JWT

From MgmtWiki
Jump to: navigation, search

Full Title

JSON Web Token (JWT) -- pronounced "JOOT" as though it were Welsh.

Context

  • In OAuth 2.0 and other specs from the Open ID Foundation, there was a need for a small packed of identity information that could be coded and include in an HTTP header.
  • Since that humble beginning the JWT format has been extended in scope and more typically is delivered in the body of a post message which gets around the size limit experienced in an HTTP header.

Problems

  • The existing specs at the time the JWT was created were XML and SAML which were very wordy and not amenable to coding in an HTTP header.
  • Even now some JWT are too large for inclusion in a HTTP header.

Solutions

  • The RFC 7519 definition of the JSON Web Token (JWT). The abstract from the spec
    JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
  • Justin Richer has some suggestions.[1]

References

  1. Justin Richer, Moving On from OAuth 2: A Proposal. https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade

Other reference material

  1. JWT: The Complete Guide to JSON Web Tokens from the folks that brought you angular.
  2. JWT.IO] allows you to decode, verify and generate JWT.
  3. RFC 7515 JSON Web Signature (JWS)
    represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.
  4. RFC 7516 Json Web Encryption (JWE)
    represents encrypted content using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification. Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification
  5. RFC 7517 JSON Web Key (JWK)
    a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification
  6. RFC 7518 JSON Web Algorithms (JWA)
    registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.
  7. RFC 6749 The OAuth 2.0 Authorization Framework specification
  8. RFC 8252 OAuth 2.0 for Native Apps Specification