͷηοτΛฦ͢ ઃఆϑΝΠϧͰͷอ࣋ ൿີ伴
    

47. JWT(JWS)࣮૷ͷϙΠϯτ
    

48. RFC8725 JSON Web Token BCP
     https://qiita.com/ritou/items/71e58fbc0c5605ec61cb

49. JSON Web SignatureΛ؆୯͔ͭ҆શʹ ࢖͏ͨΊͷkid/typύϥϝʔλͷ࢖͍ํ
     https://ritou.hatenablog.com/entry/2020/03/31/142550

50. JWT(JWS)Λ҆શʹ࢖͏ͨΊ ͷϙΠϯτ PayloadʹؚΉ৘ใΛΑ͘ݕ౼͢Δ ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ෳ਺ͷJWT(JWS)Λར༻͢Δࡍ͸༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
    

51. JWT(JWS)Λ҆શʹ࢖͏ͨΊ ͷϙΠϯτ PayloadʹؚΉ৘ใΛΑ͘ݕ౼͢Δ(Ϣʔεέʔεґଘ) ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏(ϥΠϒϥϦΛར༻) ෳ਺ͷJWT(JWS)Λར༻͢Δࡍ͸༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
    

52. PayloadʹؚΉ৘ใΛΑ͘ݕ ౼͢Δ ࣗॗ
    

53. ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ॺ໊ݕূ࣌ͷΞϧΰϦζϜͷ஋ΛͲ͔͜ΒҾ͔͘ Headerͷalgύϥϝʔλͷ஋Λૉ௚ʹ࢖͏ͱ߈ܸΛड͚ΔڪΕ noneʹมߋ͞ΕͯεΩοϓ͞ΕͨΓ RS256 -> HS256 Ͱެ։伴ͷϋογϡ஋Λࢦఆ͞ΕͨΓ ؅ཧ͍ͯ͠Δ伴ʹඥͮ͘஋Λར༻͠ɺHeaderͷ஋͸ͦͷ஋ͱ ͷൺֱʹཹΊΔ

    
    

54. ༻్ͱॺ໊ݕূʹ஫໨ ༻్ͷදݱͱࢦఆ ॺ໊ੜ੒ɺݕূ༻ͷ伴ͷ؅ཧ ্هͷݕূ
    

55. ༻్ͷදݱͱࢦఆ ࢖͑Δύϥϝʔλ͸ෳ਺͋Δ Header “typ” ύϥϝʔλ (ྫ: “secevent+jwt”) ɿ伴؅ཧͱ෼཭ “kid” ύϥϝʔλ

    : ༻్͝ͱʹ伴ࣗମΛ෼͚Δ Payload ಠࣗΫϨʔϜ : “usage” ͳͲ
    

56. ༻్ͷදݱͱࢦఆ ͲΕΛ࢖͏͔͸ॊೈʹ൑அ͢΂͖ ػೳ୯ҐͰ伴Λ෼͚ΒΕΔ : Header “kid” 伴पΓ͍͡Εͳ͍͕Header͸͍͡ΕΔ : Header “typ”

    伴पΓ΋Header΋͍͡Εͳ͍ : ಠࣗΫϨʔϜ
    

57. “kid” Λ༻͍ͨ༻్ͷ؅ཧ ༻్͝ͱʹ伴ϦετΛΘ͚ɺॺ໊ݕূ࣌ʹར༻ ॺ໊ݕূͱ༻్ͷݕূΛ݉ͶΔ ਓ͕ؒΘ͔Γ΍͍͢Α͏ʹ “(༻్) + (ϥϯμϜͳจࣈ ྻͱ͔೔෇ͱ͔)” ͱ͍͏idʹ͢Δ

    
    

58. “typ” Λ༻͍ͨ༻్ͷ؅ཧ ॺ໊ݕূલʹ൑ఆͰ͖Δ ϥΠϒϥϦʹΑͬͯ͸ࢦఆͰ͖ͳ͍ɺࢦఆͰ͖ͯ΋ࣗ ಈͰݕূͰ͖ͳ͍΋ͷ΋͋ΔͷͰ஫ҙ
    

59. ಠࣗΫϨʔϜͷར༻ ॺ໊ݕূޙͷ൑ఆͱͳΔ ࢦఆɺݕূͱ΋ʹಠࣗͷ࣮૷ͱͳΔ
    

60. JWSੜ੒ɺݕূσϞʢ΍Δ࣌ؒͳͦ͞͏ʣ
    

61. ໨త ॺ໊͖ͭͷJSON Web Token(JSON Web Signature)ͷ ॺ໊ੜ੒/ݕূΛମݧ ࣮຿Ͱ͸ϥΠϒϥϦΛ࢖͏͜ͱΛ͓קΊ͠·͢ɻ
    

62. ඞཁͳػೳ ͜ΕΒͷػೳ͕ඞཁͰ͢ɻϓϩάϥϛϯάݴޠʹΑͬͯ ͸഑ྻͷॲཧͳͲɺຊઆ໌ͱҟͳΔ݁ՌͱͳΔ৔߹΋͋ Γ·͢ɻ Base64 URL Encode / Decode (Paddingͳ͠)

    JSON Encode / Decode HMAC-SHA256
    

63. JWTੜ੒ͷྲྀΕ 1. HeaderΛੜ੒ 2. PayloadΛੜ੒ 3. SignatureΛੜ੒ 4. ࿈݁ͯ͠׬੒
    

    

64. (1) Header ར༻͢ΔHeaderύϥϝʔλ “typ” : “handson+JWT” # ϋϯζΦϯ༻ʹಠࣗఆٛ “alg” :

    “HS256” # HMAC-SHA256 ར༻Λએݴ “kid” : “handson01” # 伴؅ཧΛҙࣝ͢ΔͨΊʹར༻
    

65. (1) Header 1. JSON Encode “{\"alg\":\"HS256\",\"kid\":\"handson01\",\"typ\": \"handson+JWT\"}” 2. Base64 URL

    Encode “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0”
    

66. (2) Payload ૹΓ͍ͨσʔλ “Foo”:”Bar” “Hoge”:”Fuga”
    

67. (2) Payload 1. JSON Encode "{\"Foo\":\"Bar\",\"Hoge\":\"Fuga\"}" 2. Base64 URL Encode

    “eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9"
    

68. (3) Signature 1. Header, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞੒ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
    

    

69. (3) Signature 2. Base StringΛHMAC-SHA256ͨ͠஋ΛBase64 URL Encode 伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON”

    “Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM”
    

70. (4) ׬੒ Base StringͱSignatureͷ஋Λ“.”Ͱ࿈݁͢Δͱ׬੒ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTV MwH6iaLoOpxEZf3KcVM”
    

71. JWTݕূͷྲྀΕ 1. HeaderΛݕূ 2. SignatureΛݕূ 3. (PayloadΛݕূ)
    

72. (1) Header Base64 URL Decode & JSON Decodeͨ݁͠ՌΛݕূ “typ” :

    “handson+JWT” # ظ଴͢Δ஋ͱҰக͢Δ? “kid” : “handson01” # αϙʔτ͍ͯ͠Δ伴? “alg” : “HS256” # kidʹඥͮ͘伴ͱΞϧΰϦζϜ͕Ұ க͢Δ?
    

73. (2) Signature ੜ੒ͱಉ༷ʹHeader, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞੒ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
    

74. (2) Signature 2. Headerʹࢦఆ͞Εͨkidʹඥͮ͘伴ͰɺBase StringΛ HMAC-SHA256ͨ͠஋ΛBase64 URL Encodeͯ͠ൺֱ 伴 :

    “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON” “Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM” ※ެ։伴҉߸Λར༻͢Δ৔߹͸ॺ໊ݕূ༻ͷؔ਺Λར༻
    

75. (3) Payload ॺ໊ݕূ͕ऴΘͬͨޙʹඞཁͳΒ͹PayloadΛݕূ (ࠓճ͸RFC7519Ͱఆٛ͞Ε͍ͯΔiss, aud, expͳͲͷΫ ϨʔϜΛؚΜͰ͍ͳ͍ͨΊݕূෆཁ)
    

76. https://jwt.io/ Ͱ΋ݕূՄೳ