
The JSON-based Identity Protocol Suite

An overview of the JSON-based identity protocol suite, including JWT, JWE, JWK, etc.



  1. The JSON-based Identity Protocol Suite
     By Travis Spencer
     Copyright © 2013 Twobo Technologies AB.
  2. Overview of the Protocol Suite
     - JavaScript Object Notation (JSON) – data encoding format popularized by AJAX & REST
     - All being defined in IETF
     - Used to encode OAuth 2.0 security model
       - Tokens (JWT)
       - Encryption (JWE)
       - Keys (JWK)
       - Signatures (JWS)
     - OAuth 2.0 Bearer Token spec binds it to OAuth
     - Basis of OAuth and OpenID Connect
  3. Overview of JWT
     - JWTs – pronounced “jot” – are lightweight tokens passed in HTTP headers & query strings
     - Three basic sections – header, claims, signature
     - Akin to SAML tokens
       - Less expressive
       - Fewer security options
       - Encoded w/ JSON not XML for compactness
  4. Basic Layout & Wire Format
     [Figure: three boxes – Header, Claims, Crypto – making up the JWT token]
     JWT Token = base64url(Header) + "." + base64url(Claims) + "." + base64url(Crypto)
  5. Claims Section
     - Reserved (but optional) claim names
       - Expiration time (exp)
       - Not before (nbf)
       - Issued at (iat)
       - Issuer (iss)
       - Type (typ)
       - Audience (aud)
     - Public claim names
       - IANA JWT claims registry
       - Domain name, OID, or UUID
     - Private claim names – any unused name
     - Value can be any JSON type
  6. Overview of JWE
     - Used to encrypt JWTs
     - Supports symmetric & asymmetric encryption
     - Three basic sections – header, key, ciphertext
     - Plaintext may be signed first
     - Encryption algorithms
       - RSA1_5
       - RSA-OAEP
       - ECDH-ES
       - A(128|256)KW
       - A(128|256)GCM
     - Ciphertext is put in the crypto section of the JWT
  7. Basic Layout & Wire Format
     [Figure: three boxes – Header, Key, Ciphertext – making up the JWE]
     JWE = base64url(Header) + "." + base64url(Key) + "." + base64url(Ciphertext)
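The following is an added example, not code from the slides or from Twobo Technologies, showing the JWE layout of slides 6 and 7 in working code: the content is encrypted with a fresh symmetric key, that key is wrapped under a key-encryption key (alg A128KW, one of the algorithms listed on slide 6), and the result is serialized as one dot-separated string. It follows the final JWE specification, RFC 7516, whose compact serialization has five sections (protected header, encrypted key, IV, ciphertext, authentication tag) rather than the three shown on the 2013 slide; the base64url-encoded header doubles as the AEAD's additional authenticated data, so a modified header fails the tag check. It assumes the third-party `cryptography` package is installed; the `KEYS` table, the `kid` values and the sample plaintext are constructed for the demo.

```python
"""Added example: JWE compact serialization with alg=A128KW and enc=A128GCM (RFC 7516).

Requires the third-party "cryptography" package (pip install cryptography).
"""
import base64
import json
import os
from typing import Optional, Tuple

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import InvalidUnwrap, aes_key_unwrap, aes_key_wrap


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as every JWE/JWS section is encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Only this (alg, enc) pair is accepted; a header naming anything else is
# rejected before any key material is touched.
ALLOWED = {("A128KW", "A128GCM")}

# Constructed 128-bit key-encryption key (KEK) indexed by "kid".  A real
# deployment loads keys from a key store, never from source code.
KEYS = {"kek-1": bytes(range(16))}


def jwe_encrypt(plaintext: bytes, kid: str, keys: dict = KEYS) -> str:
    """Produce header.encrypted_key.iv.ciphertext.tag for the given plaintext."""
    header = {"alg": "A128KW", "enc": "A128GCM", "kid": kid}
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    cek = AESGCM.generate_key(bit_length=128)      # fresh content-encryption key per message
    encrypted_key = aes_key_wrap(keys[kid], cek)   # A128KW: wrap the CEK under the KEK
    iv = os.urandom(12)                            # 96-bit GCM nonce, never reused with a CEK
    # The AAD is the ASCII of the base64url-encoded protected header (RFC 7516 §5.1).
    sealed = AESGCM(cek).encrypt(iv, plaintext, protected.encode("ascii"))
    ciphertext, tag = sealed[:-16], sealed[-16:]   # AESGCM appends the 128-bit tag
    return ".".join([protected, b64url_encode(encrypted_key), b64url_encode(iv),
                     b64url_encode(ciphertext), b64url_encode(tag)])


def jwe_decrypt(token: str, keys: dict = KEYS) -> bytes:
    """Reverse jwe_encrypt; raises on malformed input, unknown alg/kid or a bad tag."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("expected five sections: header, key, iv, ciphertext, tag")
    protected, ek_b64, iv_b64, ct_b64, tag_b64 = parts
    header = json.loads(b64url_decode(protected))
    if (header.get("alg"), header.get("enc")) not in ALLOWED:
        raise ValueError("algorithm not allowed")
    kek = keys.get(header.get("kid"))
    if kek is None:
        raise ValueError("unknown kid")
    cek = aes_key_unwrap(kek, b64url_decode(ek_b64))
    # Decrypting with the original header as AAD binds the header to the ciphertext.
    return AESGCM(cek).decrypt(b64url_decode(iv_b64),
                               b64url_decode(ct_b64) + b64url_decode(tag_b64),
                               protected.encode("ascii"))


def decrypt_or_error(token: str, keys: dict = KEYS) -> Tuple[Optional[bytes], Optional[str]]:
    """Return (plaintext, None) on success or (None, error class name) on rejection."""
    try:
        return jwe_decrypt(token, keys), None
    except (ValueError, InvalidTag, InvalidUnwrap) as exc:
        return None, type(exc).__name__


if __name__ == "__main__":
    # Constructed plaintext: a JWT claims object (a signed JWS string could sit here instead).
    claims = b'{"iss":"https://issuer.example","sub":"alice"}'
    token = jwe_encrypt(claims, "kek-1")
    print(token)
    print(jwe_decrypt(token))
```

Because the content key and IV are random, every call to `jwe_encrypt` yields a different token for the same plaintext; the receiver never needs the content key in advance, only the KEK named by `kid`.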
  8. Overview of JWK
     - Array of public keys encoded as JSON objects
     - Intended for inclusion in JWS for signature verification
     - Explicit support for Elliptic Curve and RSA keys
  9. JWK Example
     {"keyvalues" :
       [
         {"algorithm" : "EC",
          "curve" : "P-256",
          "x" : "…",
          "y" : "…",
          "use" : "encryption",
          "keyid" : "1"},
         {"algorithm" : "RSA",
          "modulus" : "…",
          "exponent" : "…",
          "keyid" : "…"}
       ]
     }
  10. Overview of JWS
     - Header input is JWT header
     - Payload input is JWT claims
     - Output is appended to JWT inputs & (optionally) points to the JWK that was used
     - Supports symmetric & asymmetric signing algorithms
       - HMAC SHA
       - RSA SHA
       - ECDSA w/ curve P & SHA
  11. Basic Layout & Wire Format
     [Figure: Header and Payload boxes feeding the JWS]
     JWS = base64url(sig(base64url(Header) + "." + base64url(Payload)))
  12. Questions & Thanks
     @2botech  @travisspencer
     www.2botech.com  www.travisspencer.com
