
JWT Boot Camp 2020

ritou
May 22, 2020


Material about JSON Web Token prepared for an in-team study session.



Transcript

  1. JSON Web Token boot camp 2020 ryo.ito (@ritou)  

  2. Goals of this deck: understand what a JSON Web Token is; understand how JSON Web Signature, used by all sorts of services and systems, works; sort out the use cases and the design/implementation points so that you can handle JWTs safely in your own work.

  3. JSON Web Token overview

  4. RFC7519 JSON Web Token (JWT): “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.”

  5. What is a JSON Web Token? A mechanism for encoding all kinds of data (structured data, even binary) into a URL-safe string so that it can be exchanged between multiple services and systems; the encoded string itself is also called a JWT. It can carry a signature (JSON Web Signature, JWS) and can also be encrypted (JSON Web Encryption, JWE).

  6. How JWT came about. Specification work started in the IETF JOSE WG alongside the OpenID Foundation's work on the OpenID Connect specification. Used to pass user information and authentication event information. The aim was a security token that is easier to implement and more compact than the “flexible but complex XML Signature” used with SAML. Even so, only part of the specification is actually used.

  7. Use cases. Look at who issues and who receives: a single service or system both issues and receives; or the issuing and receiving services/systems are different.

  8. Use case: a single service or system both issues and receives. A web application's session cookie: stores the logged-in user's information; issued in an HTTP response, held by the web browser, received in an HTTP request.

  9. Use case: a single service or system both issues and receives. A web application's CSRF protection token: stores a value tied to the session (such as a hash of the session ID); placed in an HTML form, received as POST data.

  10. Use case: the issuing and receiving services/systems are different. An authorization token for calling a web API: stores the user information and so on needed for API access; issued by the authentication server to the client, attached to API requests and received by the API server.

  11. Use case: the issuing and receiving services/systems are different. A signed request when calling a web API: issued by a third-party app, received by the authentication server. Conveying user information in social login: issued by the authentication server, received by the third-party app.

  12. Pros/cons. Pros: flexible data structures can be exchanged; the signature lets you verify issuer/receiver, and an expiry can be attached. Cons: it is not encryption, so the contents can be read; the data size grows with the information stored.

  13. Why it is widespread. The specification is an RFC and libraries are plentiful. Track record of adoption in standardized protocols. Migration away from home-grown signed encodings, and so on. Established best practices: RFC8725 JSON Web Token BCP.

  14. JWT vs Cookie? In the SPA context, JWT gets interpreted as “store the token in WebStorage + send it on API requests”. It gets compared with session ID + Cookie, but JWT is only an encoding method, so the discussion never converges. What needs sorting out is self-contained vs session ID, or a string vs the attributes of an HTTP Cookie, and so on.

  15. JWT = stateless? The fixed idea that JWT = stateless is a waste. It has the property that it “can” embed information, but it is also fine for it to carry just a key for lookup. Combined with a data store it can be applied to a wide range of use cases.

  16. Specification walkthrough

  17. RFCs (7515 ~ 7519). What metadata is needed for exchange between services and systems? -> RFC7519 JSON Web Token. Signatures (generation, verification, required parameters) -> RFC7515 JSON Web Signature. Encryption -> RFC7516 JSON Web Encryption. Key representation for encryption and signing -> RFC7517 JSON Web Key. Algorithms -> RFC7518 JSON Web Algorithms
  18. RFC7515 JSON Web Signature  

  19. A certain string: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

  20. This is how it looks to me: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

  21. What this string is: RFC7515 JSON Web Signature, JWS Compact Serialization, the serialization form that carries a single signature. There is also JWS JSON Serialization, which can hold multiple signatures, but I don't see it being used.

  22. Header. eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk (first segment: Encoded header)

  23. Header. The Base64 URL encoded JWS Header: {"typ":"JWT",\r\n "alg":"HS256"}. Contains parameters about the kind of JWS itself and about the signature. The part starting with {“ becomes eyJ.

  24. Payload. eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk (second segment: Encoded payload)

  25. Payload. The Base64 URL encoded JWS Payload: {"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}. The Payload is not limited to JSON, but the values of the standard claims (parameters) that a JSON payload contains are defined in RFC7519: issuer, receiver/consumer, expiry and so on.

  26. Signature. eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk (third segment: Encoded signature)

  27. Signature. The Base64 URL encoded JWS Signature. The Encoded Header and Encoded Payload joined together are used as the Base String (no tedious canonicalization needed). The algorithm used to produce this value is defined in RFC7518, and the key representation in RFC7517.
  28. RFC7519 JSON Web Token  

  29. JWT claims: “who issued it? who uses it? whose data does it represent?” "jti": identifier of the JWT itself; used for replay attack countermeasures and the like. "iss": identifier of the issuer; a domain or an identifier within the service. "sub": identifier of the subject the JWT is about; a user, for example. "aud": identifier of the JWT's receiver/consumer.

  30. JWT claims: “valid from when until when? when was it issued?” "iat": time of issue. "exp": expiration time. "nbf": time from which it becomes valid.

  31. Example JWT claims (OIDC)

  32. JWT claims: not all of them are mandatory; choose according to context. Some libraries have validation built in. You still need to confirm that the validation meets your requirements, e.g. its granularity.

  33. RFC7518 JSON Web Algorithms  

  34. Signing algorithms. "none": no signature. "HS256", "HS384", "HS512": HMAC SHA-XXX. "RS256", "RS384", "RS512": RSASSA-PKCS1-v1_5. "PS256", "PS384", "PS512": RSASSA-PSS. "ES256", "ES384", "ES512": ECDSA. HMAC: the signature is produced from a hash function + a shared key; used when issuer and verifier are the same, and similar cases.

  35. Signing algorithms. "none": no signature. "HS256", "HS384", "HS512": HMAC SHA-XXX. "RS256", "RS384", "RS512": RSASSA-PKCS1-v1_5. "PS256", "PS384", "PS512": RSASSA-PSS. "ES256", "ES384", "ES512": ECDSA. RSA signatures: signed with the private key, verified with the public key. RS256 is widely used, but…

  36. Signing algorithms. "none": no signature. "HS256", "HS384", "HS512": HMAC SHA-XXX. "RS256", "RS384", "RS512": RSASSA-PKCS1-v1_5. "PS256", "PS384", "PS512": RSASSA-PSS. "ES256", "ES384", "ES512": ECDSA. Elliptic curve signatures: signed with the private key, verified with the public key. The ES family is popular in recent protocols.

  37. Choosing an algorithm. Issuer and receiver are the same: HSXXX; manage the shared secret key safely. Issuer and receiver are different: RSXXX, PSXXX, ESXXX; the issuer hands its public key to the receiver, and in some cases both sides exchange public keys.
  38. RFC7517 JSON Web Key  

  39. The key specification. Key representation: key pairs (public key, private key) and symmetric keys. Key set representation: rotation; changing the supported algorithms.

  40. Parameters for representing a key. "kty": key type, "RSA", "EC", "oct". "use": "sig". "key_ops": "sign", "verify". "alg": "RS256", … , "PS256", … , "ES256", …. "kid": key identifier. "x5u", "x5c", "x5t", "x5t#S256": X.509 certificate related.

  41. Key representation: symmetric key

  42. Key representation: private key (RSA)

  43. Key representation: public key (RSA)

  44. Key representation: public key (elliptic curve)

  45. Key set representation (Google)

  46. Use cases. Publishing the currently valid public keys: jwks_url returns the set of key information in JSON format. Keeping keys in a configuration file: private keys.

  47. Points for implementing JWT (JWS)

  48. RFC8725 JSON Web Token BCP   https://qiita.com/ritou/items/71e58fbc0c5605ec61cb

  49. How to use the kid/typ parameters to use JSON Web Signature simply and safely   https://ritou.hatenablog.com/entry/2020/03/31/142550

  50. Points for using JWT (JWS) safely. Think carefully about what information goes into the Payload. Do the signature verification properly. When using multiple JWTs (JWSs), designate a purpose for each and verify them exclusively.

  51. Points for using JWT (JWS) safely. Think carefully about what information goes into the Payload (depends on the use case). Do the signature verification properly (use a library). When using multiple JWTs (JWSs), designate a purpose for each and verify them exclusively.

  52. Think carefully about what information goes into the Payload (withheld)

  53. Do the signature verification properly. Where does the algorithm value used at verification time come from? If you naively use the value of the alg parameter in the Header, you risk attacks: it can be changed to none so that verification is skipped, or RS256 -> HS256 so that the public key's hash value gets specified. Use the value bound to the key you manage, and limit the Header value to a comparison against it.

  54. Focus on purpose and signature verification: how the purpose is expressed and designated; management of the keys for signing and verification; verification of both.

  55. Expressing and designating the purpose. Several parameters can be used. Header "typ" parameter (e.g. "secevent+jwt"): separate from key management. "kid" parameter: separate keys per purpose. Payload custom claim: "usage" and the like.

  56. Expressing and designating the purpose: which one to use should be decided flexibly. Keys can be separated per function: Header "kid". You cannot touch the keys but can touch the Header: Header "typ". You can touch neither the keys nor the Header: custom claim.

  57. Managing purpose with "kid". Keep a separate key list per purpose and use it at signature verification time, so that signature verification doubles as purpose verification. To keep it human-readable, make the id “(purpose) + (random string, date, etc.)”.

  58. Managing purpose with "typ". Can be checked before signature verification. Beware that some libraries cannot set it, or can set it but cannot verify it automatically.

  59. Using a custom claim. The check happens after signature verification. Both setting and verifying it are your own implementation.

  60. JWS generation and verification demo (probably no time for it)

  61. Purpose: experience generating/verifying the signature of a signed JSON Web Token (JSON Web Signature). In real work I recommend using a library.

  62. Required functions. You need the following. Depending on the programming language, things like array handling may give results that differ from this explanation. Base64 URL Encode / Decode (no padding); JSON Encode / Decode; HMAC-SHA256

  63. JWT generation flow: 1. Generate the Header 2. Generate the Payload 3. Generate the Signature 4. Concatenate and it is done

  64. (1) Header. Header parameters used: "typ": "handson+JWT" # custom-defined for this hands-on; "alg": "HS256" # declares use of HMAC-SHA256; "kid": "handson01" # used to keep key management in mind

  65. (1) Header. 1. JSON Encode: {"alg":"HS256","kid":"handson01","typ":"handson+JWT"} 2. Base64 URL Encode: eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0

  66. (2) Payload. Data to send: "Foo":"Bar", "Hoge":"Fuga"

  67. (2) Payload. 1. JSON Encode: {"Foo":"Bar","Hoge":"Fuga"} 2. Base64 URL Encode: eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  68. (3) Signature. 1. Join Header and Payload with “.” to make the Base String: eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  69. (3) Signature. 2. Base64 URL Encode the HMAC-SHA256 of the Base String. Key: THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON. Result: Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM

  70. (4) Done. Join the Base String and the Signature value with “.” and it is complete: eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM

  71. JWT verification flow: 1. Verify the Header 2. Verify the Signature 3. (Verify the Payload)

  72. (1) Header. Base64 URL Decode & JSON Decode, then check the result: "typ": "handson+JWT" # matches the expected value? "kid": "handson01" # a key we support? "alg": "HS256" # matches the algorithm of the key bound to kid?

  73. (2) Signature. 1. Exactly as in generation, join Header and Payload with “.” to make the Base String: eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  74. (2) Signature. 2. With the key bound to the kid given in the Header, HMAC-SHA256 the Base String, Base64 URL Encode it and compare. Key: THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON. Value: Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM. Note: when using public-key cryptography, use the signature verification function instead.

  75. (3) Payload. After signature verification has finished, verify the Payload if needed (not needed this time, since the token contains none of the claims defined in RFC7519 such as iss, aud, exp).
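The hands-on generation steps (1)-(4) and verification steps (1)-(3), written out as an added Python example (not code from the deck). The `KEYS` registry indexed by `kid`, which pins the algorithm, the expected `typ` and the secret for each key, is an assumption made here to follow the deck's advice to take `alg` from the key you manage and only compare the Header against it; the kid/typ/secret values are the ones used in the hands-on.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key registry (assumption): each "kid" pins its alg, expected typ and secret.
KEYS = {
    "handson01": {"alg": "HS256", "typ": "handson+JWT",
                  "secret": b"THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON"},
}

def b64url_encode(data: bytes) -> str:
    """Base64 URL encoding without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # re-add padding first

def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")

def sign_hs256(kid: str, payload: dict) -> str:
    """Generation (1)-(4): header, payload, HMAC-SHA256 signature, joined with '.'."""
    key = KEYS[kid]
    header = {"alg": key["alg"], "kid": kid, "typ": key["typ"]}
    base_string = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    sig = hmac.new(key["secret"], base_string.encode("ascii"), hashlib.sha256).digest()
    return base_string + "." + b64url_encode(sig)

def verify_hs256(token: str) -> Optional[dict]:
    """Verification (1)-(3): returns the payload, or None if any check fails."""
    try:
        enc_header, enc_payload, enc_sig = token.split(".")
        header = json.loads(b64url_decode(enc_header))
        sig = b64url_decode(enc_sig)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    kid = header.get("kid") if isinstance(header, dict) else None
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None or header.get("typ") != key["typ"]:  # (1) unknown key or wrong purpose
        return None
    if header.get("alg") != key["alg"]:  # (1) alg comes from the key; the header is only compared
        return None                      #     (this rejects "none" and RS256 -> HS256 swaps)
    base_string = enc_header + "." + enc_payload
    expected = hmac.new(key["secret"], base_string.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # (2) constant-time comparison
        return None
    return json.loads(b64url_decode(enc_payload))  # (3) iss/aud/exp checks would go here
```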

  76. It can also be verified at https://jwt.io/