JWT/Documentation: Difference between versions

From WikiSys

Current version as of 16 July 2019, 18:27

Wikipédia

To obtain the signature, first encode the header and the payload separately with base64url, as defined in RFC 4648.

Then concatenate them, separated by a period.

The signature is computed over that result with the chosen algorithm (the one named in the header's "alg" field).

The signature is appended to the result in the same way (base64url-encoded and separated by a period).

header
{"alg":"HS512","typ":"JWT"}
payload
{"sub":"1234567890","name":"Wikipedia","iat":1516239022}
token=
eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ildpa2lwZWRpYSIsImlhdCI6MTUxNjIzOTAyMn0.
MUv0E0-ot6H--Z_76v7r-PFsbAgPdPLWIl0KDh4O0Kg_LhnNkQebfHbq8x0VtdZ_JUIaExblRzGCLPgpfIzpeA

The header and payload shown are exactly what the first two segments of this token decode to (compact JSON, no whitespace). The token is broken over three lines here for readability; the real string contains no line breaks.
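The procedure above, written out as an added example (this is not code from the WikiSys page or from any of the sources it quotes). It reproduces the page's header and payload segments byte for byte; the secret is an assumed demo value, because the page does not reveal the key behind its signature, so the third segment will differ. The verifier fixes the algorithm itself rather than trusting the token's "alg" field, and uses a constant-time comparison for the MAC. The tamper() and forge_alg_none() helpers are constructed here only to show, as the joshmorony.com excerpt later puts it, that a token cannot be altered without the secret.

```python
# Added example, not from the page: HS512 JWT signing and verification per RFC 7519/7515.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed inputs: the header and payload from the page, plus an ASSUMED secret
# (the page never discloses the secret used for its own token).
HEADER = {"alg": "HS512", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "Wikipedia", "iat": 1516239022}
DEMO_SECRET = b"demo-secret-not-from-the-page"

# Only HMAC variants are supported here; each maps to its hash function.
ALGORITHMS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json(obj: dict) -> str:
    # Compact separators: any whitespace would change the bytes that get signed.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign(header: dict, payload: dict, secret: bytes) -> str:
    """header.payload.signature, with the MAC computed over 'header.payload'."""
    signing_input = f"{encode_json(header)}.{encode_json(payload)}"
    mac = hmac.new(secret, signing_input.encode("ascii"), ALGORITHMS[header["alg"]]).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify(token: str, secret: bytes, expected_alg: str = "HS512") -> Optional[dict]:
    """Return the payload if the signature is valid, otherwise None.

    The algorithm is chosen by the verifier, not read from the token: a header
    that says "alg":"none" or names any other algorithm is rejected outright.
    """
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
        signature = b64url_decode(sig_seg)
        signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    except ValueError:  # wrong segment count, bad base64url, bad JSON, non-ASCII
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    expected = hmac.new(secret, signing_input, ALGORITHMS[expected_alg]).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    try:
        return json.loads(b64url_decode(payload_seg))
    except ValueError:
        return None


def tamper(token: str, new_payload: dict) -> str:
    """What an attacker without the secret can do: swap the payload, keep the old MAC."""
    header_seg, _, sig_seg = token.split(".")
    return f"{header_seg}.{encode_json(new_payload)}.{sig_seg}"


def forge_alg_none(new_payload: dict) -> str:
    """An unsigned token claiming alg=none; verify() must not accept it."""
    return f"{encode_json({'alg': 'none', 'typ': 'JWT'})}.{encode_json(new_payload)}."


if __name__ == "__main__":
    token = sign(HEADER, PAYLOAD, DEMO_SECRET)
    print(token)
    print("valid:", verify(token, DEMO_SECRET))
    print("tampered:", verify(tamper(token, {"sub": "0", "name": "Mallory"}), DEMO_SECRET))
    print("alg=none:", verify(forge_alg_none({"sub": "admin"}), DEMO_SECRET))
```

Run it as a script to see the three outcomes; the first two segments printed match the page's token exactly, and only the signature differs because the secret is assumed.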

Easy Angular Authentication with JSON Web Tokens

  • http://blog.angularjs.org/2016/11/easy-angular-authentication-with-json.html

Angular Security - Authentication With JSON Web Tokens (JWT): The Complete Guide

  • https://blog.angular-university.io/angular-jwt-authentication/

RFC 7519 Standards Track

Section 4.1, registered claim names:

  • 4.1.1  "iss" (Issuer) Claim
  • 4.1.2  "sub" (Subject) Claim
  • 4.1.3  "aud" (Audience) Claim
  • 4.1.4  "exp" (Expiration Time) Claim
  • 4.1.5  "nbf" (Not Before) Claim
  • 4.1.6  "iat" (Issued At) Claim
  • 4.1.7  "jti" (JWT ID) Claim
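The registered claims listed above are what a verifier checks after the signature has passed. The following is an added example (not code from the page or from RFC 7519) of such a check. It takes the current time as a parameter so it is deterministic, tolerates a small clock skew with a leeway, accepts "aud" as either a string or an array as section 4.1.3 allows, and uses "jti" to detect a token presented twice. Requiring iss, aud and exp is this example's own policy: in the RFC all of these claims are optional. The sample claims and the issuer/audience names are constructed for the example.

```python
# Added example, not from the page: validating RFC 7519 section 4.1 registered claims.
from typing import Optional

# Constructed sample data (the page's iat value is reused as the issue time).
NOW = 1516239322  # verifier's clock: 5 minutes after the page's iat
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example",
    "sub": "1234567890",
    "aud": ["api.example", "other.example"],
    "iat": 1516239022,
    "nbf": 1516239022,
    "exp": 1516239922,  # 15 minutes after iat
    "jti": "token-0001",
}


def _is_numeric_date(value) -> bool:
    """RFC 7519 NumericDate: a JSON number of seconds since the epoch (bool excluded)."""
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_claims(claims: dict, now: int, expected_iss: str, expected_aud: str,
                    leeway: int = 60, seen_jti: Optional[set] = None) -> Optional[str]:
    """Return None when the claims are acceptable, otherwise a short rejection reason.

    now is a Unix timestamp passed in explicitly so the check is deterministic;
    leeway tolerates small clock skew between issuer and verifier. When seen_jti
    (a set) is given, a jti is required and a repeated jti is treated as a replay.
    """
    # 4.1.1 "iss": only accept tokens from the issuer this verifier trusts
    if claims.get("iss") != expected_iss:
        return "iss mismatch"
    # 4.1.3 "aud": a single string or an array of strings; this verifier must be listed
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return "aud mismatch"
    # 4.1.4 "exp": reject once the current time is at or past exp (plus leeway)
    exp = claims.get("exp")
    if not _is_numeric_date(exp):
        return "exp missing"
    if now >= exp + leeway:
        return "token expired"
    # 4.1.5 "nbf": reject before the token becomes valid (minus leeway)
    nbf = claims.get("nbf")
    if nbf is not None:
        if not _is_numeric_date(nbf):
            return "nbf invalid"
        if now < nbf - leeway:
            return "token not yet valid"
    # 4.1.6 "iat": an issue time in the future points to clock trouble or forgery
    iat = claims.get("iat")
    if iat is not None:
        if not _is_numeric_date(iat):
            return "iat invalid"
        if iat > now + leeway:
            return "iat in the future"
    # 4.1.7 "jti": unique identifier, used here to detect a replayed token
    if seen_jti is not None:
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            return "jti missing"
        if jti in seen_jti:
            return "replayed jti"
        seen_jti.add(jti)
    return None


if __name__ == "__main__":
    seen = set()
    for label, claims in [
        ("good", SAMPLE_CLAIMS),
        ("expired", dict(SAMPLE_CLAIMS, exp=NOW - 120)),
        ("wrong audience", dict(SAMPLE_CLAIMS, aud="someone.example")),
        ("replay", SAMPLE_CLAIMS),
    ]:
        result = validate_claims(claims, NOW, "https://issuer.example", "api.example", seen_jti=seen)
        print(f"{label}: {'accepted' if result is None else result}")
```

The replay set grows without bound as written; a real deployment would expire entries once the corresponding exp has passed, since a token older than that is rejected by the exp check anyway.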

joshmorony.com

  • A JWT is a string that contains an encoded header, payload, and a verification signature
  • They are in the format of [header].[payload].[signature]
  • The header and payload can be easily decoded and viewed by anybody who has access to the token
  • The verification signature can be used to ensure the header and payload have not been changed
  • They are useful for authorisation, as we can identify a user by the token they possess

The important property of JSON Web Tokens for the way we use them is that, once created, they cannot be altered by anyone who does not know the secret (or private key) used to produce the verification signature: a modified header or payload no longer matches the signature, and verification fails.

So if we give a JWT to somebody to identify them, we can be sure that it is them, provided the token stays with them: a JWT is a bearer token, so whoever presents a valid one is treated as its subject, which is why it has to be protected in transit (TLS) and in storage on the client.


auth0.com

API authentication

What is a JWT?


JSON Web Token (JWT), pronounced "jot", is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

  • Compact: Because of its relatively small size, a JWT can be sent through a URL, through a POST parameter, or inside an HTTP header, and it is transmitted quickly.
  • Self-contained: A JWT contains all the required information about an entity to avoid querying a database more than once. The recipient of a JWT also does not need to call a server to validate the token.

The information contained within the JSON object can be verified and trusted because it is digitally signed. Although JWTs can also be encrypted to provide secrecy between parties, we will focus on signed tokens, which can verify the integrity of the claims contained within them, while encrypted tokens hide those claims from other parties.

JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.

Critical vulnerabilities in JSON Web Token libraries