json web token

JSON WEB TOKEN

Deddy Setyadi

It ships information that can be verifiedand trustedwith a digital signature

JWT ?

http://searchsecurity.techtarget.com/definition/digital-signature

Stateless JWT allow the server to verify the information contained in the JWT without necessarily storing state on the server.

http://secure.indas.on.ca

http://softwareengineering.stackexchange.com/a/101338

http://softwareengineering.stackexchange.com/a/101338

http://www.slideshare.net/liuggio/json-web-token-api-authorization

NO NEED PROTECT AGAINST CSRF

https://www.incapsula.com/web-application-security/csrf-cross-site-request-forgery.html

AVOID Man-in-the-middle

https://blog.digicert.com/thwarting-man-middle/

JSON WEB TOKEN

https://scotch.io/tutorials/the-anatomy-of-a-json-web-token

Header{

"typ": "JWT",

"alg": "HS256"

}

PARTS OF The header :

● declaring the type, which is JWT

● the hashing algorithm to use

Common JWT Signing AlgorithmsHS256 HMAC using SHA-256

RS256 RSASSA-PKCS1-v1_5 using SHA-256

ES256 ECDSA using P-256 and SHA-256

https://tools.ietf.org/html/rfc7518#section-3

PayloadCarry the information that we want to transmit, also called

the JWT Claims.

{

"iss": "scotch.io",

"exp": 1300819380,

"name": "Chris Sevilleja",

"admin": true

}

ReSERVED Claims� iss

The issuer of the token.

� subThe subject of the token.

� aud

The audience of the token.

� exp

This will define the expiration.

� nbfthe time before which the JWT MUST NOT be accepted.

� iatThe time the JWT was issued.

� jti

Unique identifier for the JWT.https://tools.ietf.org/html/rfc7518#section-3

SignatureMade up of a hash of the following components:● the header● the payload● secret

var encodedString =

base64UrlEncode(header) + "." +

base64UrlEncode(payload);

HMACSHA256(encodedString,'secret');

Full JSON of JWTeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.

eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjEz

MDA4MTkzODAsIm5hbWUiOiJDaHJpcyB

TZXZpbGxlamEiLCJhZG1pbiI6dHJ1ZX0.

03f329983b86f7d9a9f5fef85305880101d5e302

afafa20154d094b229f757

HEADER

CLAIMS

SIGNATURE

References

● http://www.slideshare.net/liuggio/json-web-token-api-a

uthorization

● https://scotch.io/tutorials/the-anatomy-of-a-json-web-t

oken

● https://auth0.com/blog/json-web-token-signing-algorit

hms-overview/

● http://jwt.io

● https://blog.digicert.com/thwarting-man-middle/

● https://www.incapsula.com/web-application-security/cs

rf-cross-site-request-forgery.html







https://auth0.com/blog/json-web-token-signing-algorithms-overview/



http://jwt.io

http://jwt.io






json web token

Technology