JWT Boot Camp 2020

ritou
May 22, 2020

Material on JSON Web Token prepared for an internal team study session.

Transcript

  1. JSON Web Token
    boot camp 2020
    ryo.ito (@ritou)

  2. Goals of this deck
    Understand what a JSON Web Token is
    Understand how JSON Web Signature, which is used in all sorts of services and systems, works
    Sort out the use cases and the design/implementation points, so that you can handle JWTs safely in your own work

  3. JSON Web Token overview

  4. RFC JSON Web Token (JWT)

    "JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties."

  5. What is a JSON Web Token
    A mechanism for encoding all kinds of data (structured data, even binary) into a URL-safe string so that it can be exchanged between multiple services and systems; the encoded string itself is also called a JWT
    It can carry a signature (JSON Web Signature, JWS) and can also be encrypted (JSON Web Encryption, JWE)

  6. How JWT came about
    Specification work began in the IETF JOSE WG alongside the OpenID Foundation's work on the OpenID Connect specification
    Used to pass user information and authentication event information
    Aimed at a security token that is easier to implement and more compact than the "flexible but complex XML Signature" that SAML had been using
    Even so, only part of the specification is actually in use

  7. Use cases
    Look at who issues and who receives
    A single service or system both issues and receives
    Issuing and receiving are done by different services or systems

  8. Use case: a single service or system both issues and receives
    Session cookie of a web application
    Stores information about the logged-in user
    Issued in an HTTP response, held by the web browser, received in an HTTP request

  9. Use case: a single service or system both issues and receives
    CSRF protection token of a web application
    Stores a value bound to the session (such as a hash of the session ID)
    Placed in an HTML form, received as POST data

  10. Use case: issuing and receiving are done by different services or systems
    Authorization token used when calling a Web API
    Stores the user information and so on that API access needs
    Issued by the authentication server to the client, attached to API requests and received by the API server

  11. Use case: issuing and receiving are done by different services or systems
    Signed requests when calling a Web API
    Issued by a third-party app, received by the authentication server
    Conveying user information in social login
    Issued by the authentication server, received by the third-party app

  12. Pros and cons
    Pros
    Flexible data structures can be exchanged
    The signature lets you verify the issuer and the intended recipient, and an expiry can be attached
    Cons
    It is not encryption, so anyone can look inside
    The data size grows with the information you store in it

  13. Why it has spread
    The specification is an RFC and libraries are plentiful
    Track record of adoption in standardized protocols
    Migration from home-grown signed encodings, and so on
    Established best practices
    RFC8725 JSON Web Token BCP

  14. JWT vs Cookie?
    In the SPA context, "JWT" is read as "store a token in WebStorage and send it with API requests"
    It gets compared with session ID + cookie, but JWT is only an encoding, so the discussion never settles
    What actually needs sorting out is self-contained vs session ID, or a bare string vs the attributes of an HTTP cookie

  15. JWT = stateless?
    The fixed idea that JWT = stateless is a waste
    It has the property that it "can" embed information, but it may equally carry just a key used for lookup
    Combined with a data store it can be applied to a wide range of use cases

  16. Specification walkthrough

  17. RFCs (7515 ~ 7519)
    What metadata is needed for exchange between services and systems? -> RFC7519 JSON Web Token
    Signatures (generation, verification, required parameters) -> RFC7515 JSON Web Signature
    Encryption -> RFC7516 JSON Web Encryption
    Representation of keys for encryption and signing -> RFC7517 JSON Web Key
    Algorithms -> RFC7518 JSON Web Algorithms

  18. RFC7515 JSON Web Signature

  19. A certain string
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

  20. This is how I see it
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
    .
    eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
    .
    dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

  21. What this string actually is
    RFC7515 JSON Web Signature
    JWS Compact Serialization: the serialization form that carries a single signature
    There is also JWS JSON Serialization, which can carry multiple signatures, but I hardly ever see it used

  22. Header
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
    .
    eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
    .
    dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

    Encoded header (the first segment)

  23. Header
    The JWS Header, Base64 URL encoded
    {"typ":"JWT",\r\n "alg":"HS256"}
    Contains parameters about the kind of JWS this is and about the signature
    The part starting with {" is what becomes eyJ

  24. Payload
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
    .
    eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
    .
    dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

    Encoded payload (the second segment)

  25. Payload
    The JWS Payload, Base64 URL encoded
    {"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}
    The payload is not limited to JSON, but when it is JSON, the standard claims (parameters) it may contain are defined in RFC7519
    Issuer, recipient/audience, expiry, and so on

  26. Signature
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
    .
    eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
    .
    dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

    Encoded signature (the third segment)

  27. Signature
    The JWS Signature, Base64 URL encoded
    The Encoded Header and the Encoded Payload joined with "." are used as the base string (no tedious canonicalization is needed)
    The algorithms for producing this value are defined in RFC7518, and the key representation in RFC7517
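
As an added example (not code from the original deck), here is the decoding that slides 19 to 27 walk through, applied to the deck's own sample string: split the compact serialization on ".", base64url-decode each segment after restoring the padding the compact form strips, and keep the first two encoded segments as the signing input. Only the token shown on the slides is used; no key is involved and no signature check happens at this stage.

```python
import base64
import json

# The sample JWS Compact Serialization shown on the slides, embedded here as
# the input to inspect (it is the HS256 example from RFC 7515, Appendix A.1).
SAMPLE_JWS = (
    "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
    ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
    ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
)


def b64url_decode(segment: str) -> bytes:
    """base64url decode without padding, as JWS uses it (RFC 7515, section 2)."""
    # The compact form drops the trailing '='; put it back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jws(token: str) -> dict:
    """Split a compact serialization into its segments and decode them.

    This only decodes. Nothing here is trustworthy until the signature has
    been verified against a key the receiver manages.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature (three segments)")
    enc_header, enc_payload, enc_signature = parts
    return {
        "header": json.loads(b64url_decode(enc_header)),
        "payload": json.loads(b64url_decode(enc_payload)),
        # HS256 produces a 32-byte MAC; its base64url form is the 43-char third segment.
        "signature_len": len(b64url_decode(enc_signature)),
        # The signing input is the two encoded segments joined by '.', exactly
        # as they appear in the token; the JSON is never canonicalized.
        "signing_input": f"{enc_header}.{enc_payload}",
    }


if __name__ == "__main__":
    for name, value in inspect_jws(SAMPLE_JWS).items():
        print(f"{name}: {value}")
```

Both JSON segments start with `eyJ` because they begin with `{"` followed by a letter, which is the quick visual cue the slides mention; the decoded header keeps the `\r\n ` whitespace the RFC example contains, which is why the signing input is taken from the encoded segments rather than re-serialized JSON.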

  28. RFC7519 JSON Web Token

  29. JWT claims
    "Who issued it? Who consumes it? Whose data does it describe?"
    "jti": identifier of the JWT itself; used for replay protection and the like
    "iss": identifier of the issuer; a domain or an identifier within the service
    "sub": identifier of the subject the JWT is about; a user, for example
    "aud": identifier of the JWT's recipient or consumer

  30. JWT claims
    "From when until when is it valid? When was it issued?"
    "iat": time of issuance
    "exp": expiration time
    "nbf": time from which it becomes valid

  31. Example JWT claims (OIDC)

  32. JWT claims
    Not all of them are mandatory: choose according to context
    Some libraries come with validation features
    You still need to check that they meet your requirements, such as the granularity of the validation
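
An added example, not from the original deck: the registered-claim checks of slides 29 to 32 written out against the deck's own payload (`iss` and `exp` plus a custom claim), so you can compare what your library actually validates with what you require. The expected issuer and audience, the `now` timestamps, and the `leeway` parameter are constructed for this example; the check belongs after signature verification, never before it.

```python
import time
from typing import Optional

# Constructed sample payload, reusing the claim values from the deck's payload
# slide. It carries iss and exp but no aud, nbf or iat.
SAMPLE_CLAIMS = {"iss": "joe", "exp": 1300819380, "http://example.com/is_root": True}


class ClaimError(ValueError):
    """A registered claim did not satisfy the receiver's requirements."""


def validate_claims(claims: dict, *, expected_iss: str, expected_aud: Optional[str] = None,
                    now: Optional[int] = None, leeway: int = 0) -> dict:
    """Apply the RFC 7519 registered-claim checks a receiver cares about.

    Call this only after the signature has been verified; an unauthenticated
    payload cannot be trusted to describe its own issuer or lifetime.
    expected_iss / expected_aud are the receiver's configuration, now lets the
    caller fix the clock (defaults to the current time) and leeway absorbs a
    few seconds of clock skew.
    """
    if now is None:
        now = int(time.time())
    # NumericDate claims must be numbers; anything else is rejected, not coerced.
    for name in ("exp", "nbf", "iat"):
        if name in claims and not isinstance(claims[name], (int, float)):
            raise ClaimError(f"{name} is not a NumericDate")
    # iss: the token must come from the issuer this receiver trusts.
    if claims.get("iss") != expected_iss:
        raise ClaimError(f"unexpected issuer {claims.get('iss')!r}")
    # aud: a string or an array of strings; this receiver must be named in it.
    if expected_aud is not None:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            raise ClaimError("token is not intended for this audience")
    # exp: the current time must be strictly before the expiration time.
    if "exp" in claims and now >= claims["exp"] + leeway:
        raise ClaimError("token has expired")
    # nbf: the token must not be accepted before this time.
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ClaimError("token is not yet valid")
    # iat: an issuance time in the future points to clock trouble or forgery.
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ClaimError("token claims to have been issued in the future")
    return claims


def claims_ok(claims: dict, **requirements) -> bool:
    """True/False wrapper around validate_claims for callers that only branch."""
    try:
        validate_claims(claims, **requirements)
        return True
    except ClaimError:
        return False


if __name__ == "__main__":
    print(claims_ok(SAMPLE_CLAIMS, expected_iss="joe", now=1300819000))
```

The deck's payload is accepted one second before its `exp` and rejected at `exp` itself, and a missing `aud` is a rejection whenever the receiver expects one; an absent claim never silently passes the check that needs it.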

  33. RFC7518 JSON Web Algorithms

  34. Signing algorithms
    "none": no signature
    "HS256", "HS384", "HS512": HMAC SHA-XXX
    "RS256", "RS384", "RS512": RSASSA-PKCS1-v1_5
    "PS256", "PS384", "PS512": RSASSA-PSS
    "ES256", "ES384", "ES512": ECDSA

    HMAC: the signature is produced with a hash function and a shared key
    Used when, for instance, the issuer and the verifier are the same party

  35. Signing algorithms
    "none": no signature
    "HS256", "HS384", "HS512": HMAC SHA-XXX
    "RS256", "RS384", "RS512": RSASSA-PKCS1-v1_5
    "PS256", "PS384", "PS512": RSASSA-PSS
    "ES256", "ES384", "ES512": ECDSA

    RSA signatures
    Sign with the private key, verify with the public key
    RS256 is widely used, but...

  36. Signing algorithms
    "none": no signature
    "HS256", "HS384", "HS512": HMAC SHA-XXX
    "RS256", "RS384", "RS512": RSASSA-PKCS1-v1_5
    "PS256", "PS384", "PS512": RSASSA-PSS
    "ES256", "ES384", "ES512": ECDSA

    Elliptic curve signatures
    Sign with the private key, verify with the public key
    In recent protocols the ES family is popular

  37. Choosing the algorithm
    Issuer and receiver are the same: HSXXX
    Manage the shared secret key securely
    Issuer and receiver are different: RSXXX, PSXXX, ESXXX
    The issuing side hands its public key to the receiving side
    In some cases both sides exchange public keys

  38. RFC7517 JSON Web Key

  39. The key specification
    Representation of keys
    Key pairs (public key, private key) and symmetric keys
    Representation of key sets
    Rotation
    Changing the supported algorithms

  40. Parameters for representing a key
    "kty": key type; "RSA", "EC", "oct"
    "use": "sig"
    "key_ops": "sign", "verify"
    "alg": "RS256", ..., "PS256", ..., "ES256", ...
    "kid": key identifier
    "x5u", "x5c", "x5t", "x5t#s256": X.509 certificate related

  41. Key representation: symmetric key

  42. Key representation: private key (RSA)

  43. Key representation: public key (RSA)

  44. Key representation: public key (elliptic curve)

  45. Key set representation (Google)

  46. Use cases
    Publishing the currently valid public key information
    jwks_url: returns the set of key information in JSON form
    Holding keys in configuration files
    Private keys

  47. Points for implementing JWT (JWS)

  48. RFC8725
    JSON Web Token BCP

    https://qiita.com/ritou/items/71e58fbc0c5605ec61cb

  49. How to use the kid/typ parameters to use JSON Web Signature simply and safely

    https://ritou.hatenablog.com/entry/2020/03/31/142550

  50. Points for using JWT (JWS) safely
    Think carefully about what goes into the payload
    Perform the signature verification properly
    When using several kinds of JWT (JWS), designate each one's purpose and verify them exclusively

  51. Points for using JWT (JWS) safely
    Think carefully about what goes into the payload (depends on the use case)
    Perform the signature verification properly (use a library)
    When using several kinds of JWT (JWS), designate each one's purpose and verify them exclusively

  52. Think carefully about what goes into the payload
    (omitted)

  53. Perform the signature verification properly
    Where does the algorithm used at verification time come from?
    Taking the header's alg parameter value at face value opens you up to attack
    It can be changed to none so that verification is skipped
    It can be changed from RS256 to HS256 so that an HMAC value computed with the public key is supplied
    Use the value bound to the key you manage, and only compare the header's value against it

  54. Focus on purpose and signature verification
    Expressing and designating the purpose
    Managing the keys for signing and verification
    Verifying the above

  55. Expressing and designating the purpose
    Several parameters can be used
    Header
    "typ" parameter (example: "secevent+jwt"): independent of key management
    "kid" parameter: a separate key for each purpose
    Payload
    A custom claim such as "usage"

  56. Expressing and designating the purpose
    Which one to use should be decided flexibly
    You can split keys per function: Header "kid"
    You cannot touch the keys but can touch the header: Header "typ"
    You can touch neither the keys nor the header: a custom claim

  57. Managing purpose with "kid"
    Keep a separate key list per purpose and use it at signature verification time
    Signature verification then doubles as verification of the purpose
    Make the id "(purpose) + (a random string, a date, or similar)" so that humans can read it

  58. Managing purpose with "typ"
    Can be checked before signature verification
    Note that some libraries cannot set it, and some that can set it cannot verify it automatically

  59. Using a custom claim
    The check happens after signature verification
    Both setting and verifying it are your own implementation

  60. JWS generation and verification demo (probably no time for it)

  61. Purpose
    Experience generating and verifying the signature of a signed JSON Web Token (JSON Web Signature)
    In real work I recommend using a library.

  62. Required functions
    You need the following functions. Depending on the programming language, things like array handling may produce results that differ from this explanation.
    Base64 URL Encode / Decode (without padding)
    JSON Encode / Decode
    HMAC-SHA256

  63. JWT generation flow
    1. Generate the Header
    2. Generate the Payload
    3. Generate the Signature
    4. Join them and you're done

  64. (1) Header
    Header parameters used
    "typ": "handson+JWT" # custom value defined for this hands-on
    "alg": "HS256" # declares that HMAC-SHA256 is used
    "kid": "handson01" # used to keep key management in mind

  65. (1) Header
    1. JSON Encode
    {"alg":"HS256","kid":"handson01","typ":"handson+JWT"}
    2. Base64 URL Encode
    eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0

  66. (2) Payload
    The data to send
    "Foo":"Bar"
    "Hoge":"Fuga"

  67. (2) Payload
    1. JSON Encode
    {"Foo":"Bar","Hoge":"Fuga"}
    2. Base64 URL Encode
    eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  68. (3) Signature
    1. Join the Header and the Payload with "." to make the base string
    eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  69. (3) Signature
    2. HMAC-SHA256 the base string and Base64 URL encode the result
    Key: "THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON"
    Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM

  70. (4) Done
    Join the base string and the Signature value with "." and the JWT is complete
    eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM

  71. JWT verification flow
    1. Verify the Header
    2. Verify the Signature
    3. (Validate the Payload)

  72. (1) Header
    Check the result of Base64 URL decoding and JSON decoding
    "typ": "handson+JWT" # does it match the expected value?
    "kid": "handson01" # is this a key we support?
    "alg": "HS256" # does it match the algorithm of the key bound to this kid?

  73. (2) Signature
    1. As in generation, join the Header and the Payload with "." to make the base string
    eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSIsInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9

  74. (2) Signature
    2. With the key bound to the kid given in the Header, HMAC-SHA256 the base string, Base64 URL encode it, and compare
    Key: "THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON"
    Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3KcVM
    * When public-key cryptography is used, use the signature verification function instead

  75. (3) Payload
    After signature verification succeeds, validate the Payload if necessary
    (Not needed this time, since the token contains none of the claims defined in RFC7519 such as iss, aud, exp)
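
As an added example that is not the deck's own code, the whole hands-on in Python: generation steps (1) to (4) from slides 63 to 70 and verification steps (1) to (3) from slides 71 to 75, built so that the verifier resolves the algorithm from the key it manages and only compares the header's `alg` against it, which is the point of slide 53. The key bytes, header values and payload are the deck's; the JWK-set shape of the key store, its `use` value and the `JWSError` type are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# The hands-on sample key from the deck, and the purpose marker from its header.
SAMPLE_KEY = b"THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON"
EXPECTED_TYP = "handson+JWT"
SUPPORTED_ALGS = {"HS256"}  # what this receiver is willing to verify at all


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed key store shaped like a JWK set (RFC 7517) with one symmetric
# ("oct") key; kid/alg/use are the values this example assumes.
KEY_SET = {"keys": [
    {"kty": "oct", "kid": "handson01", "alg": "HS256", "use": "sig",
     "k": b64url_encode(SAMPLE_KEY)},
]}


class JWSError(ValueError):
    """Raised for any token this receiver refuses."""


def find_key(kid) -> dict:
    for jwk in KEY_SET["keys"]:
        if jwk["kid"] == kid and jwk.get("use") == "sig":
            return jwk
    raise JWSError(f"unknown kid {kid!r}")


def hs256(signing_input: str, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest())


def create_jws(payload: dict, kid: str) -> str:
    """Generation steps (1)-(4): header, payload, signature, join."""
    jwk = find_key(kid)
    header = {"alg": jwk["alg"], "kid": kid, "typ": EXPECTED_TYP}
    # Compact JSON with sorted keys reproduces the deck's byte-exact encoding.
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":"), sort_keys=True).encode())
    enc_payload = b64url_encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{enc_header}.{enc_payload}"
    return f"{signing_input}.{hs256(signing_input, b64url_decode(jwk['k']))}"


def verify_jws(token: str) -> dict:
    """Verification steps (1)-(3); returns the payload only if the MAC checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSError("malformed compact serialization")
    enc_header, enc_payload, enc_signature = parts
    header = json.loads(b64url_decode(enc_header))
    # (1) Header: purpose first, then key lookup by kid. The algorithm is the
    # one recorded with our key; the header's alg is merely compared to it, so
    # "none" or a swapped algorithm can never choose the verification method.
    if header.get("typ") != EXPECTED_TYP:
        raise JWSError("unexpected typ")
    jwk = find_key(header.get("kid"))
    if jwk["alg"] not in SUPPORTED_ALGS or header.get("alg") != jwk["alg"]:
        raise JWSError("alg does not match the key")
    # (2) Recompute the MAC over the same base string; compare in constant time.
    expected = hs256(f"{enc_header}.{enc_payload}", b64url_decode(jwk["k"]))
    if not hmac.compare_digest(expected, enc_signature):
        raise JWSError("signature mismatch")
    # (3) Only now is the payload worth decoding (and, when it carries
    # exp/iss/aud claims, validating).
    return json.loads(b64url_decode(enc_payload))


def is_valid(token: str) -> bool:
    try:
        verify_jws(token)
        return True
    except ValueError:  # JWSError, bad base64 and bad JSON all land here
        return False


if __name__ == "__main__":
    token = create_jws({"Foo": "Bar", "Hoge": "Fuga"}, "handson01")
    print(token)
    print(verify_jws(token))
```

Run it and compare the three segments with slides 65, 67 and 69; the first two are reproduced byte for byte because the header and payload are serialized as compact JSON with sorted keys, exactly as the deck encodes them. Rejections happen in the order the slides give: wrong `typ` before any key lookup, unknown `kid` before any MAC computation, and the payload is decoded last.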

  76. Verification is also possible at https://jwt.io/