The JSON-based Identity Protocol Suite
An overview of the JSON-based identity protocol suite, including JWT, JWE, JWK, etc.

Published in: Technology
Notes
  • Crypto = Signature & Ciphertext

    1. The JSON-based Identity Protocol Suite
       By Travis Spencer
       Copyright © 2013 Twobo Technologies AB.

    2. Overview of the Protocol Suite
       • JavaScript Object Notation (JSON) – data encoding format popularized by AJAX & REST
       • All being defined in the IETF (the JOSE working group for JWS, JWE and JWK; the OAuth working group for JWT)
       • Used to encode the OAuth 2.0 security model:
         – Tokens (JWT)
         – Encryption (JWE)
         – Keys (JWK)
         – Signatures (JWS)
       • The OAuth 2.0 JWT bearer profile binds it to OAuth (the plain Bearer Token spec, RFC 6750, treats the token as an opaque string)
       • Basis of OpenID Connect, whose ID Token is a JWT; OAuth 2.0 itself does not mandate a format for access tokens

    3. Overview of JWT
       • JWT – pronounced "jot" – are lightweight tokens passed in HTTP headers & query strings (prefer the Authorization header: a token in a query string ends up in server logs, browser history and Referer headers)
       • Three basic sections – header, claims, signature
       • Akin to SAML tokens:
         – Less expressive
         – Fewer security options
         – Encoded with JSON rather than XML, for compactness

    4. Basic Layout & Wire Format
       Header | Claims | Crypto
       JWT Token = base64url(Header) + "." + base64url(Claims) + "." + base64url(Crypto)
       base64url is the URL-safe base64 alphabet with the "=" padding removed, so the token is safe in headers and query strings. Crypto is the signature (or MAC) for a signed JWT; for an encrypted JWT it is the JWE ciphertext, with the JWE layout shown on slide 7.

    5. Claims Section
       • Reserved (but optional) claim names:
         – Expiration time (exp)
         – Not before (nbf)
         – Issued at (iat)
         – Issuer (iss)
         – Audience (aud)
         – Type (typ)
       • Public claim names – registered in the IANA JWT claims registry, or made collision-resistant with a domain name, OID, or UUID
       • Private claim names – any unused name agreed between producer and consumer
       • Value can be any JSON type
       These names are from the 2013 draft; the published spec (RFC 7519) moved "typ" to the header, added "sub" and "jti", and defines exp, nbf and iat as NumericDate values (seconds since the Unix epoch). None of them is enforced by the format itself: the consumer has to check exp, nbf and aud explicitly.

    6. Overview of JWE
       • Used to encrypt JWTs (and any other payload)
       • Supports symmetric & asymmetric encryption
       • Three basic sections – header, key, ciphertext
       • Plaintext may be signed first (sign-then-encrypt, giving a nested JWT)
       • Encryption algorithms, named by two separate header parameters:
         – Key management (alg): RSA1_5, RSA-OAEP, A128KW / A256KW, ECDH-ES
         – Content encryption (enc): A128GCM / A256GCM
       • Ciphertext is put in the crypto section of the JWT
       RSA1_5 is RSA PKCS#1 v1.5 encryption, whose padding check leaks information to an attacker who can submit chosen ciphertexts; prefer RSA-OAEP where both sides support it.

    7. Basic Layout & Wire Format
       Header | Key | Ciphertext
       JWE = base64url(Header) + "." + base64url(Key) + "." + base64url(Ciphertext)
       Key is the content-encryption key, wrapped or encrypted for the recipient under the header's alg (it is empty for ECDH-ES direct key agreement). This is the draft layout of the time; the published JWE compact serialization (RFC 7516) has five parts: header, encrypted key, initialization vector, ciphertext and authentication tag.

    8. Overview of JWK
       • Array of public keys encoded as JSON objects
       • Intended for inclusion in JWS for signature verification
       • Explicit support for Elliptic Curve and RSA keys
       The published JWK (RFC 7517) also covers symmetric keys ("kty": "oct") and private-key members, and calls the array a JWK Set: {"keys": [...]}. A verifier should take keys only from a source it has configured (such as an issuer's jwks_uri fetched over TLS), never from a key or URL carried in the token's own header.

    9. JWK Example
       {"keyvalues":
         [
           {"algorithm": "EC",
            "curve": "P-256",
            "x": "…",
            "y": "…",
            "use": "encryption",
            "keyid": "1"},
           {"algorithm": "RSA",
            "modulus": "…",
            "exponent": "…",
            "keyid": "…"}
         ]
       }
       These are the 2013 draft member names. In RFC 7517 they became "keys", "kty", "crv", "x", "y", "use" (with values "enc" or "sig"), "kid", "n" and "e"; the numeric values are base64url-encoded big-endian integers.

    10. Overview of JWS
        • Header input is the JWT header
        • Payload input is the JWT claims
        • Output is appended to the JWT inputs & (optionally) points to the JWK that was used (the "kid" header, or "jku"/"jwk")
        • Supports symmetric & asymmetric signing algorithms:
          – HMAC with SHA-2 (HS256, HS384, HS512)
          – RSA with SHA-2 (RS256, RS384, RS512, i.e. RSASSA-PKCS1-v1_5)
          – ECDSA with the NIST P curves & SHA-2 (ES256 on P-256, ES384 on P-384, ES512 on P-521)
        The header also admits "alg": "none". A verifier must decide which algorithm and key it accepts before looking at the token, rather than dispatching on the header's alg; otherwise an attacker can submit an unsigned token, or an RSA public key used as an HMAC secret, and have it accepted.

    11. Basic Layout & Wire Format
        Header | Payload | JWS
        Signature = base64url(sig(ASCII(base64url(Header) + "." + base64url(Payload))))
        JWS = base64url(Header) + "." + base64url(Payload) + "." + Signature
        The signature covers the two base64url-encoded parts exactly as transmitted, so the verifier recomputes it over the received text and must not re-serialize the JSON first; the third part of the compact form is the signature alone.

    12. Questions & Thanks
        @2botech
        @travisspencer
        www.2botech.com
        www.travisspencer.com
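The whole signed-JWT path described on the layout, claims and JWS slides (mint a compact HS256 token, select the key through a JWK Set by "kid", verify the signature over the received text, then check exp, nbf and aud), as an added example using only the Python standard library. This is not code from the deck or from Twobo Technologies; the JWK Set, the key bytes, the kid value and the claim values are constructed for the example, and the member names are the RFC 7517/7519 ones ("keys", "kty", "kid", "k") rather than the 2013 draft names on the JWK slide.

```python
"""Mint and verify a compact JWS-form JWT (HS256) with the standard library only.

Added example, not code from the slides. Wire format follows the deck:
base64url(Header) "." base64url(Claims) "." base64url(Signature), where the
signature is the HMAC over the ASCII of the first two parts joined by ".".
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample JWK Set with one symmetric ("oct") key. The key bytes are
# made up for this example; a real HS256 key is at least 32 random bytes.
JWKS = {
    "keys": [
        {"kty": "oct", "kid": "2013-key-1", "alg": "HS256",
         "k": "c2VjcmV0LWtleS1mb3ItdGhlLXNsaWRlLWV4YW1wbGUtMjAxMw"},
    ]
}


def b64url_encode(data: bytes) -> str:
    """URL-safe base64 with the '=' padding stripped, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the compact serialization removed, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def find_key(jwks: dict, kid: str) -> bytes:
    """Look the 'kid' up in a JWK Set the verifier configured itself."""
    for jwk in jwks["keys"]:
        if jwk.get("kty") == "oct" and jwk.get("kid") == kid:
            return b64url_decode(jwk["k"])
    raise ValueError(f"unknown kid {kid!r}")


def mint_jwt(claims: dict, jwks: dict, kid: str) -> str:
    """Produce header.claims.signature; the header names the key by kid."""
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(find_key(jwks, kid), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, jwks: dict, audience: str, now: Optional[float] = None) -> dict:
    """Verify the signature over the received text, then the time/audience claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the verifier decides what it accepts. Never dispatch on
    # the token's own header, which would admit "none" or an algorithm swap.
    if header.get("alg") != "HS256":
        raise ValueError(f"unacceptable alg {header.get('alg')!r}")
    key = find_key(jwks, header.get("kid", ""))
    # The MAC is recomputed over the transmitted base64url text, not re-serialized JSON.
    expected = hmac.new(key, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    # The format enforces none of these; the consumer has to check them.
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("audience mismatch")
    return claims


if __name__ == "__main__":
    # Constructed claims; the issuer URL and subject are illustrative only.
    sample = {"iss": "https://issuer.example", "sub": "alice", "aud": "api",
              "iat": 1_000_000, "nbf": 1_000_000, "exp": 1_000_600}
    token = mint_jwt(sample, JWKS, "2013-key-1")
    print(token)
    print(verify_jwt(token, JWKS, "api", now=1_000_100))
```

The verifier never reads "alg" to choose a primitive and never accepts a key from the token itself; both the algorithm and the key source are fixed by configuration, and the header's "kid" only selects among keys already trusted.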