JWT Boot Camp 2020

ritou
May 22, 2020

Material on JSON Web Token prepared for an internal team study session.

Transcript

  1. JSON Web Token boot camp 2020
    ryo.ito (@ritou)

  2. Goals of this deck
    Understand what a JSON Web Token is
    Understand how JSON Web Signature, which is used in many services and systems, works
    Sort out the use cases and the design/implementation points so you can handle JWTs safely in your day-to-day work

  3. JSON Web Token overview

  4. RFC JSON Web Token (JWT)
    "JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties."

  5. What is a JSON Web Token?
    A mechanism for encoding all kinds of data (structured data, even binary) into a URL-safe string so that it can be exchanged between multiple services and systems; the encoded string itself is also called a JWT
    It can be signed (JSON Web Signature, JWS) and can also be encrypted (JSON Web Encryption, JWE)

  6. How JWT came about
    Specification work started in the IETF JOSE WG alongside the OpenID Foundation's work on the OpenID Connect specification
    Used to pass user information and authentication event information
    Aimed at a security token that is easier to implement and more compact than the "flexible but complex XML Signature" used by SAML
    Even so, only part of the specification is in use today

  7. Use cases
    Focus on the issuer and the recipient
    A single service or system both issues and receives
    The service or system that issues and the one that receives are different

  8. Use case: a single service or system both issues and receives
    Web application session cookie
    Stores information about the logged-in user
    Issued in the HTTP response, held by the web browser, received in the HTTP request

  9. Use case: a single service or system both issues and receives
    Web application CSRF protection token
    Stores a value bound to the session (e.g. a hash of the session ID)
    Placed inside the HTML form, received as POST data

  10. Use case: the issuing and receiving services or systems are different
    Authorization token for calling a Web API
    Stores the user information etc. needed for API access
    Issued by the authentication server to the client, attached to API requests, received by the API server

  11. Use case: the issuing and receiving services or systems are different
    Signed request when calling a Web API
    Issued by the 3rd-party app, received by the authentication server
    Passing user information in social login
    Issued by the authentication server, received by the 3rd-party app

  12. Pros / cons
    Pros
    Flexible data structures can be exchanged
    The signature lets the issuer/recipient be verified, and an expiry can be attached
    Cons
    It is not encryption, so the contents can be read
    Data size grows with the information stored

  13. Why it has spread
    The specification is an RFC and libraries are plentiful
    Track record of adoption in standardized protocols
    Migration away from home-grown signed encodings, etc.
    Established best practices
    RFC8725 JSON Web Token BCP

  14. JWT vs Cookie?
    In the SPA context, "JWT" is taken to mean "store the token in WebStorage + send it with API requests"
    It gets compared with session ID + Cookie, but JWT is only an encoding method, so the discussion never converges
    What needs sorting out: self-contained tokens vs a session ID or plain string, comparison with HTTP Cookie attributes, and so on

  15. JWT = stateless?
    The fixed idea that JWT = stateless is a waste
    It has the property that it *can* embed information, but it may just as well carry a key used for lookup
    Combined with a data store it applies to a wide range of use cases

  16. RFCs (7515 ~ 7519)
    What metadata is needed for exchange between services and systems? -> RFC7519 JSON Web Token
    Signatures (generation, verification, required parameters) -> RFC7515 JSON Web Signature
    Encryption -> RFC7516 JSON Web Encryption
    Key representation for encryption and signing -> RFC7517 JSON Web Key
    Algorithms -> RFC7518 JSON Web Algorithms

  17. RFC7515 JSON Web Signature

  18. A certain string
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

  19. This is how I see it
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
    .
    eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
    .
    dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

  20. What this string is
    RFC7515 JSON Web Signature
    JWS Compact Serialization: a serialization format carrying a single signature
    There is also JWS JSON Serialization, which can carry multiple signatures, but it is rarely seen in use

  21. Header
    Encoded header (first segment of the string above):
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9

  22. Header
    The JWS Header, Base64 URL encoded
    {"typ":"JWT",\r\n "alg":"HS256"}
    Contains the parameters describing the kind of JWS and its signature
    The part that starts with {" encodes to eyJ

  23. Payload
    Encoded payload (second segment of the string above):
    eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ

  24. Payload
    The JWS Payload, Base64 URL encoded
    {"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}
    The Payload is not limited to JSON, but the standard claims (parameters) carried in a JSON payload are defined in RFC7519
    Issuer, recipient/consumer, expiry, etc.

  25. Signature
    Encoded signature (third segment of the string above):
    dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

  26. Signature
    The JWS Signature, Base64 URL encoded
    The concatenation of the Encoded Header and the Encoded Payload is used as the base string (no troublesome canonicalization needed)
    The algorithm used to generate this value is defined in RFC7518, and the key representation in RFC7517

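To make the three-part split on slides 18-26 concrete, here is a small parser for the JWS Compact Serialization, added as an example; it is not code from the deck. It takes the RFC 7515 example token shown above, decodes the header and payload, and exposes the exact bytes the signature covers (encoded header, a dot, encoded payload). It deliberately performs no verification, which the later slides cover.

```python
import base64
import json

# The RFC 7515 example token from the slides above (header.payload.signature).
RFC7515_EXAMPLE = (
    "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
    ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
    ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
)


def b64url_decode(segment: str) -> bytes:
    """Base64url decode a segment that, as JWS requires, carries no '=' padding."""
    if any(c in segment for c in "+/="):
        raise ValueError("segment is not base64url without padding")
    pad = "=" * (-len(segment) % 4)  # restore padding for the stdlib decoder
    return base64.urlsafe_b64decode(segment + pad)


def parse_compact_jws(token: str) -> dict:
    """Split a JWS Compact Serialization into its three segments.

    Returns the decoded header and payload (as JSON objects), the raw
    signature bytes, and the signing input (encoded_header.encoded_payload)
    that the signature actually covers. Nothing is verified here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    enc_header, enc_payload, enc_signature = parts
    header = json.loads(b64url_decode(enc_header))
    payload = json.loads(b64url_decode(enc_payload))
    return {
        "header": header,
        "payload": payload,
        "signature": b64url_decode(enc_signature),
        # The base string is the two *encoded* segments; the JSON is never re-serialized.
        "signing_input": f"{enc_header}.{enc_payload}".encode("ascii"),
    }


if __name__ == "__main__":
    parsed = parse_compact_jws(RFC7515_EXAMPLE)
    print(json.dumps(parsed["header"]))
    print(json.dumps(parsed["payload"]))
    print(len(parsed["signature"]), "signature bytes (HS256 gives 32)")
```

Running it prints the header object with typ JWT and alg HS256, the payload with iss, exp and the is_root claim, and a 32-byte signature; the CRLF whitespace inside the RFC's JSON is preserved in the encoded segments, which is why the base string must be built from the encoded text rather than from re-serialized JSON.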
  27. RFC7519 JSON Web Token

  28. JWT claims
    "Who issued it? Who consumes it? Whose data does it represent?"
    "jti": identifier of the JWT itself; used for replay-attack countermeasures etc.
    "iss": identifier of the issuer; a domain or an identifier within the service
    "sub": identifier of the subject the JWT is about; a user, etc.
    "aud": identifier of the recipient / consumer of the JWT

  29. JWT claims
    "Valid from when until when? When was it issued?"
    "iat": time of issue
    "exp": expiry time
    "nbf": time from which the token becomes valid

  30. Example JWT claims (OIDC)

  31. JWT claims
    Not all of them are mandatory: choose according to context
    Some libraries have validation functionality built in
    You still need to confirm it meets your requirements, e.g. the granularity of validation

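As an added illustration of the registered claims on slides 28-31 (not code from the deck), the following checker applies the iss/aud/exp/nbf/iat rules a verifier runs after the signature has already been verified. The sample payload, issuer name and audience names are constructed for this example; rejecting a future iat is this example's own sanity check, not an RFC 7519 requirement.

```python
import time
from typing import Optional, Union


class ClaimError(ValueError):
    """Raised when a registered claim fails validation."""


def validate_claims(payload: dict, *, expected_iss: str, expected_aud: str,
                    now: Optional[int] = None, leeway: int = 0,
                    require_exp: bool = True) -> dict:
    """Check the RFC 7519 registered claims of an already signature-verified payload.

    Returns the payload when every check passes and raises ClaimError otherwise.
    Time comparisons follow RFC 7519 section 4.1: the current time must be
    strictly before exp and at or after nbf; `leeway` (seconds) absorbs clock skew.
    """
    now = int(time.time()) if now is None else now

    # iss: exact match against the issuer this verifier trusts.
    if payload.get("iss") != expected_iss:
        raise ClaimError(f"unexpected issuer {payload.get('iss')!r}")

    # aud: may be a single string or an array; this verifier must appear in it.
    aud: Union[str, list, None] = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if expected_aud not in audiences:
        raise ClaimError(f"audience {expected_aud!r} not in {audiences!r}")

    # exp: required by default here, since a token without expiry lives forever.
    exp = payload.get("exp")
    if exp is None and require_exp:
        raise ClaimError("missing exp")
    if exp is not None and now >= exp + leeway:
        raise ClaimError("token expired")

    # nbf: optional; token is not valid before this instant.
    nbf = payload.get("nbf")
    if nbf is not None and now < nbf - leeway:
        raise ClaimError("token not yet valid")

    # iat: informational in RFC 7519; rejecting an issue time in the future is
    # this example's own choice for catching badly skewed issuers.
    iat = payload.get("iat")
    if iat is not None and iat > now + leeway:
        raise ClaimError("iat is in the future")

    return payload


# Constructed sample payload (issuer and audiences are placeholders).
SAMPLE_PAYLOAD = {
    "iss": "https://issuer.example",
    "sub": "user-123",
    "aud": ["api.example", "other-api.example"],
    "iat": 1300818000,
    "nbf": 1300818000,
    "exp": 1300819380,
    "jti": "constructed-id-001",
}

if __name__ == "__main__":
    print(validate_claims(SAMPLE_PAYLOAD, expected_iss="https://issuer.example",
                          expected_aud="api.example", now=1300819000))
```

The `now` parameter exists so the checks are deterministic in tests; a real verifier leaves it at the default. Note that the audience check is what ties a token to one consumer: a token issued for another API fails here even though its signature is perfectly valid.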
  32. RFC7518 JSON Web Algorithms

  33. Signing algorithms
    "none": no signature
    "HS256", "HS384", "HS512": HMAC SHA-XXX
    "RS256", "RS384", "RS512": RSASSA-PKCS1-v1_5
    "PS256", "PS384", "PS512": RSASSA-PSS
    "ES256", "ES384", "ES512": ECDSA
    HMAC: the signature is generated from a hash function + a shared key
    Used when the issuer and the verifier are the same party, etc.

  34. Signing algorithms
    RSA signatures: sign with the private key, verify with the public key
    RS256 is widely used, but…

  35. Signing algorithms
    Elliptic curve signatures: sign with the private key, verify with the public key
    The ES family is popular in recent protocols

  36. Choosing an algorithm
    Issuer and recipient are the same: HSXXX
    Manage the shared secret key securely
    Issuer and recipient differ: RSXXX, PSXXX, ESXXX
    The issuing side gives the receiving side its public key
    In some cases both sides exchange public keys

  37. RFC7517 JSON Web Key

  38. Specifications about keys
    Representation of a key
    Key pairs (public key, private key), symmetric keys
    Representation of a set of keys
    Rotation
    Changing the supported algorithms

  39. Parameters for representing a key
    "kty": key type: "RSA", "EC", "oct"
    "use": "sig"
    "key_ops": "sign", "verify"
    "alg": "RS256", … , "PS256", … , "ES256", …
    "kid": key identifier
    "x5u", "x5c", "x5t", "x5t#S256": X.509 certificate related

  40. Key representation: symmetric key

  41. Key representation: private key (RSA)

  42. Key representation: public key (RSA)

  43. Key representation: public key (elliptic curve)

  44. Key set representation (Google)

  45. Use cases
    Publishing the currently valid public keys
    jwks_url: returns the set of keys in JSON format
    Keeping keys in a configuration file
    Private keys

  46. Implementation points for JWT (JWS)

  47. RFC8725 JSON Web Token BCP
    https://qiita.com/ritou/items/71e58fbc0c5605ec61cb

  48. How to use the kid/typ parameters to use JSON Web Signature simply and safely
    https://ritou.hatenablog.com/entry/2020/03/31/142550

  49. Points for using JWT (JWS) safely
    Think carefully about the information you put in the Payload
    Perform signature verification reliably
    When using several kinds of JWT (JWS), designate each one's purpose and verify them exclusively

  50. Points for using JWT (JWS) safely
    Think carefully about the information you put in the Payload (depends on the use case)
    Perform signature verification reliably (use a library)
    When using several kinds of JWT (JWS), designate each one's purpose and verify them exclusively

  51. Think carefully about the information you put in the Payload
    Self-restraint

  52. Perform signature verification reliably
    Where does the algorithm value used at signature verification come from?
    Using the Header's alg parameter value as-is leaves you open to attack
    It may be changed to none so that verification is skipped
    Or changed from RS256 to HS256 with a hash value computed using the public key supplied in its place
    Use the value bound to the key you manage, and only compare the Header value against it

  53. Focus on purpose and signature verification
    Expressing and designating the purpose
    Managing the keys used for signing and verification
    Verifying the above

  54. Expressing and designating the purpose
    There are several parameters you can use
    Header
    "typ" parameter (e.g. "secevent+jwt"): separate from key management
    "kid" parameter: use a separate key per purpose
    Payload
    Custom claim: "usage" etc.

  55. Expressing and designating the purpose
    Decide flexibly which one to use
    Keys can be split per function: Header "kid"
    Cannot touch the keys but can touch the Header: Header "typ"
    Cannot touch the keys or the Header: custom claim

  56. Managing purpose with "kid"
    Keep a separate key list per purpose and use it at signature verification
    Signature verification then doubles as purpose verification
    For human readability, make the id "(purpose) + (a random string, a date, or the like)"

  57. Managing purpose with "typ"
    Can be decided before signature verification
    Beware: some libraries cannot set it, and some that can set it cannot verify it automatically

  58. Using a custom claim
    The decision happens after signature verification
    Both setting and verifying it are your own implementation

  59. JWS generation and verification demo (probably no time for it)

  60. Purpose
    Experience signature generation and verification of a signed JSON Web Token (JSON Web Signature)
    In real work I recommend using a library.

  61. Required functionality
    These functions are needed. Depending on the programming language, things such as array handling may produce results that differ from this explanation.
    Base64 URL Encode / Decode (no padding)
    JSON Encode / Decode
    HMAC-SHA256

  62. JWT generation flow
    1. Generate the Header
    2. Generate the Payload
    3. Generate the Signature
    4. Concatenate to complete

  63. (1) Header
    Header parameters used
    "typ": "handson+JWT" # custom value defined for this hands-on
    "alg": "HS256" # declares use of HMAC-SHA256
    "kid": "handson01" # used to keep key management in mind

  64. (1) Header
    1. JSON Encode
    {"alg":"HS256","kid":"handson01","typ":"handson+JWT"}
    2. Base64 URL Encode
    eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0

  65. (2) Payload
    Data to send
    "Foo":"Bar"
    "Hoge":"Fuga"

  66. (2) Payload
    1. JSON Encode
    {"Foo":"Bar","Hoge":"Fuga"}
    2. Base64 URL Encode
    eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  67. (3) Signature
    1. Join the Header and the Payload with "." to build the base string
    eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  68. (3) Signature
    2. Compute HMAC-SHA256 over the base string and Base64 URL Encode the result
    Key: "THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON"
    Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM

  69. (4) Done
    Join the base string and the Signature with "." and the token is complete
    eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM

  70. JWT verification flow
    1. Verify the Header
    2. Verify the Signature
    3. (Verify the Payload)

  71. (1) Header
    Base64 URL Decode & JSON Decode, then check the result
    "typ": "handson+JWT" # does it match the expected value?
    "kid": "handson01" # is it a key we support?
    "alg": "HS256" # does it match the algorithm bound to the key for this kid?

  72. (2) Signature
    As in generation, join the Header and the Payload with "." to build the base string
    eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  73. (2) Signature
    2. Using the key bound to the kid given in the Header, compute HMAC-SHA256 over the base string, Base64 URL Encode it and compare
    Key: "THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON"
    Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM
    * When using public-key cryptography, use the signature verification function instead

  74. (3) Payload
    After signature verification succeeds, verify the Payload if needed
    (Not needed this time, since the token contains none of the claims defined in RFC7519 such as iss, aud, exp)

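The following added example (not the deck's code) walks through generation steps (1)-(4) and verification steps (1)-(3) from slides 62-74 in Python, using the hands-on key, header and payload from the slides. It also applies the points from slides 52-58: the key is looked up by kid in a JWK Set (constructed here from the RFC 7517 parameters listed on slide 39), the header's alg is only compared against the alg registered for that key rather than trusted, and typ is checked before the signature. The JWK Set and the expected typ value are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Values from the hands-on slides.
HANDSON_KEY = b"THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON"
HANDSON_HEADER = {"typ": "handson+JWT", "alg": "HS256", "kid": "handson01"}
HANDSON_PAYLOAD = {"Foo": "Bar", "Hoge": "Fuga"}
EXPECTED_TYP = "handson+JWT"  # assumed purpose value this verifier accepts


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_compact(obj: dict) -> bytes:
    # Sorted keys and no whitespace reproduce the slides' encoded strings exactly.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


# Constructed JWK Set (RFC 7517) holding the hands-on key as an "oct" JWK.
# Binding alg and use to the kid here is what lets the verifier ignore the
# header's own alg value.
KEYRING = {
    "keys": [
        {"kty": "oct", "kid": "handson01", "alg": "HS256", "use": "sig",
         "k": b64url_encode(HANDSON_KEY)}
    ]
}


def create_jws(header: dict, payload: dict, key: bytes) -> str:
    """Generation steps (1)-(4): header, payload, signature, concatenation."""
    if header["alg"] != "HS256":
        raise ValueError("this hands-on only implements HS256")
    enc_header = b64url_encode(json_compact(header))     # (1)
    enc_payload = b64url_encode(json_compact(payload))   # (2)
    signing_input = f"{enc_header}.{enc_payload}"         # (3) base string
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"        # (4)


def find_key(keyring: dict, kid) -> dict:
    """Select our own key by kid; an unknown kid is a hard failure."""
    for jwk in keyring["keys"]:
        if jwk.get("kid") == kid and jwk.get("use") == "sig":
            return jwk
    raise ValueError(f"unknown kid {kid!r}")


def verify_jws(token: str, keyring: dict, expected_typ: str) -> dict:
    """Verification steps (1)-(3); returns the payload or raises ValueError."""
    try:
        enc_header, enc_payload, enc_sig = token.split(".")
    except ValueError:
        raise ValueError("not a JWS compact serialization") from None
    header = json.loads(b64url_decode(enc_header))

    # (1) Header: typ is the purpose check, kid selects *our* key, and alg must
    # equal the alg registered for that key. The header never chooses the
    # algorithm by itself, so "none" or an RS256->HS256 swap is rejected here.
    if header.get("typ") != expected_typ:
        raise ValueError(f"unexpected typ {header.get('typ')!r}")
    jwk = find_key(keyring, header.get("kid"))
    if header.get("alg") != jwk["alg"]:
        raise ValueError(f"alg {header.get('alg')!r} does not match key {jwk['kid']!r}")
    if jwk["kty"] != "oct" or jwk["alg"] != "HS256":
        raise ValueError("only oct/HS256 keys are supported in this hands-on")

    # (2) Signature: recompute over the base string and compare in constant time.
    key = b64url_decode(jwk["k"])
    expected = hmac.new(key, f"{enc_header}.{enc_payload}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        raise ValueError("signature mismatch")

    # (3) Payload: decoded only after the signature checked out. The hands-on
    # payload carries no registered claims, so no claim checks apply here.
    return json.loads(b64url_decode(enc_payload))


if __name__ == "__main__":
    token = create_jws(HANDSON_HEADER, HANDSON_PAYLOAD, HANDSON_KEY)
    print(token)
    print(verify_jws(token, KEYRING, EXPECTED_TYP))
```

The first two segments of the generated token are exactly the encoded header and payload printed on slides 64 and 66. Because the verifier takes the algorithm from the JWK selected by kid, a token whose header says "none" or carries a different alg fails at step (1) before any signature arithmetic runs, and a token with a tampered payload fails the constant-time comparison at step (2).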
  75. Verification is also possible at https://jwt.io/