The JSON-based Identity Protocol Suite
Download as PPTX, PDF4 likes4,966 views
The document discusses the JSON-based Identity Protocol Suite, which defines standards for JSON Web Tokens (JWTs), JSON Web Encryption (JWE), JSON Web Keys (JWK), and JSON Web Signatures (JWS). JWTs are compact tokens passed in HTTP that contain claims and can be signed or encrypted. JWE defines how to encrypt JWTs using symmetric or asymmetric encryption. JWK defines public key representations in JSON. JWS defines how to digitally sign JWTs using symmetric or asymmetric signatures. These standards are defined by the IETF and provide a common way to securely transmit identity and authorization data.
![JWK Example
{“keyvalues” : {“algorithm” : “RSA”,
[ “modulus” : “…”,
{“algorithm” : “EC”, “exponent” : “…”,
“curve” : “P-256”, “keyid” : “…”}
]
“x” : “…”,
}
“y” : “…”,
“use” : “encryption”,
“keyid” : “1”},
Copyright © 2013 Twobo Technologies AB.](https://image.slidesharecdn.com/jwt-130305011253-phpapp01/85/The-JSON-based-Identity-Protocol-Suite-9-320.jpg)
The JSON-based Identity Protocol Suite
- 1. The JSON-based Identity Protocol Suite By Travis Spencer Copyright © 2013 Twobo Technologies AB.
- 2. Overview of the Protocol Suite JavaScript Object Notation (JSON) – Data encoding format popularized by AJAX & REST All being defined in IETF Used to encode OAuth 2.0 security model Tokens (JWT) Encryption (JWE) Keys (JWK) Signatures (JWS) OAuth 2.0 Bearer Token spec binds it to OAuth Basis of OAuth and OpenID Connect Copyright © 2013 Twobo Technologies AB.
- 3. Overview of JWT JWT – pronounced “jot” – are lightweight tokens passed in HTTP headers & query strings Three basic sections – header, claims, signature Akin to SAML tokens Less expressive Less security options Encoded w/ JSON not XML for compactness Copyright © 2013 Twobo Technologies AB.
- 4. Basic Layout & Wire Format Header Claims Crypto JWT Token base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Crypto) Copyright © 2013 Twobo Technologies AB.
- 5. Claims Section Reserved (but optional) claim names Expiration time (exp) Issuer (iss) Not before (nbf) Type (typ) Issued at (iat) Audience (aud) Public claim names IANA JWT claims registry Domain name, OID, or UUID Private claim names – Any unused name Value can be any JSON type Copyright © 2013 Twobo Technologies AB.
- 6. Overview of JWE Used to encrypt JWTs Supports symmetric & asymmetric encryption Three basic sections – header, key, ciphertext Plaintext may be signed first Encryption algorithm RSA1_5 A(128|256)KW RSA-OAEP A(128|256)GCM ECDH-ES Cyphertext is put in the crypto section of the JWT Copyright © 2013 Twobo Technologies AB.
- 7. Basic Layout & Wire Format Header Key Ciphertext JWE JWE = base64url(Header) + “.” + base64url(Key) + “.” + base64url(Ciphertext) Copyright © 2013 Twobo Technologies AB.
- 8. Overview of JWK Array of public keys encoded as JSON objects Intended for inclusion in JWS for signature verification Explicit support for Elliptic Curve and RSA keys Copyright © 2013 Twobo Technologies AB.
- 9. JWK Example {“keyvalues” : {“algorithm” : “RSA”, [ “modulus” : “…”, {“algorithm” : “EC”, “exponent” : “…”, “curve” : “P-256”, “keyid” : “…”} ] “x” : “…”, } “y” : “…”, “use” : “encryption”, “keyid” : “1”}, Copyright © 2013 Twobo Technologies AB.
- 10. Overview of JWS Header input is JWT header Payload input is JWT claims Output is appended to JWT inputs & (optionally) points to the JWK that was used Supports symmetric & asymmetric signing algorithms HMAC SHA RSA SHA ECDSA w/ curve P & SHA Copyright © 2013 Twobo Technologies AB.
- 11. Basic Layout & Wire Format Header Payload JWS JWS = base64url(sig(base64url(Header) + “.” + base64url(Payload))) Copyright © 2013 Twobo Technologies AB.
- 12. Questions & Thanks @2botech @travisspencer www.2botech.com www.travisspencer.com Copyright © 2013 Twobo Technologies AB.
Editor's Notes
- #5: Crypto = Signature & Ciphertext