The JSON-based Identity Protocol Suite
- 2. Overview of the Protocol Suite
JavaScript Object Notation (JSON) – Data encoding format popularized by AJAX & REST
All being defined in the IETF
Used to encode the OAuth 2.0 security model
Tokens (JWT)
Encryption (JWE)
Keys (JWK)
Signatures (JWS)
OAuth 2.0 Bearer Token spec binds it to OAuth
Basis of OAuth and OpenID Connect
Copyright © 2013 Twobo Technologies AB.
- 3. Overview of JWT
JWT – pronounced “jot” – are lightweight tokens passed in HTTP headers & query strings
Three basic sections – header, claims, signature
Akin to SAML tokens
Less expressive
Fewer security options
Encoded w/ JSON not XML for compactness
- 4. Basic Layout & Wire Format
Header
Claims
Crypto
JWT Token
base64url(Header) + "." + base64url(Claims) + "." + base64url(Crypto)
- 5. Claims Section
Reserved (but optional) claim names
Expiration time (exp)
Not before (nbf)
Issued at (iat)
Issuer (iss)
Type (typ)
Audience (aud)
Public claim names
IANA JWT claims registry
Domain name, OID, or UUID
Private claim names – Any unused name
Value can be any JSON type
- 6. Overview of JWE
Used to encrypt JWTs
Supports symmetric & asymmetric encryption
Three basic sections – header, key, ciphertext
Plaintext may be signed first
Encryption algorithms
RSA1_5
RSA-OAEP
ECDH-ES
A(128|256)KW
A(128|256)GCM
Ciphertext is put in the crypto section of the JWT
- 7. Basic Layout & Wire Format
Header
Key
Ciphertext
JWE
JWE = base64url(Header) + "." + base64url(Key) + "." + base64url(Ciphertext)
- 8. Overview of JWK
Array of public keys encoded as JSON objects
Intended for inclusion in JWS for signature verification
Explicit support for Elliptic Curve and RSA keys
- 9. JWK Example
{"keyvalues" :
  [
    {"algorithm" : "EC",
     "curve" : "P-256",
     "x" : "…",
     "y" : "…",
     "use" : "encryption",
     "keyid" : "1"},
    {"algorithm" : "RSA",
     "modulus" : "…",
     "exponent" : "…",
     "keyid" : "…"}
  ]
}
- 10. Overview of JWS
Header input is JWT header
Payload input is JWT claims
Output is appended to JWT inputs & (optionally) points to the JWK that was used
Supports symmetric & asymmetric signing algorithms
HMAC SHA
RSA SHA
ECDSA w/ curve P & SHA
- 11. Basic Layout & Wire Format
Header
Payload
JWS
JWS = base64url(sig(base64url(Header) + "." + base64url(Payload)))
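The wire format above, the reserved claims of the claims slide and the HMAC SHA signing algorithm combined into one runnable round trip. This is an added example, not code from the slides or from Twobo; it uses only the Python standard library, and the signing key and claim values are constructed for the demo.

```python
# Added example (not from the slides): build and verify an HS256-signed JWT
# laid out as base64url(Header) "." base64url(Claims) "." base64url(Signature).
import base64, hashlib, hmac, json, time

def b64url(raw: bytes) -> str:
    # base64url without "=" padding, as the JOSE formats require
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    # Header names the signing algorithm (HMAC SHA-256) and the token type.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, key: bytes, audience: str, now=None) -> dict:
    """Return the claims if signature, exp/nbf and aud all check out, else raise."""
    now = int(time.time()) if now is None else now
    head_b64, claims_b64, sig_b64 = token.split(".")   # exactly three sections
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm on the verifier side; never let the token pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    # Reserved claims: exp is exclusive, nbf is inclusive, aud must match us.
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    return claims

KEY = b"constructed-demo-key-not-for-production"   # constructed sample secret
SAMPLE_CLAIMS = {"iss": "https://issuer.example", "aud": "api.example",
                 "iat": 1_700_000_000, "nbf": 1_700_000_000, "exp": 1_700_003_600}

if __name__ == "__main__":
    tok = sign_jwt(SAMPLE_CLAIMS, KEY)
    print(tok)
    print(verify_jwt(tok, KEY, "api.example", now=1_700_000_100))
```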
- 12. Questions & Thanks
@2botech
@travisspencer
www.2botech.com
www.travisspencer.com
Editor's Notes
- Crypto = Signature & Ciphertext