Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JWT Boot Camp 2020
Search
ritou
May 22, 2020
Technology
4
7.7k
JWT Boot Camp 2020
チーム内勉強会のために作成したJSON Web Tokenについての資料です。
ritou
May 22, 2020
Tweet
Share
More Decks by ritou
See All by ritou
“パスワードレス認証への道" ユーザー認証の変遷とパスキーの関係
ritou
2
4.6k
パスキー導入の課題と ベストプラクティス、今後の展望
ritou
12
5.6k
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 + α
ritou
1
120
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
4
1.7k
OIDF-J EIWG 振り返り
ritou
2
67
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
590
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
3
680
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
860
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6.7k
Other Decks in Technology
See All in Technology
データエンジニアがこの先生きのこるには...?
10xinc
0
440
stupid jj tricks
indirect
0
7.9k
Pythonによる契約プログラミング入門 / PyCon JP 2025
7pairs
5
2.5k
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
9k
SwiftUIのGeometryReaderとScrollViewを基礎から応用まで学び直す:設計と活用事例
fumiyasac0921
0
140
"複雑なデータ処理 × 静的サイト" を両立させる、楽をするRails運用 / A low-effort Rails workflow that combines “Complex Data Processing × Static Sites”
hogelog
3
1.9k
Why Governance Matters: The Key to Reducing Risk Without Slowing Down
sarahjwells
0
100
生成AIとM5Stack / M5 Japan Tour 2025 Autumn 東京
you
PRO
0
200
Where will it converge?
ibknadedeji
0
170
Pure Goで体験するWasmの未来
askua
1
170
Optuna DashboardにおけるPLaMo2連携機能の紹介 / PFN LLM セミナー
pfn
PRO
1
870
神回のメカニズムと再現方法/Mechanisms and Playbook for Kamikai scrumat2025
moriyuya
4
510
Featured
See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
For a Future-Friendly Web
brad_frost
180
9.9k
Making the Leap to Tech Lead
cromwellryan
135
9.5k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
46
7.6k
Designing for humans not robots
tammielis
254
25k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
132
19k
How STYLIGHT went responsive
nonsquared
100
5.8k
Speed Design
sergeychernyshev
32
1.1k
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
Building Adaptive Systems
keathley
43
2.8k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Transcript
JSON Web Token boot camp 2020 ryo.ito (@ritou)
͜ͷࢿྉ͕ΉGOAL JSON Web TokenͱͲΜͳͷ͔Λཧղ͢Δ ৭ʑͳαʔϏεɺγεςϜͰΘΕ͍ͯΔJSON Web SignatureͷΈʹ͍ͭͯཧղ͢Δ Ϣʔεέʔεͱઃܭ/࣮ͷϙΠϯτΛཧ͠ɺۀͰ ҆શʹJWTΛѻ͑ΔΑ͏ʹͳΔ
JSON Web Token֓ཁ
3'$+40/8FC5PLFO +85 “JSON Web Token (JWT) is a compact, URL-
safe means of representing claims to be transferred between two parties.”
JSON Web Tokenͱ ͍ΖΜͳσʔλ(ߏԽ͞ΕͨͷόΠφϦ·Ͱ)Λ ෳͷαʔϏεɺγεςϜؒͰΓͱΓ͢ΔͨΊʹ URLηʔϑͳจࣈྻʹΤϯίʔυ͢ΔΈ͘͠ Τϯίʔυ͞Εͨจࣈྻࣗମ͕JWTͱݺΕ͍ͯΔ ॺ໊Λ͚ͭͨΓ(JSON Web Signature,
JWS)ɺ҉߸ ԽͰ͖Δ(JSON Web Encryption, JWE)
JWTੜͷ͖͔͚ͬ OpenIDϑΝϯσʔγϣϯʹΑΔOpenID Connectͷ༷ ࡦఆʹ߹ΘͤͯIETFͷJOSE WGʹ༷ͯࡦఆ։࢝ ϢʔβʔใɺೝূΠϕϯτใͷड͚͠ʹར༻ SAMLͰΘΕ͖ͯͨʮॊೈ͔ͭෳࡶͰ͋ΔXMLॺ໊ʯΑ Γ༰қʹ࣮Ͱ͖ɺίϯύΫτʹදݱͰ͖ΔηΩϡϦ ςΟτʔΫϯΛࢦͨ͠ ͦΕͰ·༷ͩͷҰ෦͔͠ΘΕ͍ͯͳ͍
Ϣʔεέʔε ൃߦऀ/ड৴ऀʹ ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ
Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷηογϣϯCookie ϩάΠϯதͷϢʔβʔใΛ֨ೲ HTTP Responseͱͯ͠ൃߦɺWebϒϥβ͕อ ࣋ɺHTTP Requestͱͯ͠ड৴
Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷCSRFରࡦτʔΫϯ ηογϣϯʹඥͮ͘(ηογϣϯIDͷϋογϡͳ Ͳ)Λ֨ೲ HTMLϑΥʔϜʹࢦఆɺPOSTσʔλͱͯ͠ड৴
Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢ΔࡍͷೝՄ༻τʔΫϯ APIΞΫηεʹඞཁͳϢʔβʔใͳͲΛ֨ೲ ೝূαʔόʔ͕ΫϥΠΞϯτʹൃߦɺAPIϦΫΤετ ʹ༩ͯ͠APIαʔόʔ͕ड৴
Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢Δࡍͷॺ໊͖ͭϦΫΤετ 3rdύʔςΟʔΞϓϦ͕ൃߦɺೝূαʔόʔ͕ड৴ ιʔγϟϧϩάΠϯʹ͓͚ΔϢʔβʔใͷୡ ೝূαʔόʔ͕ൃߦɺ3rdύʔςΟʔΞϓϦ͕ड৴
ϝϦοτ/σϝϦοτ ϝϦοτ ॊೈͳσʔλߏΛΓͱΓՄೳ ॺ໊ʹΑΔൃߦऀ/ड৴ऀͷݕূɺ༗ޮظݶ͚ͭΒΕΔ σϝϦοτ ҉߸ԽͰͳ͍ͷͰதΛ͚Δ ֨ೲ͢ΔใʹΑͬͯσʔλαΠζ͕૿େ
ීٴ͍ͯ͠Δཧ༝ ༷͕RFCԽ͞Ε͓ͯΓɺϥΠϒϥϦॆ࣮ ඪ४ԽϓϩτίϧͰͷ࠾༻࣮ ಠࣗͷॺ໊͖ͭΤϯίʔσΟϯά͔ΒͷҠߦͳͲ ཱ֬͞ΕͨϕετϓϥΫςΟε RFC8725 JSON Web Token BCP
JWT vs Cookie? SPAͷจ຺ͰJWT = WebStorageʹτʔΫϯอଘ +APIϦΫΤετͱ͍͏ղऍ͕͞Ε͍ͯΔ ηογϣϯID + Cookieͱൺֱ͞ΕΔ͕JWT͋͘·
ͰΤϯίʔυํ๏ͳͷͰ͕·ͱ·Βͳ͍ แܕ vs ηογϣϯID͘͠จࣈྻ + HTTP CookieͷଐੑͱͷൺֱͳͲཧ͕ඞཁ
JWT = εςʔτϨε? JWT=εςʔτϨεͱ͍͏ݻఆ؍೦͍ͬͨͳ͍ ใΛแ “Ͱ͖Δ” ಛੑΛ͍࣋ͬͯΔ͕ɺͦΕʹࢀ রͷͨΊͷΩʔΛ࣋ͬͯྑ͍ σʔλετΞͱͷΈ߹ΘͤΛߟྀ͢Δͱ෯͍ Ϣʔεέʔεʹద༻Մೳ
༷ղઆ
RFCs (7515 ~ 7519) αʔϏεɺγεςϜؒͷΓͱΓʹඞཁͳϝλσʔλʁ -> RFC7519 JSON Web Token
ॺ໊ؔ࿈(ੜɺݕূɺඞཁͳύϥϝʔλ) -> RFC7515 JSON Web Signature ҉߸Խ -> RFC7516 JSON Web Encryption ҉߸Խॺ໊ͷͨΊͷ伴දݱ -> RFC7517 JSON Web Key ΞϧΰϦζϜ -> RFC7518 JSON Web Algorithms
RFC7515 JSON Web Signature
ͱ͋Δจࣈྻ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3Mi OiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0d HA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ 4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
ࢲʹ͜͏ݟ͑·͢ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dH A6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
͜ͷจࣈྻͷਖ਼ମ RFC7515 JSON Web Signature JWS Compact Serialization : ୯Ұͷॺ໊Λ࣋ͭ
γϦΞϥΠζܗࣜ ෳͷॺؚ໊͕ΊΒΕΔJWS JSON Serializationͱ ͍͏ͷ͋Δ͕ΘΕ͍ͯΔͷݟ͔͚ͳ͍
Header eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
header
Header Base64 URL Encode͞ΕͨJWS Header {\"typ\":\"JWT\",\r\n \”alg\”:\”HS256\"} JWSࣗମͷछྨॺ໊ʹؔ͢ΔύϥϝʔλΛؚΉ
{“͔Β࢝·Δ෦͕eyJͱͳΔ
Payload eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
payload
Payload Base64 URL Encode͞ΕͨJWS Payload {\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http:// example.com/is_root\":true} PayloadJSONʹݶΒͳ͍͕ɺJSONʹؚΉඪ४తͳΫ
ϨʔϜ(ύϥϝʔλ)ͷ͕ RFC7519 ʹͯఆٛ͞Ε͍ͯΔ ൃߦऀɺड৴/ར༻ऀɺ༗ޮظݶͳͲ
Signature eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
signature
Signature Base64 URL Encode͞ΕͨJWS Signature Encoded Header ͱ Encoded PayloadΛ࿈݁ͨ͠ͷ
ΛBase Stringͱͯ͠ར༻(໘ͳਖ਼نԽෆཁ) ͜ͷΛੜ͢ΔࡍͷΞϧΰϦζϜ͕RFC7518, 伴ද ݱ͕RFC7517Ͱఆٛ͞Ε͍ͯΔ
RFC7519 JSON Web Token
JWTΫϨʔϜ ʮ୭͕ൃߦʁ୭͕ར༻ʁ୭ͷσʔλΛදݱʁʯ “jti” : JWTࣗମͷࣝผࢠ.ϦϓϨΠ߈ܸରࡦͳͲʹར༻. “iss” : ൃߦऀͷࣝผࢠ.υϝΠϯαʔϏεࣝผࢠ. “sub” :
JWTͷओޠͱͳΔओମͷࣝผࢠ. ϢʔβʔͳͲ. “aud” : JWTͷड৴ऀɺར༻ऀͷࣝผࢠ
JWTΫϨʔϜ ʮ͍͔ͭΒ͍ͭ·Ͱ༗ޮʁ͍ͭൃߦ͞Εͨʁʯ “iat” : ൃߦ࣌ “exp” : ༗ޮظݶ “nbf” :
༗ޮظݶͷ։࢝࣌
JWTΫϨʔϜͷྫ (OIDC)
JWTΫϨʔϜ શͯར༻ඞਢͰͳ͍ : ίϯςΩετʹΑͬͯબ ϥΠϒϥϦʹΑͬͯݕূػೳΛ͍࣋ͬͯΔͷ ݕূͷཻͳͲɺཁ݅Λຬ͔ͨ͢ͷ֬ೝඞཁ
RFC7518 JSON Web Algorithms
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA ϋογϡؔ + ڞ༗伴Ͱॺ໊Λੜ ൃߦɺݕূ͕ಉҰͷ߹ͳͲͰར༻
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA RSAॺ໊ ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ RS256͕Α͘ΘΕ͍ͯΔ͕…
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA ପԁۂઢॺ໊ ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ ࠷ۙͷϓϩτίϧͰESܥ͕ਓؾ
ΞϧΰϦζϜͷ͍͚ ൃߦ/ड৴͕ಉҰ : HSXXX ڞ༗ൿີ伴Λ҆શʹཧ͢Δ ൃߦ/ड৴͕ผ : RSXXX, PSXXX, ESXXX
ൃߦଆ͕ड৴ଆʹެ։伴Λ͢ ߹ʹΑ͓ͬͯޓ͍ʹެ։伴Λ͠߹͏
RFC7517 JSON Web Key
伴ʹؔ͢Δ༷ 伴ͷදݱ 伴ϖΞ(ެ։伴ɺൿີ伴)ɺରশ伴 伴ͷηοτͷදݱ ϩʔςʔγϣϯ αϙʔτ͢ΔΞϧΰϦζϜͷมߋ
伴දݱͷͨΊͷύϥϝʔλ “kty” : 伴ͷछྨ “RSA”, “EC”, “oct” “use” : “sig”
“key_ops” : “sign”, “verify” “alg” : “RS256”, … , “PS256”, … , “ES256”, … “kid” : 伴ͷࣝผࢠ “x5u”, “x5c”, “x5t”, “x5t#s256” : X.509ূ໌ॻؔ࿈
伴ͷදݱ : ରশ伴
伴ͷදݱ : ൿີ伴(RSA)
伴ͷදݱ : ެ։伴(RSA)
伴ͷදݱ : ެ։伴(ପԁۂઢ)
伴ηοτͷදݱ (Google)
Ϣʔεέʔε ༗ޮͳެ։伴ใΛެ։ jwks_url : JSON ܗࣜͰ伴ใͷηοτΛฦ͢ ઃఆϑΝΠϧͰͷอ࣋ ൿີ伴
JWT(JWS)࣮ͷϙΠϯτ
RFC8725 JSON Web Token BCP https://qiita.com/ritou/items/71e58fbc0c5605ec61cb
JSON Web SignatureΛ؆୯͔ͭ҆શʹ ͏ͨΊͷkid/typύϥϝʔλͷ͍ํ https://ritou.hatenablog.com/entry/2020/03/31/142550
JWT(JWS)Λ҆શʹ͏ͨΊ ͷϙΠϯτ PayloadʹؚΉใΛΑ͘ݕ౼͢Δ ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
JWT(JWS)Λ҆શʹ͏ͨΊ ͷϙΠϯτ PayloadʹؚΉใΛΑ͘ݕ౼͢Δ(Ϣʔεέʔεґଘ) ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏(ϥΠϒϥϦΛར༻) ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
PayloadʹؚΉใΛΑ͘ݕ ౼͢Δ ࣗॗ
ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ॺ໊ݕূ࣌ͷΞϧΰϦζϜͷΛͲ͔͜ΒҾ͔͘ HeaderͷalgύϥϝʔλͷΛૉʹ͏ͱ߈ܸΛड͚ΔڪΕ noneʹมߋ͞ΕͯεΩοϓ͞ΕͨΓ RS256 -> HS256 Ͱެ։伴ͷϋογϡΛࢦఆ͞ΕͨΓ ཧ͍ͯ͠Δ伴ʹඥͮ͘Λར༻͠ɺHeaderͷͦͷͱ ͷൺֱʹཹΊΔ
༻్ͱॺ໊ݕূʹ ༻్ͷදݱͱࢦఆ ॺ໊ੜɺݕূ༻ͷ伴ͷཧ ্هͷݕূ
༻్ͷදݱͱࢦఆ ͑Δύϥϝʔλෳ͋Δ Header “typ” ύϥϝʔλ (ྫ: “secevent+jwt”) ɿ伴ཧͱ “kid” ύϥϝʔλ
: ༻్͝ͱʹ伴ࣗମΛ͚Δ Payload ಠࣗΫϨʔϜ : “usage” ͳͲ
༻్ͷදݱͱࢦఆ ͲΕΛ͏͔ॊೈʹஅ͖͢ ػೳ୯ҐͰ伴Λ͚ΒΕΔ : Header “kid” 伴पΓ͍͡Εͳ͍͕Header͍͡ΕΔ : Header “typ”
伴पΓHeader͍͡Εͳ͍ : ಠࣗΫϨʔϜ
“kid” Λ༻͍ͨ༻్ͷཧ ༻్͝ͱʹ伴ϦετΛΘ͚ɺॺ໊ݕূ࣌ʹར༻ ॺ໊ݕূͱ༻్ͷݕূΛ݉ͶΔ ਓ͕ؒΘ͔Γ͍͢Α͏ʹ “(༻్) + (ϥϯμϜͳจࣈ ྻͱ͔ͱ͔)” ͱ͍͏idʹ͢Δ
“typ” Λ༻͍ͨ༻్ͷཧ ॺ໊ݕূલʹఆͰ͖Δ ϥΠϒϥϦʹΑͬͯࢦఆͰ͖ͳ͍ɺࢦఆͰ͖ͯࣗ ಈͰݕূͰ͖ͳ͍ͷ͋ΔͷͰҙ
ಠࣗΫϨʔϜͷར༻ ॺ໊ݕূޙͷఆͱͳΔ ࢦఆɺݕূͱʹಠࣗͷ࣮ͱͳΔ
JWSੜɺݕূσϞʢΔ࣌ؒͳͦ͞͏ʣ
త ॺ໊͖ͭͷJSON Web Token(JSON Web Signature)ͷ ॺ໊ੜ/ݕূΛମݧ ࣮ͰϥΠϒϥϦΛ͏͜ͱΛ͓קΊ͠·͢ɻ
ඞཁͳػೳ ͜ΕΒͷػೳ͕ඞཁͰ͢ɻϓϩάϥϛϯάݴޠʹΑͬͯ ྻͷॲཧͳͲɺຊઆ໌ͱҟͳΔ݁ՌͱͳΔ߹͋ Γ·͢ɻ Base64 URL Encode / Decode (Paddingͳ͠)
JSON Encode / Decode HMAC-SHA256
JWTੜͷྲྀΕ 1. HeaderΛੜ 2. PayloadΛੜ 3. SignatureΛੜ 4. ࿈݁ͯ͠
(1) Header ར༻͢ΔHeaderύϥϝʔλ “typ” : “handson+JWT” # ϋϯζΦϯ༻ʹಠࣗఆٛ “alg” :
“HS256” # HMAC-SHA256 ར༻Λએݴ “kid” : “handson01” # 伴ཧΛҙࣝ͢ΔͨΊʹར༻
(1) Header 1. JSON Encode “{\"alg\":\"HS256\",\"kid\":\"handson01\",\"typ\": \"handson+JWT\"}” 2. Base64 URL
Encode “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0”
(2) Payload ૹΓ͍ͨσʔλ “Foo”:”Bar” “Hoge”:”Fuga”
(2) Payload 1. JSON Encode "{\"Foo\":\"Bar\",\"Hoge\":\"Fuga\"}" 2. Base64 URL Encode
“eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9"
(3) Signature 1. Header, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
(3) Signature 2. Base StringΛHMAC-SHA256ͨ͠ΛBase64 URL Encode 伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON”
“Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM”
(4) Base StringͱSignatureͷΛ“.”Ͱ࿈݁͢Δͱ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTV MwH6iaLoOpxEZf3KcVM”
JWTݕূͷྲྀΕ 1. HeaderΛݕূ 2. SignatureΛݕূ 3. (PayloadΛݕূ)
(1) Header Base64 URL Decode & JSON Decodeͨ݁͠ՌΛݕূ “typ” :
“handson+JWT” # ظ͢ΔͱҰக͢Δ? “kid” : “handson01” # αϙʔτ͍ͯ͠Δ伴? “alg” : “HS256” # kidʹඥͮ͘伴ͱΞϧΰϦζϜ͕Ұ க͢Δ?
(2) Signature ੜͱಉ༷ʹHeader, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
(2) Signature 2. Headerʹࢦఆ͞Εͨkidʹඥͮ͘伴ͰɺBase StringΛ HMAC-SHA256ͨ͠ΛBase64 URL Encodeͯ͠ൺֱ 伴 :
“THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON” “Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM” ※ެ։伴҉߸Λར༻͢Δ߹ॺ໊ݕূ༻ͷؔΛར༻
(3) Payload ॺ໊ݕূ͕ऴΘͬͨޙʹඞཁͳΒPayloadΛݕূ (ࠓճRFC7519Ͱఆٛ͞Ε͍ͯΔiss, aud, expͳͲͷΫ ϨʔϜΛؚΜͰ͍ͳ͍ͨΊݕূෆཁ)
https://jwt.io/ ͰݕূՄೳ