JWTとは

Transcript

1. JWTʹ͍ͭͯ

2. 1. JWTͱ͸ 2. JWTͷத਎ 3. JWTΛ࢖͏ͱԿ͕خ͍͔͠ 4. JWTͷ஫ҙ఺ ໨࣍

3. 1. JWTͱ͸ Json Web Token ͷུɻ RFC7519 Ͱఆٛ͞Ε͍ͯΔٕज़Ͱɺ RFC7515 JWS

   (Json Web Signature) ͷ࢓༷ʹԊͬͯɺpayload෦෼ΛJSONܗࣜʹͯ͠ +α ͨ͠΋ͷɻ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva G4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ. S f lKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQs sw5c ϔομʔ ϖΠϩʔυ ॺ໊ { "alg": "HS256", "typ": "JWT" } { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), your-256-bit-secret ) JSON BASE JWT

4. 1. JWTͱ͸ POST /user/login {email, password} Ϣʔβʔೝূޙʹ ηογϣϯ৘ใΛอଘ ηογϣϯIDΛCookieͱͯ͠ฦ͢ ϦΫΤετΛηογϣϯIDͱͱ΋ʹૹΔ

   ૹΒΕ͖ͯͨηογϣϯIDͱ อଘͨ͠ηογϣϯIDͰݕূ Ϩεϙϯε Sessionํࣜ

5. 1. JWTͱ͸ POST /user/login {email, password} ൿີ伴Λ࢖ͬͯ JWTΛੜ੒ JWTΛϨεϙϯεͱͯ͠ฦ͢ ϦΫΤετΛJWTͱͱ΋ʹૹΔ

   JWTͷத਎Λݕূ JWT͔ΒϢʔβʔ৘ใΛऔಘ Ϩεϙϯε JWTํࣜ

6. 1. JWTͱ͸ POST /user/login {email, password} Secret keyΛ࢖ͬͯ JWTΛੜ੒ JWTΛϨεϙϯεͱͯ͠ฦ͢

   ϦΫΤετΛJWTͱͱ΋ʹૹΔ JWTͷத਎Λݕূ JWT͔ΒϢʔβʔ৘ใΛऔಘ Ϩεϙϯε JWTํࣜ POST /user/login {email, password} Ϣʔβʔೝূޙʹ ηογϣϯ৘ใΛอଘ ηογϣϯIDΛCookieͱͯ͠ฦ͢ ϦΫΤετΛηογϣϯIDͱͱ΋ʹૹΔ ૹΒΕ͖ͯͨ ηογϣϯIDͱอଘͨ͠ ηογϣϯIDͰݕূ Ϩεϙϯε Sessionํࣜ ೋͭͷେ͖ͳҧ͍͸ɺτʔΫϯΛอଘ͢Δ৔ॴɻ ηογϣϯํࣜ͸αʔόʔʹɺ JWTํࣜ͸ϒϥ΢βʹอଘ͢Δɻ

7. 2. JWTͷத਎

8. 3. JWTΛ࢖͏ͱԿ͕خ͍͔͠ ServerA ServerC ServerB

9. 4. JWTͷ஫ҙ఺ ϢʔβʔͷೳಈతͳϩάΞ΢τʹΑΔτʔΫϯͷ؅ཧ A UserAHeader. UserAPayload. UserASignature UserAHeader. UserAPayload. UserASignature

   ࿙Ӯ OK OK ʻϩάΞ΢τϘλϯԡԼʼ B

10. 4. JWTͷ஫ҙ఺

11. ऴΘΓ