CIS14: I Left My JWT in San JOSE

``
Brian Campbell!
@__b_c!
Cloud Identity Summit 2014!
http://www.slideshare.net/briandavidcampbell!
!
A technical overview of JSON Web
Token (JWT) and JavaScript Object
Signing and Encryption (JOSE)!

Introductions!
http://blog.talkingidentity.com/2013/08/thanking-the-iam-venn-erables-in-my-own-way.html!
Me!

More Introductions…!
Copyright © 2014 Ping Identity Corp.All rights reserved. 3https://twitter.com/itickr/status/354999490928857088!
https://ﬂic.kr/p/f6PKjB!

•  JavaScript Object Signing and Encryption (JOSE)
–  JSON Web Signature (JWS)
•  A way of representing content secured with a digital
signature or MAC using JSON data structures and base64url
encoding
–  JSON Web Encryption (JWE)
•  Like JWS but for encrypting content
–  JSON Web Key (JWK)
•  JSON data structures representing cryptographic keys
–  JSON Web Algorithms
•  Deﬁnes the use cryptographic algorithms and identiﬁers for
JWS, JWE and JWK !
•  JSON Web Token (JWT)
–  A compact URL-safe means of representing claims/attributes
to be transferred between two parties
–  A JWT is a JWS and/or a JWE with JSON claims as the
payload Copyright © 2014 Ping Identity Corp.All rights reserved. 4
JWT + JOSE Overview!
JWS JWE
JWT
JWK
JSON

•  Not even official RFCs yet but
–  Well regarded
–  And widely used:
•  OAuth
•  OpenID Connect
•  Mozilla Persona (ahem)
•  W3C Web Cryptography API
•  + more…
Three nerds holding a blurry piece of paper they tell me is
some kind of award for the JOSE & JWT work.
http://www.kuppingercole.com/article/award2014 !
5
JWT + JOSE in the Wild!

What’s in a Name?!
https://twitter.com/metadaddy/status/454422069199900672
JW*!

Copyright © 2014 Ping Identity Corp.All rights reserved. 7
But you wouldn't name your child ‘Attila the Hun’
would you?!
"Attila, Scourge of God"
http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg
I didn’t…

What would JOSE do? ‡ !
Call it
JW-STEAK
‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case
I’m not at all reluctant about blaming him. JW-
JWS
JWT
JWE
JWA
JWK

Because who doesn’t like a
good steak? !
Don Julio is a famous (to gringo tourists anyway) steakhouse
in Buenos Aires, Argentina - https://flic.kr/p/ezE99U

Okay, ﬁne…!
•  Technically speaking, my
vegan coworker does not like
steak
•  Even if it is ‘good’
•  But let’s not split hairs on this
one…

Awkward Transition… into some of the more technical details!
11
Few things are more
awkward than Paul Madsen
eating a Slim Jim while
wearing a sailor's outfit and
bowtie

All The Cool Kids Are Doing It!
{"JSON" : "a lightweight & human-readable data-interchange format"}!

The 64 Character Question!
•  base64
–  A means of encoding binary data in a printable ASCII string format
–  Each 6 bits -> 1 character
•  From a 64 character alphabet comprised of 62 alphanumeric characters and "+" and "/"
•  Also padding "="
–  3 bytes -> 4 characters
•  base64url
–  uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64
–  "-" rather than "+" and "_" rather than "/"
–  Padding "=" is typically omitted
•  A remaining unreserved URI character: "."
–  This will prove important shortly
Example: 32 random bytes encoded

base64: qOo+pY+LPDB7sA2nuMp4TzmCThieol/J+bAXqcB8pAU=
base64url: qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU

URL Encoded:
qOo%2BpY%2BLPDB7sA2nuMp4TzmCThieol%2FJ%2BbAXqcB8pAU%3D
qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU

A closer look at JOSE’s bits and pieces: JWS!
•  JSON Web Signature (JWS)
•  A way of representing content secured with a digital signature
or MAC
–  Using a JSON data structure and base64url encoding
–  Encoded segments are concatenated with a "."
–  Intended for space constrained environments such as HTTP
Authorization headers and URI query parameters
•  Conceptually Simple:
–  <Header>.<Payload>.<Signature>

JOSE’s bits and pieces: The JWS Header!
•  JWS Header is a bit of JSON that describes the digital signature or MAC operation applied
to create the JWS Signature value
•  Reserved Header Parameters
–  "alg": Algorithm
–  HMAC, RSA, RSA-PSS and ECDSA
–  Unsigned/none (controversy!)
–  Extensible
•  "kid": Key ID
•  "jku": JWK Set URL
•  "jwk": JSON Web Key
•  "x5u": X.509 URL
•  "x5t": X.509 Thumbprint
•  "x5c": X.509 Certificate Chain
•  "typ": Type
•  "cty": Content Type
Header Example:
"I signed this thing with RSA-SHA256
using key we known as ‘9er’ which you
can find the corresponding public key for
at https://www.example.com/jwks"
{"alg":"RS256", "kid":"9er",
"jku":"https://www.example.com/jwks"}

JOSE’s bits and pieces: JWS Algorithms!
Digital Signature or Message Authentication
Code Algorithm!
JWS "alg" Parameter Values!
HMAC using SHA2! HS256, HS384 and HS512!
RSASSA-PKCS1-V1_5 Digital Signatures with with
SHA2!
RS256, RS384 and RS512!
Elliptic Curve Digital Signatures (ECDSA) with SHA2! ES256, ES384 and ES512!
!
RSASSA-PSS Digital Signatures with SHA2! PS256, PS384 and PS512!
!
Unsigned Plaintext! none!

USA!
&!
Canada
vs.
a little context…

Jingoistic JWS Example!
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256 via "my-first-key") ->
{"alg":"ES256","kid":"my-first-key"}
base64url encoded header ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
Secured Input ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input ->
QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-
TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
JWS Compact Serialization (line breaks after dots added for readability) ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.
VVNBICMxIQ.
QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-
TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
Which you can think of sort of like:
{"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>

JOSE’s bits and pieces: JWE!
•  JSON Web Encryption
•  Similar in motivation and design to JWS but for encrypting content
•  A little more complicated
–  Headers
•  "alg": Algorithm (key wrap or agreement)
•  "enc": Encryption Method (Authenticated Encryption only)
•  "zip": Compression Algorithm
–  "DEF" for the DEFLATE Compressed Data Format from RFC 1951 is currently the only one
•  "kid”, “jku”, “jwk”, "x5u”, "x5t”, "x5c”, etc..
•  Five Parts
<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>

JOSE’s bits and pieces:  
!JWE Content Encryption Algorithms ("enc")!
Content Encryption Algorithm! JWE "enc" Parameter Values!
Authenticated encryption with Advanced Encryption
Standard (AES) in Galois/Counter Mode (GCM)!
A128GCM, A192GCM and
A256GCM!
Authenticated encryption with an AES-CBC and
HMAC-SHA2 composite !
A128CBC-HS256, A192CBC-
HS384 and A256CBC-HS512!

JOSE’s bits and pieces:  
!JWE Key Management Algorithms ("alg")!
Key Management Algorithm! JWE "alg" Parameter Values!
Direct encryption with a shared symmetric key! dir!
RSAES-PKCS1-V1_5 key encryption! RSA1_5!
RSAES using OAEP key encryption! RSA-OAEP and RSA-OAEP-256!
AES key wrap! A128KW,A192KW and A256KW!
AES GCM key encryption! A128GCMKW,A192GCMKW and A256GCMKW!
Elliptic Curve Diffie-Hellman Ephemeral Static key agreement
using Concat KDF!
ECDH-ES!
Elliptic Curve Diffie-Hellman Ephemeral Static key agreement
using Concat KDF with AES key wrap!
ECDH-ES+A128KW, ECDH-ES+A192KW and
ECDH-ES+A256KW!
PBES2 with HMAC SHA-2 and AES key wrapping! PBES2-HS256+A128KW, PBES2-
HS384+A192KW and PBES2-HS512+A256KW!

Payload/plaintext
-> I actually really like Canada
Header
-> {"kid":"use this one eh","alg":"RSA-OAEP","enc":"A128CBC-HS256"}
base64url encode header
-> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFU
CIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ
IV: base64url encoded 128 bit initialization vector -> OMRMiwPvh13089vcWAw_mg
Encrypted Key: RSA OAEP used wrap a 256 bit random key which is base64url encoded ->
knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3u
Z8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-
SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ
Ciphertext: base64url encoded AES 128 CBC encrypted payload -> G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw
Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> rCjFpLbuWKQMJLzQEP4aSw
JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) ->
eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ.
knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3u
Z8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-
SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ.
OMRMiwPvh13089vcWAw_mg.
G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw.
rCjFpLbuWKQMJLzQEP4aSw
Confessional JWE Example!

An aside, eh. !
Looking for material, I started to Google "never trust a Canadian"…
Brian Campbell!
@__b_c!
CIS 2014

JWT!
•  JSON Web Token
•  Suggested pronunciation: "jot"
•  Compact URL-safe means of representing claims to be
transferred between two parties
•  JWS and/or JWE with JSON claims as the payload
•  JWT Claim
–  A piece of information asserted about a subject (or the JWT
itself)
–  Represented name/value pairs, consisting of a Claim Name and
a Claim Value (which can be any JSON object)

•  "iss": Issuer
–  Who issued it
•  "sub": Subject
–  Who’s it about
•  "aud": Audience
–  Who’s it for
•  "exp": Expiration Time
–  When it expires
•  "nbf": Not Before
–  When it starts being value
•  "iat": Issued At
–  When it was issued
•  "jti": JWT ID
–  A unique identiﬁer for it
(some) Reserved JWT Claim Names!

jot or not?!
The
JWT

eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV
4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVM
ng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.
The
Header

{"kid":"5","alg":"ES256"}

The
Payload

{"iss":"https://idp.example.com",

"exp":1357255788,

"aud":"https://sp.example.org",

"jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",

"acr":"2",

"sub":"Brian"}

it’s not the size of your token…!
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGx
lLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwi
kgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

<Assertion
Version="2.0"
IssueInstant="2013-‐01-‐03T23:34:38.546Z"
ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"

xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<Issuer>https://idp.example.com</Issuer>

<ds:Signature><ds:SignedInfo>

<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-‐exc-‐c14n#"/>

<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-‐more#ecdsa-‐sha256"/>

<ds:Reference
URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">

<ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-‐signature"/>

<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-‐exc-‐c14n#"/></ds:Transforms>

<ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

<ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>

</ds:Reference></ds:SignedInfo>

<ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>

</ds:Signature>

<Subject>

<NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-‐format:unspecified">Brian</NameID>

<SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

<SubjectConfirmationData
NotOnOrAfter="2013-‐01-‐03T23:39:38.552Z"
Recipient="https://sp.example.org"/>

</SubjectConfirmation>

</Subject>

<Conditions
NotOnOrAfter="2013-‐01-‐03T23:39:38.552Z"
NotBefore="2013-‐01-‐03T23:29:38.552Z">

<AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction>

</Conditions>

<AuthnStatement
AuthnInstant="2013-‐01-‐03T23:34:38.483Z"
SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">

<AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext>

</AuthnStatement>

</Assertion>

…it’s how you use it!
•  Simpler = Better
•  Web safe encoding w/ no canonicalization
(Because canonicalization is a four letter word*)
•  Improved Interoperability & (hopefully) More
Secure
•  Eliminates entire classes of attacks
–  XSLT Transform DOS, Remote Code Execution, and Bypass
–  C14N Hash Collision w/ & w/out comments
–  Entity Expansion Attacks
–  XPath Transform DOS and Bypass
–  External Reference DOS
–  Signature Wrapping Attacks
Brad Hill, pictured here speaking at CIS in 2011, is wicked smaht and
published some of these attacks
* especially when you spell it c14n

JSON Web Key (JWK)!
•  JSON data structure representing cryptographic key(s)
–  Public/private keys: RSA & Elliptic Curve
–  Symmetric keys (octet sequence)
•  Can can be
–  included in a JWS/JWE/JWT header
–  published at an HTTPS endpoint and referenced
–  used in place of self signed certificates
–  saved in a file
–  sent in an email
–  and more

JWK & JWT Working Together!
JWT/JWS
Header

{

"kid":"5",

"alg":"ES256"

}

JWK
Set

{"keys":[
{"kty":"EC",
"kid":"4",
"x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
"y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",
"crv":"P-256"},
{"kty":"EC",
"kid":"5",
"x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
"crv":"P-256"},
{"kty":"EC",
"kid":"6",
"x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
"y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",
"crv":"P-256"}
]}

Simple Is As Simple Does!
• The relative simplicity of JW[STEAK]
implies a simple programming interface!
• Numerous implementations already exist
for a wide variety of languages/platforms !
• Going to make you take quick look at one
of them… !

Introducing jose4j!
•  Open source Java implementation of the JOSE specification suite
–  https://bitbucket.org/b_c/jose4j
•  Relies solely on the JCA APIs for cryptography
•  100% Algorithm Support
•  Production ready
–  Used throughout Ping Identity’s products
•  Reference[able] implementation
–  Fact checked the JOSE cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A
•  Completely free of NSA backdoors
–  (but I’m open to "sponsorship" opportunities)

Producing the aforementioned JWS !
PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);!
jwk.setKeyId("my-first-key");!
!
JsonWebSignature jws = new JsonWebSignature();!
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);!
jws.setPayload("USA #1!");!
jws.setKey(jwk.getPrivateKey());!
jws.setKeyIdHeaderValue(jwk.getKeyId());!
String compactSerialization = jws.getCompactSerialization();!
!
System.out.println(compactSerialization);!
!

Consuming that JWS!
JsonWebKey jwk = JsonWebKey.Factory.newJwk("{"kty":"EC"," +!
""kid":"my-first-key"," +!
""x":"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ"," +!
""y":"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk"," +!
""crv":"P-256"}");!
!
String compactSerialization = !
"eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." +!
"VVNBICMxIQ." +!
"QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAU" + !
"REzF1FF25BbrgyohbKdGE1cB-hrA";!
!
JsonWebSignature jws = new JsonWebSignature();!
jws.setCompactSerialization(compactSerialization);!
jws.setKey(jwk.getKey());!
String payload = jws.getPayload();!
!
System.out.println(payload);!
!

Producing the aforementioned JWE !
String jwkJson =!
"{"kty":"RSA"," +!
""kid":"use this one eh"," +!
""n":"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5X"+!
"vT8bQO39k34s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtr" +!
"GJdXxQEgDE7Wg1YYi0yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZV" +!
"C5b61R37akzTB3abdAIBf4-UBLrvNgl0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw"," +!
""e":"AQAB"}";!
!
JsonWebKey jwk = JsonWebKey.Factory.newJwk(jwkJson);!
!
JsonWebEncryption jwe = new JsonWebEncryption();!
jwe.setPayload("I actually really like Canada");!
jwe.setKey(jwk.getKey());!
jwe.setKeyIdHeaderValue(jwk.getKeyId());!
jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP);!
jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);!
String compactSerialization = jwe.getCompactSerialization();!
!
System.out.println(compactSerialization); !
!

Consuming that JWE (1 of 2) !
String jwkJson =!
"{"kty":"RSA"," +!
""kid":"use this one eh"," +!
""n":"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5XvT8bQO39k3" +!
"4s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtrGJdXxQEgDE7Wg1YYi0" +!
"yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZVC5b61R37akzTB3abdAIBf4-UBLrvNgl" +!
"0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw"," +!
""e":"AQAB"," +!
""d":"p1umPOWUnf-rTylRVnhG75sF7N3tyG_r86ZM2hV8qAShMgnzbZYefNg2Vxh2cobXUMLF0TncuUxAusCrNSgUyrjHjHDIws03" +!
"VdzphFPd3oI9o6_2hSBWJ6OWB5VEDAd1Cc_HKy4iPWUZWlk__G3RQg524_0Wfgp_1bTIyeGLEt6GGAasCRoi4crZ_cKLkzB3ZmwoIF" +!
"X4Z-jU6AKp_rCarj45tqdgpzIHKYuA2HjgGJwevknhTVEjY6stAiTXWJ4M8YxIwqQ-tCj1GM5pfvJNIzaW2KoZ234ll_DFnUDnAE1R" +!
"O22oBfW-iYsHcrNtslHxYDkGnOGFkJAOnbF8ihaQcQ","p":"6JVJlrObtg02Sr0ZqERiOZMxf3lE8TK8j5cU5VBYYvfebtjI2" +!
"_wW_uT_N_wIETodgWJgkPlejrQM4B-inB8VfUPBe8RCRGmXf5jqyKf7r5XwGabda3UjaTwoAUxYSgb2HH4IU4KNMJ-rFuG2Nzz0t2W" +!
"7PtqHJjrcF3i952oKAGU","q":"3-dPMaO1JerkElaP4FMV1Fio-ZFJwf5xCLMFdJZstLkKY7H63bxOb77iQ5xEOSWY4yScfXZ" +!
"hp2S1v0Plub-qTeuGHXt-T2rugGAmIKlPzkQU6aiGFXqwCK2TrETQkV5Pf__PRHhaJ1rTbGVyAvqL2vAoI46XwSMmLINncDy2xGM"," +!
""dp":"T9bXYQ0cuZzFc1iAkzuOQFdf2XNmkCmrgtsJCELRZH_T8lcmdCWQO0WeurggiNFbSYvcvEduByyVcuZJKrCc7tgwde0EFn" +!
"ns0JdMmT7Y7ghZWGTogze9xSUqUm_Dqv3CxDsbXpdlIjjdQUiQBVw-YSph4YygciYoYUJIZkUHU-U"," +!
""dq":"wklQ6t4HPlPIfDEov5rZAl28onJz8iX7p3TQcw5kXZ2DambyLJ5N4aFdbRWYDY6WT-Ng921V5474NnOQT9IE0YBh7AtQ21E" +!
"Ki9LiwsyoN2_URby6PMEtJxqXXZCI-ts_WO58yAk3EZc6hoCwoe0Olnh2HASLokgBw_ZyN243mck"," +!
""qi":"4n-fctilEl81ig_NIa0GFHjV1wiMR5E9RuwJIrSnG6kDBZp2wxjRd8HY96xAC_mwKZzRLxHZnukLaSi4f43-wRuURQaIj8z" +!
"P8UFgH73C4sOp9rgRhsUlceniIasGE-3FKW0_2ofNMCNimYuSSIXfIyNvMdtptlg3BJv4gizH_l4"}";!

Consuming that JWE (2 of 2) !
String jwecs = !
"eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ." + !
"knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0M" + !
"lmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4" +!
"wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhY" + !
"V-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ." +!
"OMRMiwPvh13089vcWAw_mg." +!
"G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw." +!
"rCjFpLbuWKQMJLzQEP4aSw";!
!
PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(jwkJson);!
!
JsonWebEncryption jwe = new JsonWebEncryption();!
jwe.setCompactSerialization(jwecs);!
jwe.setKey(jwk.getPrivateKey());!
String payload = jwe.getPayload();!
!
System.out.println(payload);!
!

Yes, ﬁnished. See you at Boot Camp (maybe).!
Thank you!!
!
!
!
!
!
!
!
!
!
Brian Campbell!
@__b_c!
CIS 2014 !
https://ﬂic.kr/p/f7zK1V!

CIS14: I Left My JWT in San JOSE

Recommended

Recommended

More Related Content

What's hot

What's hot (9)

Viewers also liked

Viewers also liked (19)

Similar to CIS14: I Left My JWT in San JOSE

Similar to CIS14: I Left My JWT in San JOSE (20)

More from CloudIDSummit

More from CloudIDSummit (20)

Recently uploaded

Recently uploaded (20)

CIS14: I Left My JWT in San JOSE