
The JSON-based Identity Protocol Suite

An overview of the JSON-based identity protocol suite, including JWT, JWE, JWK, etc.



  1. The JSON-based Identity Protocol Suite
     By Travis Spencer
     Copyright © 2013 Twobo Technologies AB.
  2. Overview of the Protocol Suite
     • JavaScript Object Notation (JSON) – data encoding format popularized by AJAX & REST
     • All being defined in IETF
     • Used to encode the OAuth 2.0 security model
       – Tokens (JWT)
       – Encryption (JWE)
       – Keys (JWK)
       – Signatures (JWS)
     • OAuth 2.0 Bearer Token spec binds it to OAuth
     • Basis of OAuth and OpenID Connect
  3. Overview of JWT
     • JWT – pronounced “jot” – are lightweight tokens passed in HTTP headers & query strings
     • Three basic sections – header, claims, signature
     • Akin to SAML tokens
       – Less expressive
       – Less security options
       – Encoded w/ JSON not XML for compactness
  4. Basic Layout & Wire Format (JWT)
     • Sections: Header | Claims | Crypto
     • JWT Token = base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Crypto)
  5. Claims Section
     • Reserved (but optional) claim names
       – Expiration time (exp)
       – Not before (nbf)
       – Issued at (iat)
       – Issuer (iss)
       – Type (typ)
       – Audience (aud)
     • Public claim names
       – IANA JWT claims registry
       – Domain name, OID, or UUID
     • Private claim names – any unused name
     • Value can be any JSON type
  6. Overview of JWE
     • Used to encrypt JWTs
     • Supports symmetric & asymmetric encryption
     • Three basic sections – header, key, ciphertext
     • Plaintext may be signed first
     • Encryption algorithms
       – RSA1_5
       – RSA-OAEP
       – ECDH-ES
       – A(128|256)KW
       – A(128|256)GCM
     • Ciphertext is put in the crypto section of the JWT
  7. Basic Layout & Wire Format (JWE)
     • Sections: Header | Key | Ciphertext
     • JWE = base64url(Header) + “.” + base64url(Key) + “.” + base64url(Ciphertext)
  8. Overview of JWK
     • Array of public keys encoded as JSON objects
     • Intended for inclusion in JWS for signature verification
     • Explicit support for Elliptic Curve and RSA keys
  9. JWK Example

        {
          “keyvalues” : [
            {
              “algorithm” : “EC”,
              “curve” : “P-256”,
              “x” : “…”,
              “y” : “…”,
              “use” : “encryption”,
              “keyid” : “1”
            },
            {
              “algorithm” : “RSA”,
              “modulus” : “…”,
              “exponent” : “…”,
              “keyid” : “…”
            }
          ]
        }
  10. Overview of JWS
     • Header input is the JWT header
     • Payload input is the JWT claims
     • Output is appended to the JWT inputs & (optionally) points to the JWK that was used
     • Supports symmetric & asymmetric signing algorithms
       – HMAC SHA
       – RSA SHA
       – ECDSA w/ curve P & SHA
  11. Basic Layout & Wire Format (JWS)
     • Sections: Header | Payload | JWS
     • JWS = base64url(sig(base64url(Header) + “.” + base64url(Payload)))
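As an added worked example (not part of the slides), the following script puts slides 4, 5, 10 and 11 together: it builds the three-section wire format base64url(Header).base64url(Claims).base64url(Crypto), computes the crypto section as an HMAC-SHA256 signature over base64url(Header) + "." + base64url(Payload), and then verifies a received token by checking the signature before the reserved exp, nbf, iss and aud claims. It uses only the Python standard library; the secret, the issuer URL and the claim values are constructed demo values, not anything from the presentation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret for the HMAC SHA signing algorithm from slide 10.
# A real deployment loads its key material from a key store, never a literal.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    """base64url encoding without '=' padding, as used on the JWT wire."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Return base64url(Header) + '.' + base64url(Claims) + '.' + base64url(Crypto)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    # The JWS of slide 11: sig(base64url(Header) + "." + base64url(Payload)).
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check the signature, then the reserved time/issuer/audience claims.

    Returns the claims on success and raises ValueError on any failure, so a
    caller cannot accidentally use claims from a token that did not verify.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three sections")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides which algorithm it accepts; the header is untrusted input.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(
        secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


if __name__ == "__main__":
    demo_claims = {
        "iss": "https://issuer.example",  # constructed issuer
        "aud": "demo-api",
        "sub": "alice",
        "iat": 1000, "nbf": 1000, "exp": 2000,
    }
    token = sign_jwt(demo_claims, DEMO_SECRET)
    print(token)
    print(verify_jwt(token, DEMO_SECRET, "https://issuer.example", "demo-api", now=1500))
```

The verifier fixes the expected algorithm itself and only then compares signatures with a constant-time comparison; the time checks take an explicit `now` so expiry and not-before handling can be exercised deterministically.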
  12. Questions & Thanks
     • @2botech
     • @travisspencer
     • www.2botech.com
     • www.travisspencer.com
