The document discusses JSON Web Tokens (JWTs) which are an open standard for securely transmitting authorization data between parties as a JSON object. It describes JWTs as being relatively small, non-persistent tokens that can be signed or encrypted and support asymmetric cryptography. An example JWT is provided that contains a header specifying the signing algorithm and type, and a payload containing claims like the subject, expiration time, and authorized methods.

1. Adam Young (ayoung)
Lance Bragstad (lbragstad)
JWS tokens
Past, Present, and Future

2. IMAGINE IF
we had a token compatible with
OpenStack
and everything else

3. JWS tokens
What is a token?
Understanding historical context behind token formats
What is a JWT/S?
Comparing Fernet and JWS
Configuring JWS
Notes about key rotation and distribution
What's next for JWS?
Q&A

4. JWS tokens
What is a token?
Understanding historical context behind token formats
What is a JWT/S?
Comparing Fernet and JWS
Configuring JWS
Notes about key rotation and distribution
What's next for JWS?
Q&A

5. What is a token?
GET /v2/b5a951/servers HTTP/1.1
Host: servers.api.openstack.org
Accept: application/json
X-Auth-Token: $TOKEN

6. JWS tokens
What is a token?
Understanding historical context behind token formats
What is a JWT/S?
Comparing Fernet and JWS
Configuring JWS
Notes about key rotation and distribution
What's next for JWS?
Q&A

7. Why not use UUID tokens?
They must be persisted.
779810523fb24886b67a23f4f823b685

8. Why not use PKI tokens?
They are huge.
MIIE-gYJKoZIhvcNAQcCoIIE7zCCBOsCAQExDTALBglghkgBZQMEAgEwggNMBgkqhkiG9w0BBwGgggM9BIIDO
XsidG9rZW4iOnsibWV0aG9kcyI6WyJwYXNzd29yZCJdLCJyb2xlcyI6W3siaWQiOiIzNjBiMTc3ZDhjMjM0
N2ZmOTVlMGFjMTYxNWJhOGZiNiIsIm5hbWUiOiJhZG1pbiJ9XSwiZXhwaXJlc19hdCI6IjIwMTUtMDItMjZ
UMDU6NDg6MjYuMDk0MDk4WiIsInByb2plY3QiOnsiZG9tYWluIjp7ImlkIjoiZGVmYXVsdCIsIm5hbWUiOi
JEZWZhdWx0In0sImlkIjoiNTkwMDJjZTczOWYxNDNiYjhiMmNjMzNjYWY5OGZjZjkiLCJuYW1lIjoiYWRta
W4ifSwiY2F0YWxvZyI6W3siZW5kcG9pbnRzIjpbeyJyZWdpb25faWQiOm51bGwsInVybCI6Imh0dHA6Ly8x
MDQuMjM5LjE2My4yMTU6MzUzNTcvdjMiLCJyZWdpb24iOm51bGwsImludGVyZmFjZSI6ImFkbWluIiwiaWQ
iOiI5YTI5ZWFmMjBmNzk0MmI2YjljOTZjZmIwYWEwMmEzZSJ9LHsicmVnaW9uX2lkIjpudWxsLCJ1cmwiOi
JodHRwOi8vMTA0LjIzOS4xNjMuMjE1OjM1MzU3L3YzIiwicmVnaW9uIjpudWxsLCJpbnRlcmZhY2UiOiJwd
WJsaWMiLCJpZCI6ImQzMjMzYWZkMmI2MDQxZDRhMzlmOGFjMTIzMzc1N2ZkIn1dLCJ0eXBlIjoiaWRlbnRp
dHkiLCJpZCI6IjFiNzk2ZTIxNGY4MTQwMTE4MTA4YTdlNGU0Y2E2ZTE2IiwibmFtZSI6IktleXN0b25lIn1
dLCJleHRyYXMiOnt9LCJ1c2VyIjp7ImRvbWFpbiI6eyJpZCI6ImRlZmF1bHQiLCJuYW1lIjoiRGVmYXVsdC
J9LCJpZCI6Ijg1YTlhZjE0NWRkYjRkMTlhOTU0NGRmYmVhYzVkMWYwIiwibmFtZSI6ImFkbWluIn0sImF1Z
Gl0X2lkcyI6WyJZeW9iU2FIY1ROQ3U3c2V1c2RUdHBRIl0sImlzc3VlZF9hdCI6IjIwMTUtMDItMjZUMDU6
MzM6MjYuMDk0MTI3WiJ9fTGCAYUwggGBAgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVVuc2V0MQ4
wDAYDVQQHDAVVbnNldDEOMAwGA1UECgwFVW5zZXQxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQIBATALBg
lghkgBZQMEAgEwDQYJKoZIhvcNAQEBBQAEggEAYJR+ETbjA4RpgToeRm0qh-zxRWyBL4RdN99hLHV6foIpc
r6uXMN-DaUJvGygPDi1wi-HAbpErJAe9iRHk4+8BUnX--jQRTaYhkg237eyjpYHU8Hgt8Ydn7Wdnn0hriXK
t+RZBG-ZEnnP-MZ9V9GGJz-BoAMHx42uF5j6mlfVvUxtJGSaZ2wPROkLIHAjrX-8zEo8YhtGQHi-rFvXOoP
+w8TVb907R2WNsGs3LbFKRmDv-yev6pMnz+gQu8uImf2idd18hyEYdw8M9bgZc2YsGBiPSeIm-VhzH9qTX0
e7fK-chhAE+saIEbl5Mw0PzybhTyKHRzqtsW4HWFOlbE0yOA==

9. Why not use PKIZ tokens?
They are still huge.
PKIZ_eJxtVcmSozgUvPMVc6_oKMBgm0Mf2IzBCIpVlm4sNiAEtssLy9eP7K6Jqo4YboCUysyX7-nXL_ZopmV7
_-gger784oBtm-8VcnYnbNePwlODQj-xb6tZ1zX_qquBORqx6moVreq20nAATLUyh6rygFa1F65uG0sZeE0
brKqqgKLZtuHvr01pKZ8YSo3fX5scpnxmKW0x2Us4OQPae3MpKhPWnZJzdWfKxZG-fi6uTQaDxm9s2TPAgE
gwe10i-9DkPWLOfkwpIJWMYq32LId4c7LgfN2-2p1c5zBhG50aW8I5bxxlHw0N3tdDtndoISh1qdtLm9gDi
JMbMOwbIDgBBlpyIEZLQII7mNuJnTrDhgH2GmN1pmgRvCRgS7khSO82Oa_sjrY2ObFvaYf26ZUr_2ZgYojr
Eo683fPX78WmhOaw82MgITHtPCvhgWjzvpW2HLBwh4nX-kYgYENtmCd3BAX63IhgeMuYkUcmB4kbHsHxgb-
8wlBuC0s5c3kfzoxafpicCcPynIvy8WVkJwu5NTA56ZQ_9Xc1X27VpTutR2AwyQTILjFFDkzSxIxZgjmZvb
h4lAQ8WXyBSd9AHb2XVjrhbkNw9ATctDnzhbOb4at0Tu2RkIC4HX3DHDFBPIYhRXG1AHNKEUEy6hAPIJhw5
Cju9toUXdpzGVTue_Fp1vnOzLuy04WiG56Ap3IbDn6zfoBY5V1iz34kjR4BjL4p-AQI4JkDd4HmJ4sn2hPs
B9CZ-UOLDtdIfFVoKKFzzeBL4hm_fAELDhgVQy07TwwpjkMmg9a-0cqsTIJnPdPXDqBDC7sXSraRP-y1V4U
yJo8dcObKbfuNSBIex7YErISFqlpgI-CxUdYotmcQOy0mxeiJKYuwR5-s825z416Otjd62Hs8KyH9Ooketu
GE9oAl8aa8fBHT6U8Sw0cONyzu9pKV_sz90cLodxsh3wZ_BSn8imupO8o3S6_GsSkxhjyaW55jNAVECtm37
AUmlQQgK6eFJCAC-T-aP-v-J-IbAVuUf1aP--rxNklGMekrIRM290g8NxnFt6yjJOmd3qavvpiLRUrx5u_O
5H62JjDMH52JJMja-hhbuooSNoEsjU0iDWyGIZ1NF6itpQqJyWk10NMUjAZR2YjyUrYKaGl6Z6bxIJAGQ0V
GGgRbQ03TvPdoaZg-UIfXZr0aNlwK5Rnvg9EyVPgHAABjUS7KSaYHa3MrrJG6nffIA1tT_2c2ckbwc6Camh
aoZlWZ6s5fHiM7FSN_F4LPwIZ62eK-Ck7bCCpG5gpWk55VZuJb-wZ30-Uwfh6c4_0Srgp12Ak0si9usTwdm
uUcuHlIuqUjXarRXcN-_THIn6tdAN-nPSg57PGwD4Wt2Avm6qpmghnW1w0ZrGUX7cQ3MprKmr7nWFmkufam
ysNiZfWSqNPDabMl54Q7ykPw2Gzxx1G8gzcNvGvRvTCjTLAqtQ1dZ7xM-zxbbam8Vha3SgGNhxL8-bESItc
8SiF3PhHSXD4Mfztp16N2Em_F8CYqviBlaj917zPUwf2h-1nsiVSIpWGKeu-Gdtc6rtfD2eRWEbn5VNhNU-
wivHb8i14U1yo6RNH7qf0Y4ValpVTG9nR4NMHv39zrQjM94_ty-xc2_Erg

10. Why not use Fernet tokens?
They require symmetric encryption and signing.
gAAAAABU7roWGiCuOvgFcckec-
0ytpGnMZDBLG9hA7Hr9qfvdZDHjsak39YN98HXxoYLIqVm19Egku5YR3wyI7heVrOmPNEtmr-
fIM1rtahudEdEAPM4HCiMrBmiA1Lw6SU8jc2rPLC7FK7nBCia_BGhG17NVHuQu0S7waA306jyKNhHwUnp
sBQ=

11. JWS tokens
What is a token?
Understanding historical context behind token formats
What is a JWT/S?
Comparing Fernet and JWS
Configuring JWS
Notes about key rotation and distribution
What's next for JWS?
Q&A

12. What is a JSON Web Token?
An open standard for sharing authorization data.

13. What is a JSON Web Token?
detailed in RFC 75[1][9568]
defines a set of public claims
allows implementations to supply private claims
supports signed and encrypted payloads
supports asymmetric cryptography

14. JSON Web Token (RFC 7519)
relatively small, non-persistent, asymmetric, setup, online validation
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcGVuc3RhY2tfcHJvamVjdF9pZCI6IjMzMzNhMDQ0ZW
MyYzQxMzNhMWQ0NGI1ZmRhYjBjMjg2Iiwic3ViIjoiM2ZlMTUxMTNjZjc5NGU4ZjljNWRhZDlmMTA3M2I
wODkiLCJleHAiOjE1NTQxMzMzMzEsIm9wZW5zdGFja19hdWRpdF9pZHMiOlsiZW1BUVRCZWVSVmFidzI4
QW9FRURqdyJdLCJpYXQiOjE1NTQxMjk3MzEsIm9wZW5zdGFja19tZXRob2RzIjpbInBhc3N3b3JkIl19.
tHcVIaW43RwREduckh2itJ_RrZ5Dc-
tFElox1SsORO3Q7DsDLlWDQbuhCRuRd6_QgB0Brm1x_q7aB2lZcHy_fw=

15. JWT header
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcGVuc3RhY2tfcHJvamVjdF9pZCI6IjMzMzNhMDQ0ZW
MyYzQxMzNhMWQ0NGI1ZmRhYjBjMjg2Iiwic3ViIjoiM2ZlMTUxMTNjZjc5NGU4ZjljNWRhZDlmMTA3M2I
wODkiLCJleHAiOjE1NTQxMzMzMzEsIm9wZW5zdGFja19hdWRpdF9pZHMiOlsiZW1BUVRCZWVSVmFidzI4
QW9FRURqdyJdLCJpYXQiOjE1NTQxMjk3MzEsIm9wZW5zdGFja19tZXRob2RzIjpbInBhc3N3b3JkIl19.
tHcVIaW43RwREduckh2itJ_RrZ5Dc-
tFElox1SsORO3Q7DsDLlWDQbuhCRuRd6_QgB0Brm1x_q7aB2lZcHy_fw=

16. {"alg": "ES256", "typ": "JWT"}

17. JWT payload
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcGVuc3RhY2tfcHJvamVjdF9pZCI6IjMzMzNhMDQ0ZW
MyYzQxMzNhMWQ0NGI1ZmRhYjBjMjg2Iiwic3ViIjoiM2ZlMTUxMTNjZjc5NGU4ZjljNWRhZDlmMTA3M2I
wODkiLCJleHAiOjE1NTQxMzMzMzEsIm9wZW5zdGFja19hdWRpdF9pZHMiOlsiZW1BUVRCZWVSVmFidzI4
QW9FRURqdyJdLCJpYXQiOjE1NTQxMjk3MzEsIm9wZW5zdGFja19tZXRob2RzIjpbInBhc3N3b3JkIl19.
tHcVIaW43RwREduckh2itJ_RrZ5Dc-
tFElox1SsORO3Q7DsDLlWDQbuhCRuRd6_QgB0Brm1x_q7aB2lZcHy_fw=

18. {"openstack_project_id": "3333a044ec2c4133a1d44b5fdab0c286","sub":
"3fe15113cf794e8f9c5dad9f1073b089","exp": 1554133331,"openstack_audit_ids":
["emAQTBeeRVabw28AoEEDjw"],"iat": 1554129731,"openstack_methods": ["password"]}

19. JWT signature
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcGVuc3RhY2tfcHJvamVjdF9pZCI6IjMzMzNhMDQ0ZW
MyYzQxMzNhMWQ0NGI1ZmRhYjBjMjg2Iiwic3ViIjoiM2ZlMTUxMTNjZjc5NGU4ZjljNWRhZDlmMTA3M2I
wODkiLCJleHAiOjE1NTQxMzMzMzEsIm9wZW5zdGFja19hdWRpdF9pZHMiOlsiZW1BUVRCZWVSVmFidzI4
QW9FRURqdyJdLCJpYXQiOjE1NTQxMjk3MzEsIm9wZW5zdGFja19tZXRob2RzIjpbInBhc3N3b3JkIl19.
tHcVIaW43RwREduckh2itJ_RrZ5Dc-
tFElox1SsORO3Q7DsDLlWDQbuhCRuRd6_QgB0Brm1x_q7aB2lZcHy_fw=

20. ECDSASHA256(baseUrlEncode(header) + "." + baseUrlEncode(payload), publicKey, privateKey)

21. ECDSASHA256(baseUrlEncode(header) + "." + baseUrlEncode(payload), publicKey, privateKey)

22. ECDSASHA256(baseUrlEncode(header) + "." + baseUrlEncode(payload), publicKey, privateKey)

23. ECDSASHA256(baseUrlEncode(header) + "." + baseUrlEncode(payload), publicKey, privateKey)

24. Public claims
principal of the JWT
expiration time
issued at time

25. Public claims
"sub": "3fe15113cf794e8f9c5dad9f1073b089"
"exp": 1554133331
"iat": 1554129731

26. Private claims
token scope
auditing information
authentication methods

27. Private claims
"openstack_project_id": "3333a044ec2c4133a1d44b5fdab0c286"
"openstack_audit_ids": ["emAQTBeeRVabw28AoEEDjw"]
"openstack_methods": ["password"]

28. JWS tokens
What is a token?
Understanding historical context behind token formats
What is a JWT/S?
Comparing Fernet and JWS
Configuring JWS
Notes about key rotation and distribution
What's next for JWS?
Q&A

29. Comparing Fernet and JWS
non-persistence and online validation*
opacity, symmetric versus asymmetric, key rotation and distribution

30. Encryption and signing details
Fernet uses a 128-bit AES-CBC encryption key + 128-bit SHA256 HMAC
signing key

31. Encryption and signing details
JWS uses the ES256 JWA signing with ECDSA using the P-256 curve and
the SHA256 HMAC

32. JWS tokens
What is a token?
Understanding historical context behind token formats
What is a JWT/S?
Comparing Fernet and JWS
Configuring JWS
Notes about key rotation and distribution
What's next for JWS?
Q&A

33. Configuring JWS
keystone.conf [token] provider = jws
keystone.conf [jwt_tokens] jws_public_key_repository
keystone.conf [jwt_tokens] jws_private_key_repository

34. Configuring JWS
keystone.conf [token] provider = jws
/etc/keystone/jws-keys/public
/etc/keystone/jws-keys/private

35. JWS tokens
What is a token?
Understanding historical context behind token formats
What is a JWT/S?
Comparing Fernet and JWS
Configuring JWS
Notes about key rotation and distribution
What's next for JWS?
Q&A

36. How do we create key pairs?
keystone-manage create_jws_keypair
ECDSA key pair using a secp256r1 (NIST P-256) curve

37. JWS key rotation and distribution
on-disk key repositories
each API server needs a public-private key pair
keystone-manage doesn't handle rotation

38. JWS key-pair management
node1 node2 node3
create key pair
distribute public key
configure private key

39. JWS key-pair management
node1 node2 node3
pub1.pem create key pair
pri1.pem distribute public key
configure private key

40. JWS key-pair management
node1 node2 node3
pub1.pem pub1.pem pub1.pem create key pair
pri1.pem distribute public key
configure private key

41. JWS key-pair management
node1 node2 node3
pub1.pem pub1.pem pub1.pem create key pair
pri1.pem pub2.pem distribute public key
pri2.pem configure private key

42. JWS key-pair management
node1 node2 node3
pub1.pem pub1.pem pub1.pem create key pair
pub2.pem pub2.pem pub2.pem distribute public key
pri1.pem pri2.pem configure private key

43. JWS key-pair management
node1 node2 node3
pub1.pem pub1.pem pub1.pem create key pair
pub2.pem pub2.pem pub2.pem distribute public key
pri1.pem pri2.pem pub3.pem configure private key
pri3.pem

44. JWS key-pair management
node1 node2 node3
pub1.pem pub1.pem pub1.pem create key pair
pub2.pem pub2.pem pub2.pem distribute public key
pub3.pem pub3.pem pub3.pem configure private key
pri1.pem pri2.pem pri3.pem

45. JWS key-pair management
node1 node2 node3
pub1.pem pub1.pem pub1.pem create key pair
pub2.pem pub2.pem pub2.pem distribute public key
pub3.pem pub3.pem pub3.pem configure private key
pri1.pem pri2.pem pri3.pem

46. JWS tokens
What is a token?
Understanding historical context behind token formats
What is a JWT/S?
Comparing Fernet and JWS
Configuring JWS
Notes about key rotation and distribution
What's next for JWS?
Q&A

47. What's next for JWS?
beyond OpenStack operations
nested JWTs
offline validation
per-domain token signing
additional JWA algorithms

48. beyond OpenStack operations
test with OpenID Connect
interoperability with kubernetes
identify other JWS consumers
identify other private claims

49. nested JWTs
encrypt then sign
privacy
drop-in replacement for fernet

50. offline validation
make use of PKI
token contains all information for validation
caching role information and token catalog at the service
short token lifespan is required to avoid revocation
Keystone-to-Keystone (K2K) federation use cases

51. per-domain token signing
split massive deployments into regions
multiple domains per region
consolidate assignments
independent upgradeability across clusters

52. additional JWA algorithms
currently only support ES256
better cryto-agility