JWT Boot Camp 2020

JSON Web Token
boot camp 2020
ryo.ito (@ritou)

View Slide

͜ͷࢿྉ͕๬ΉGOAL
JSON Web Tokenͱ͸ͲΜͳ΋ͷ͔Λཧղ͢Δ
৭ʑͳαʔϏεɺγεςϜͰ࢖ΘΕ͍ͯΔJSON Web
Signatureͷ࢓૊Έʹ͍ͭͯཧղ͢Δ
Ϣʔεέʔεͱઃܭ/࣮૷ͷϙΠϯτΛ੔ཧ͠ɺۀ຿Ͱ
΋҆શʹJWTΛѻ͑ΔΑ͏ʹͳΔ

View Slide

JSON Web Token֓ཁ

View Slide

3'$+40/8FC5PLFO +85

“JSON Web Token (JWT) is a compact, URL-
safe means of representing claims to be
transferred between two parties.”

View Slide

JSON Web Tokenͱ͸
͍ΖΜͳσʔλ(ߏ଄Խ͞Εͨ΋ͷ΍όΠφϦ·Ͱ)Λ
ෳ਺ͷαʔϏεɺγεςϜؒͰ΍ΓͱΓ͢ΔͨΊʹ
URLηʔϑͳจࣈྻʹΤϯίʔυ͢Δ࢓૊Έ΋͘͠͸
Τϯίʔυ͞Εͨจࣈྻࣗମ͕JWTͱݺ͹Ε͍ͯΔ
ॺ໊Λ͚ͭͨΓ(JSON Web Signature, JWS)ɺ҉߸
Խ΋Ͱ͖Δ(JSON Web Encryption, JWE)

View Slide

JWT஀ੜͷ͖͔͚ͬ
OpenIDϑΝ΢ϯσʔγϣϯʹΑΔOpenID Connectͷ࢓༷
ࡦఆʹ߹ΘͤͯIETFͷJOSE WGʹͯ࢓༷ࡦఆ։࢝
Ϣʔβʔ৘ใɺೝূΠϕϯτ৘ใͷड͚౉͠ʹར༻
SAMLͰ࢖ΘΕ͖ͯͨʮॊೈ͔ͭෳࡶͰ͋ΔXMLॺ໊ʯΑ
Γ΋༰қʹ࣮૷Ͱ͖ɺίϯύΫτʹදݱͰ͖ΔηΩϡϦ
ςΟτʔΫϯΛ໨ࢦͨ͠
ͦΕͰ΋·ͩ࢓༷ͷҰ෦͔͠࢖ΘΕ͍ͯͳ͍

View Slide

Ϣʔεέʔε
ൃߦऀ/ड৴ऀʹ஫໨
୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴
ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ

View Slide

Ϣʔεέʔε:
WebΞϓϦέʔγϣϯͷηογϣϯCookie
ϩάΠϯதͷϢʔβʔ৘ใΛ֨ೲ
HTTP Responseͱͯ͠ൃߦɺWebϒϥ΢β͕อ
࣋ɺHTTP Requestͱͯ͠ड৴

View Slide

Ϣʔεέʔε:
WebΞϓϦέʔγϣϯͷCSRFରࡦτʔΫϯ
ηογϣϯʹඥͮ͘஋(ηογϣϯIDͷϋογϡ஋ͳ
Ͳ)Λ֨ೲ
HTMLϑΥʔϜ಺ʹࢦఆɺPOSTσʔλͱͯ͠ड৴

View Slide

Ϣʔεέʔε:
Web APIΛར༻͢ΔࡍͷೝՄ༻τʔΫϯ
APIΞΫηεʹඞཁͳϢʔβʔ৘ใͳͲΛ֨ೲ
ೝূαʔόʔ͕ΫϥΠΞϯτʹൃߦɺAPIϦΫΤετ
ʹ෇༩ͯ͠APIαʔόʔ͕ड৴

View Slide

Ϣʔεέʔε:
Web APIΛར༻͢Δࡍͷॺ໊͖ͭϦΫΤετ
3rdύʔςΟʔΞϓϦ͕ൃߦɺೝূαʔόʔ͕ड৴
ιʔγϟϧϩάΠϯʹ͓͚ΔϢʔβʔ৘ใͷ఻ୡ
ೝূαʔόʔ͕ൃߦɺ3rdύʔςΟʔΞϓϦ͕ड৴

View Slide

ϝϦοτ/σϝϦοτ
ϝϦοτ
ॊೈͳσʔλߏ଄Λ΍ΓͱΓՄೳ
ॺ໊ʹΑΔൃߦऀ/ड৴ऀͷݕূɺ༗ޮظݶ΋͚ͭΒΕΔ
σϝϦοτ
҉߸ԽͰ͸ͳ͍ͷͰத਎Λ೷͚Δ
֨ೲ͢Δ৘ใʹΑͬͯσʔλαΠζ͕૿େ

View Slide

ීٴ͍ͯ͠Δཧ༝
࢓༷͕RFCԽ͞Ε͓ͯΓɺϥΠϒϥϦ΋ॆ࣮
ඪ४ԽϓϩτίϧͰͷ࠾༻࣮੷
ಠࣗͷॺ໊͖ͭΤϯίʔσΟϯά͔ΒͷҠߦͳͲ
ཱ֬͞ΕͨϕετϓϥΫςΟε
RFC8725 JSON Web Token BCP

View Slide

JWT vs Cookie?
SPAͷจ຺ͰJWT = WebStorageʹτʔΫϯอଘ
+APIϦΫΤετͱ͍͏ղऍ͕͞Ε͍ͯΔ
ηογϣϯID + Cookieͱൺֱ͞ΕΔ͕JWT͸͋͘·
ͰΤϯίʔυํ๏ͳͷͰ࿩͕·ͱ·Βͳ͍
಺แܕ vs ηογϣϯID΋͘͠͸จࣈྻ + HTTP
CookieͷଐੑͱͷൺֱͳͲ੔ཧ͕ඞཁ

View Slide

JWT = εςʔτϨε?
JWT=εςʔτϨεͱ͍͏ݻఆ؍೦͸΋͍ͬͨͳ͍
৘ใΛ಺แ “Ͱ͖Δ” ಛੑΛ͍࣋ͬͯΔ͕ɺͦΕʹࢀ
রͷͨΊͷΩʔΛ࣋ͬͯ΋ྑ͍
σʔλετΞͱͷ૊Έ߹ΘͤΛߟྀ͢Δͱ෯޿͍
Ϣʔεέʔεʹద༻Մೳ

View Slide

࢓༷ղઆ

View Slide

RFCs (7515 ~ 7519)
αʔϏεɺγεςϜؒͷ΍ΓͱΓʹඞཁͳϝλσʔλ͸ʁ ->
RFC7519 JSON Web Token
ॺ໊ؔ࿈(ੜ੒ɺݕূɺඞཁͳύϥϝʔλ) -> RFC7515 JSON
Web Signature
҉߸Խ -> RFC7516 JSON Web Encryption
҉߸Խ΍ॺ໊ͷͨΊͷ伴දݱ -> RFC7517 JSON Web Key
ΞϧΰϦζϜ -> RFC7518 JSON Web Algorithms

View Slide

RFC7515 JSON Web Signature

View Slide

ͱ͋Δจࣈྻ
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3Mi
OiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0d
HA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ
4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

View Slide

ࢲʹ͸͜͏ݟ͑·͢
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
.
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dH
A6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
.
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

View Slide

͜ͷจࣈྻͷਖ਼ମ
RFC7515 JSON Web Signature
JWS Compact Serialization : ୯Ұͷॺ໊Λ࣋ͭ
γϦΞϥΠζܗࣜ
ෳ਺ͷॺؚ໊͕ΊΒΕΔJWS JSON Serializationͱ
͍͏΋ͷ΋͋Δ͕࢖ΘΕ͍ͯΔͷ͸ݟ͔͚ͳ͍

View Slide

Header
.
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ
ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
.

Encoded header

View Slide

Header
Base64 URL Encode͞ΕͨJWS Header
{\"typ\":\"JWT\",\r\n \”alg\”:\”HS256\"}
JWSࣗମͷछྨ΍ॺ໊ʹؔ͢ΔύϥϝʔλΛؚΉ

{“͔Β࢝·Δ෦෼͕eyJͱͳΔ

View Slide

Payload
.
.

Encoded payload

View Slide

Payload
Base64 URL Encode͞ΕͨJWS Payload
{\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http://
example.com/is_root\":true}
Payload͸JSONʹݶΒͳ͍͕ɺJSONʹؚΉඪ४తͳΫ
ϨʔϜ(ύϥϝʔλ)ͷ஋͕ RFC7519 ʹͯఆٛ͞Ε͍ͯΔ
ൃߦऀɺड৴/ར༻ऀɺ༗ޮظݶͳͲ

View Slide

Signature
.
.

Encoded signature

View Slide

Signature
Base64 URL Encode͞ΕͨJWS Signature
Encoded Header ͱ Encoded PayloadΛ࿈݁ͨ͠΋ͷ
ΛBase Stringͱͯ͠ར༻(໘౗ͳਖ਼نԽ͸ෆཁ)
͜ͷ஋Λੜ੒͢ΔࡍͷΞϧΰϦζϜ͕RFC7518, 伴ද
ݱ͕RFC7517Ͱఆٛ͞Ε͍ͯΔ

View Slide

RFC7519 JSON Web Token

View Slide

JWTΫϨʔϜ
ʮ୭͕ൃߦʁ୭͕ར༻ʁ୭ͷσʔλΛදݱʁʯ
“jti” : JWTࣗମͷࣝผࢠ.ϦϓϨΠ߈ܸରࡦͳͲʹར༻.
“iss” : ൃߦऀͷࣝผࢠ.υϝΠϯ΍αʔϏε಺ࣝผࢠ.
“sub” : JWTͷओޠͱͳΔओମͷࣝผࢠ. ϢʔβʔͳͲ.
“aud” : JWTͷड৴ऀɺར༻ऀͷࣝผࢠ

View Slide

JWTΫϨʔϜ
ʮ͍͔ͭΒ͍ͭ·Ͱ༗ޮʁ͍ͭൃߦ͞Εͨʁʯ
“iat” : ൃߦ೔࣌
“exp” : ༗ޮظݶ
“nbf” : ༗ޮظݶͷ։࢝೔࣌

View Slide

JWTΫϨʔϜͷྫ (OIDC)

View Slide

JWTΫϨʔϜ
શͯར༻ඞਢͰ͸ͳ͍ : ίϯςΩετʹΑͬͯબ୒
ϥΠϒϥϦʹΑͬͯ͸ݕূػೳΛ͍࣋ͬͯΔ΋ͷ΋
ݕূͷཻ౓ͳͲɺཁ݅Λຬ͔ͨ͢ͷ֬ೝ͸ඞཁ

View Slide

RFC7518 JSON Web Algorithms

View Slide

ॺ໊༻ΞϧΰϦζϜ
“none” : ॺ໊ͳ͠
“HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5
“PS256”, “PS384”, “PS512” : RSASSA-PSS
“ES256”, “ES384”, “ES512” : ECDSA

ϋογϡؔ਺ + ڞ༗伴Ͱॺ໊Λੜ੒
ൃߦɺݕূ͕ಉҰͷ৔߹ͳͲͰར༻

View Slide

“ES256”, “ES384”, “ES512” : ECDSA

RSAॺ໊
ൿີ伴Ͱॺ໊ੜ੒ɺެ։伴Ͱݕূ
RS256͕Α͘࢖ΘΕ͍ͯΔ͕…

View Slide

“ES256”, “ES384”, “ES512” : ECDSA

ପԁۂઢॺ໊
ൿີ伴Ͱॺ໊ੜ੒ɺެ։伴Ͱݕূ
࠷ۙͷϓϩτίϧͰ͸ESܥ͕ਓؾ

View Slide

ΞϧΰϦζϜͷ࢖͍෼͚
ൃߦ/ड৴͕ಉҰ : HSXXX
ڞ༗ൿີ伴Λ҆શʹ؅ཧ͢Δ
ൃߦ/ड৴͕ผ : RSXXX, PSXXX, ESXXX
ൃߦଆ͕ड৴ଆʹެ։伴Λ౉͢
৔߹ʹΑͬͯ͸͓ޓ͍ʹެ։伴Λ౉͠߹͏

View Slide

RFC7517 JSON Web Key

View Slide

伴ʹؔ͢Δ࢓༷
伴ͷදݱ
伴ϖΞ(ެ։伴ɺൿີ伴)ɺରশ伴
伴ͷηοτͷදݱ
ϩʔςʔγϣϯ
αϙʔτ͢ΔΞϧΰϦζϜͷมߋ

View Slide

伴දݱͷͨΊͷύϥϝʔλ
“kty” : 伴ͷछྨ “RSA”, “EC”, “oct”
“use” : “sig”
“key_ops” : “sign”, “verify”
“alg” : “RS256”, … , “PS256”, … , “ES256”, …
“kid” : 伴ͷࣝผࢠ
“x5u”, “x5c”, “x5t”, “x5t#s256” : X.509ূ໌ॻؔ࿈

View Slide

伴ͷදݱ : ରশ伴

View Slide

伴ͷදݱ : ൿີ伴(RSA)

View Slide

伴ͷදݱ : ެ։伴(RSA)

View Slide

伴ͷදݱ : ެ։伴(ପԁۂઢ)

View Slide

伴ηοτͷදݱ (Google)

View Slide

Ϣʔεέʔε
༗ޮͳެ։伴৘ใΛެ։
jwks_url : JSON ܗࣜͰ伴৘ใͷηοτΛฦ͢
ઃఆϑΝΠϧͰͷอ࣋
ൿີ伴

View Slide

JWT(JWS)࣮૷ͷϙΠϯτ

View Slide

RFC8725
JSON Web Token BCP

https://qiita.com/ritou/items/71e58fbc0c5605ec61cb

View Slide

JSON Web SignatureΛ؆୯͔ͭ҆શʹ
࢖͏ͨΊͷkid/typύϥϝʔλͷ࢖͍ํ

https://ritou.hatenablog.com/entry/2020/03/31/142550

View Slide

JWT(JWS)Λ҆શʹ࢖͏ͨΊ
ͷϙΠϯτ
PayloadʹؚΉ৘ใΛΑ͘ݕ౼͢Δ
ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏
ෳ਺ͷJWT(JWS)Λར༻͢Δࡍ͸༻్Λࢦఆ͠ɺഉଞ
తʹݕূ͢Δ

View Slide

JWT(JWS)Λ҆શʹ࢖͏ͨΊ
ͷϙΠϯτ
PayloadʹؚΉ৘ใΛΑ͘ݕ౼͢Δ(Ϣʔεέʔεґଘ)
ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏(ϥΠϒϥϦΛར༻)
ෳ਺ͷJWT(JWS)Λར༻͢Δࡍ͸༻్Λࢦఆ͠ɺഉଞ
తʹݕূ͢Δ

View Slide

PayloadʹؚΉ৘ใΛΑ͘ݕ
౼͢Δ
ࣗॗ

View Slide

ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏
ॺ໊ݕূ࣌ͷΞϧΰϦζϜͷ஋ΛͲ͔͜ΒҾ͔͘
Headerͷalgύϥϝʔλͷ஋Λૉ௚ʹ࢖͏ͱ߈ܸΛड͚ΔڪΕ
noneʹมߋ͞ΕͯεΩοϓ͞ΕͨΓ
RS256 -> HS256 Ͱެ։伴ͷϋογϡ஋Λࢦఆ͞ΕͨΓ
؅ཧ͍ͯ͠Δ伴ʹඥͮ͘஋Λར༻͠ɺHeaderͷ஋͸ͦͷ஋ͱ
ͷൺֱʹཹΊΔ

View Slide

༻్ͱॺ໊ݕূʹ஫໨
༻్ͷදݱͱࢦఆ
ॺ໊ੜ੒ɺݕূ༻ͷ伴ͷ؅ཧ
্هͷݕূ

View Slide

࢖͑Δύϥϝʔλ͸ෳ਺͋Δ
Header
“typ” ύϥϝʔλ (ྫ: “secevent+jwt”) ɿ伴؅ཧͱ෼཭
“kid” ύϥϝʔλ : ༻్͝ͱʹ伴ࣗମΛ෼͚Δ
Payload
ಠࣗΫϨʔϜ : “usage” ͳͲ

View Slide

ͲΕΛ࢖͏͔͸ॊೈʹ൑அ͢΂͖
ػೳ୯ҐͰ伴Λ෼͚ΒΕΔ : Header “kid”
伴पΓ͍͡Εͳ͍͕Header͸͍͡ΕΔ : Header “typ”
伴पΓ΋Header΋͍͡Εͳ͍ : ಠࣗΫϨʔϜ

View Slide

“kid” Λ༻͍ͨ༻్ͷ؅ཧ
༻్͝ͱʹ伴ϦετΛΘ͚ɺॺ໊ݕূ࣌ʹར༻
ॺ໊ݕূͱ༻్ͷݕূΛ݉ͶΔ
ਓ͕ؒΘ͔Γ΍͍͢Α͏ʹ “(༻్) + (ϥϯμϜͳจࣈ
ྻͱ͔೔෇ͱ͔)” ͱ͍͏idʹ͢Δ

View Slide

“typ” Λ༻͍ͨ༻్ͷ؅ཧ
ॺ໊ݕূલʹ൑ఆͰ͖Δ
ϥΠϒϥϦʹΑͬͯ͸ࢦఆͰ͖ͳ͍ɺࢦఆͰ͖ͯ΋ࣗ
ಈͰݕূͰ͖ͳ͍΋ͷ΋͋ΔͷͰ஫ҙ

View Slide

ಠࣗΫϨʔϜͷར༻
ॺ໊ݕূޙͷ൑ఆͱͳΔ
ࢦఆɺݕূͱ΋ʹಠࣗͷ࣮૷ͱͳΔ

View Slide

JWSੜ੒ɺݕূσϞʢ΍Δ࣌ؒͳͦ͞͏ʣ

View Slide

໨త
ॺ໊͖ͭͷJSON Web Token(JSON Web Signature)ͷ
ॺ໊ੜ੒/ݕূΛମݧ
࣮຿Ͱ͸ϥΠϒϥϦΛ࢖͏͜ͱΛ͓קΊ͠·͢ɻ

View Slide

ඞཁͳػೳ
͜ΕΒͷػೳ͕ඞཁͰ͢ɻϓϩάϥϛϯάݴޠʹΑͬͯ
͸഑ྻͷॲཧͳͲɺຊઆ໌ͱҟͳΔ݁ՌͱͳΔ৔߹΋͋
Γ·͢ɻ
Base64 URL Encode / Decode (Paddingͳ͠)
JSON Encode / Decode
HMAC-SHA256

View Slide

JWTੜ੒ͷྲྀΕ
1. HeaderΛੜ੒
2. PayloadΛੜ੒
3. SignatureΛੜ੒
4. ࿈݁ͯ͠׬੒

View Slide

(1) Header
ར༻͢ΔHeaderύϥϝʔλ
“typ” : “handson+JWT” # ϋϯζΦϯ༻ʹಠࣗఆٛ
“alg” : “HS256” # HMAC-SHA256 ར༻Λએݴ
“kid” : “handson01” # 伴؅ཧΛҙࣝ͢ΔͨΊʹར༻

View Slide

(1) Header
1. JSON Encode
“{\"alg\":\"HS256\",\"kid\":\"handson01\",\"typ\":
\"handson+JWT\"}”
2. Base64 URL Encode
“eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI
sInR5cCI6ImhhbmRzb24rSldUIn0”

View Slide

(2) Payload
ૹΓ͍ͨσʔλ
“Foo”:”Bar”
“Hoge”:”Fuga”

View Slide

(2) Payload
1. JSON Encode
"{\"Foo\":\"Bar\",\"Hoge\":\"Fuga\"}"
2. Base64 URL Encode
“eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9"

View Slide

(3) Signature
1. Header, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞੒
sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi
LCJIb2dlIjoiRnVnYSJ9”

View Slide

(3) Signature
2. Base StringΛHMAC-SHA256ͨ͠஋ΛBase64 URL
Encode
伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON”
“Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc
VM”

View Slide

(4) ׬੒
Base StringͱSignatureͷ஋Λ“.”Ͱ࿈݁͢Δͱ׬੒
LCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTV
MwH6iaLoOpxEZf3KcVM”

View Slide

JWTݕূͷྲྀΕ
1. HeaderΛݕূ
2. SignatureΛݕূ
3. (PayloadΛݕূ)

View Slide

(1) Header
Base64 URL Decode & JSON Decodeͨ݁͠ՌΛݕূ
“typ” : “handson+JWT” # ظ଴͢Δ஋ͱҰக͢Δ?
“kid” : “handson01” # αϙʔτ͍ͯ͠Δ伴?
“alg” : “HS256” # kidʹඥͮ͘伴ͱΞϧΰϦζϜ͕Ұ
க͢Δ?

View Slide

(2) Signature
ੜ੒ͱಉ༷ʹHeader, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base
StringΛ࡞੒
LCJIb2dlIjoiRnVnYSJ9”

View Slide

(2) Signature
2. Headerʹࢦఆ͞Εͨkidʹඥͮ͘伴ͰɺBase StringΛ
HMAC-SHA256ͨ͠஋ΛBase64 URL Encodeͯ͠ൺֱ
伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON”
“Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc
VM”
※ެ։伴҉߸Λར༻͢Δ৔߹͸ॺ໊ݕূ༻ͷؔ਺Λར༻

View Slide

(3) Payload
ॺ໊ݕূ͕ऴΘͬͨޙʹඞཁͳΒ͹PayloadΛݕূ
(ࠓճ͸RFC7519Ͱఆٛ͞Ε͍ͯΔiss, aud, expͳͲͷΫ
ϨʔϜΛؚΜͰ͍ͳ͍ͨΊݕূෆཁ)

View Slide

https://jwt.io/ Ͱ΋ݕূՄೳ

View Slide

JWT Boot Camp 2020

JWT Boot Camp 2020

ritou

More Decks by ritou

Other Decks in Technology

Featured

Transcript