Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JWT Boot Camp 2020
Search
ritou
May 22, 2020
Technology
1
7.1k
JWT Boot Camp 2020
チーム内勉強会のために作成したJSON Web Tokenについての資料です。
ritou
May 22, 2020
Tweet
Share
More Decks by ritou
See All by ritou
OIDF-J EIWG 振り返り
ritou
2
11
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
310
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
2
410
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
640
Webアプリ開発者向け パスキー対応の始め方
ritou
4
5.9k
様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023
ritou
3
4.4k
パスキーはユーザー認証を どう変えるのか?その特徴と導入における課題 @ devsumi 2023 9-C-1
ritou
6
12k
Android/Chromeで体験できる 認証のための標準化仕様の 現在と未来 @ DroidKaigi 2022
ritou
2
6.6k
C向けサービスで 使われている認証方式と安全な使い方
ritou
12
2.9k
Other Decks in Technology
See All in Technology
Vespaを利用したテクいベクトル検索
szdr
3
250
Unlearn Modularity
lemiorhan
6
280
多数のWebサービスをECS/Fargate構成で効率よく構築・運用するなら copilot-cli
interu
2
160
Transforming Event Attendees into Lifelong Donors: Insights from Claire Axelrad
auctria
PRO
1
110
Covariance, Contravariance & Diamond
alexdaubois
1
110
地域DXにおけるGrafana活用事例
wacky
0
370
XSS攻撃から考察するAWS設定不備の恐怖/20241012 Hironobu Otaki
shift_evolve
0
110
RDS for Db2 データ移行編 - Part2:S3経由のバックアップ・リストアでデータ移行 /20241011-RDSforDb2-dojo
mayumihirano
0
140
なぜ Rack を理解すべきかプレトーク / Why should you understand Rack - Pre-talk
hogelog
0
220
Oracle Cloud Infrastructure:2024年10月度サービス・アップデート
oracle4engineer
PRO
0
140
SOLID - Architecture and Architectural Decisions - Devfest Goa 2024
rivuchk
0
150
寒冷地稲作の歴史にみるコミュニティ
miu_crescent
2
130
Featured
See All Featured
Making the Leap to Tech Lead
cromwellryan
131
8.9k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
How to train your dragon (web standard)
notwaldorf
87
5.6k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
10 Git Anti Patterns You Should be Aware of
lemiorhan
653
59k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Visualization
eitanlees
143
15k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.8k
Pencils Down: Stop Designing & Start Developing
hursman
119
11k
GraphQLの誤解/rethinking-graphql
sonatard
65
9.9k
Transcript
JSON Web Token boot camp 2020 ryo.ito (@ritou)
͜ͷࢿྉ͕ΉGOAL JSON Web TokenͱͲΜͳͷ͔Λཧղ͢Δ ৭ʑͳαʔϏεɺγεςϜͰΘΕ͍ͯΔJSON Web SignatureͷΈʹ͍ͭͯཧղ͢Δ Ϣʔεέʔεͱઃܭ/࣮ͷϙΠϯτΛཧ͠ɺۀͰ ҆શʹJWTΛѻ͑ΔΑ͏ʹͳΔ
JSON Web Token֓ཁ
3'$+40/8FC5PLFO +85 “JSON Web Token (JWT) is a compact, URL-
safe means of representing claims to be transferred between two parties.”
JSON Web Tokenͱ ͍ΖΜͳσʔλ(ߏԽ͞ΕͨͷόΠφϦ·Ͱ)Λ ෳͷαʔϏεɺγεςϜؒͰΓͱΓ͢ΔͨΊʹ URLηʔϑͳจࣈྻʹΤϯίʔυ͢ΔΈ͘͠ Τϯίʔυ͞Εͨจࣈྻࣗମ͕JWTͱݺΕ͍ͯΔ ॺ໊Λ͚ͭͨΓ(JSON Web Signature,
JWS)ɺ҉߸ ԽͰ͖Δ(JSON Web Encryption, JWE)
JWTੜͷ͖͔͚ͬ OpenIDϑΝϯσʔγϣϯʹΑΔOpenID Connectͷ༷ ࡦఆʹ߹ΘͤͯIETFͷJOSE WGʹ༷ͯࡦఆ։࢝ ϢʔβʔใɺೝূΠϕϯτใͷड͚͠ʹར༻ SAMLͰΘΕ͖ͯͨʮॊೈ͔ͭෳࡶͰ͋ΔXMLॺ໊ʯΑ Γ༰қʹ࣮Ͱ͖ɺίϯύΫτʹදݱͰ͖ΔηΩϡϦ ςΟτʔΫϯΛࢦͨ͠ ͦΕͰ·༷ͩͷҰ෦͔͠ΘΕ͍ͯͳ͍
Ϣʔεέʔε ൃߦऀ/ड৴ऀʹ ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ
Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷηογϣϯCookie ϩάΠϯதͷϢʔβʔใΛ֨ೲ HTTP Responseͱͯ͠ൃߦɺWebϒϥβ͕อ ࣋ɺHTTP Requestͱͯ͠ड৴
Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷCSRFରࡦτʔΫϯ ηογϣϯʹඥͮ͘(ηογϣϯIDͷϋογϡͳ Ͳ)Λ֨ೲ HTMLϑΥʔϜʹࢦఆɺPOSTσʔλͱͯ͠ड৴
Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢ΔࡍͷೝՄ༻τʔΫϯ APIΞΫηεʹඞཁͳϢʔβʔใͳͲΛ֨ೲ ೝূαʔόʔ͕ΫϥΠΞϯτʹൃߦɺAPIϦΫΤετ ʹ༩ͯ͠APIαʔόʔ͕ड৴
Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢Δࡍͷॺ໊͖ͭϦΫΤετ 3rdύʔςΟʔΞϓϦ͕ൃߦɺೝূαʔόʔ͕ड৴ ιʔγϟϧϩάΠϯʹ͓͚ΔϢʔβʔใͷୡ ೝূαʔόʔ͕ൃߦɺ3rdύʔςΟʔΞϓϦ͕ड৴
ϝϦοτ/σϝϦοτ ϝϦοτ ॊೈͳσʔλߏΛΓͱΓՄೳ ॺ໊ʹΑΔൃߦऀ/ड৴ऀͷݕূɺ༗ޮظݶ͚ͭΒΕΔ σϝϦοτ ҉߸ԽͰͳ͍ͷͰதΛ͚Δ ֨ೲ͢ΔใʹΑͬͯσʔλαΠζ͕૿େ
ීٴ͍ͯ͠Δཧ༝ ༷͕RFCԽ͞Ε͓ͯΓɺϥΠϒϥϦॆ࣮ ඪ४ԽϓϩτίϧͰͷ࠾༻࣮ ಠࣗͷॺ໊͖ͭΤϯίʔσΟϯά͔ΒͷҠߦͳͲ ཱ֬͞ΕͨϕετϓϥΫςΟε RFC8725 JSON Web Token BCP
JWT vs Cookie? SPAͷจ຺ͰJWT = WebStorageʹτʔΫϯอଘ +APIϦΫΤετͱ͍͏ղऍ͕͞Ε͍ͯΔ ηογϣϯID + Cookieͱൺֱ͞ΕΔ͕JWT͋͘·
ͰΤϯίʔυํ๏ͳͷͰ͕·ͱ·Βͳ͍ แܕ vs ηογϣϯID͘͠จࣈྻ + HTTP CookieͷଐੑͱͷൺֱͳͲཧ͕ඞཁ
JWT = εςʔτϨε? JWT=εςʔτϨεͱ͍͏ݻఆ؍೦͍ͬͨͳ͍ ใΛแ “Ͱ͖Δ” ಛੑΛ͍࣋ͬͯΔ͕ɺͦΕʹࢀ রͷͨΊͷΩʔΛ࣋ͬͯྑ͍ σʔλετΞͱͷΈ߹ΘͤΛߟྀ͢Δͱ෯͍ Ϣʔεέʔεʹద༻Մೳ
༷ղઆ
RFCs (7515 ~ 7519) αʔϏεɺγεςϜؒͷΓͱΓʹඞཁͳϝλσʔλʁ -> RFC7519 JSON Web Token
ॺ໊ؔ࿈(ੜɺݕূɺඞཁͳύϥϝʔλ) -> RFC7515 JSON Web Signature ҉߸Խ -> RFC7516 JSON Web Encryption ҉߸Խॺ໊ͷͨΊͷ伴දݱ -> RFC7517 JSON Web Key ΞϧΰϦζϜ -> RFC7518 JSON Web Algorithms
RFC7515 JSON Web Signature
ͱ͋Δจࣈྻ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3Mi OiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0d HA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ 4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
ࢲʹ͜͏ݟ͑·͢ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dH A6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
͜ͷจࣈྻͷਖ਼ମ RFC7515 JSON Web Signature JWS Compact Serialization : ୯Ұͷॺ໊Λ࣋ͭ
γϦΞϥΠζܗࣜ ෳͷॺؚ໊͕ΊΒΕΔJWS JSON Serializationͱ ͍͏ͷ͋Δ͕ΘΕ͍ͯΔͷݟ͔͚ͳ͍
Header eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
header
Header Base64 URL Encode͞ΕͨJWS Header {\"typ\":\"JWT\",\r\n \”alg\”:\”HS256\"} JWSࣗମͷछྨॺ໊ʹؔ͢ΔύϥϝʔλΛؚΉ
{“͔Β࢝·Δ෦͕eyJͱͳΔ
Payload eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
payload
Payload Base64 URL Encode͞ΕͨJWS Payload {\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http:// example.com/is_root\":true} PayloadJSONʹݶΒͳ͍͕ɺJSONʹؚΉඪ४తͳΫ
ϨʔϜ(ύϥϝʔλ)ͷ͕ RFC7519 ʹͯఆٛ͞Ε͍ͯΔ ൃߦऀɺड৴/ར༻ऀɺ༗ޮظݶͳͲ
Signature eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
signature
Signature Base64 URL Encode͞ΕͨJWS Signature Encoded Header ͱ Encoded PayloadΛ࿈݁ͨ͠ͷ
ΛBase Stringͱͯ͠ར༻(໘ͳਖ਼نԽෆཁ) ͜ͷΛੜ͢ΔࡍͷΞϧΰϦζϜ͕RFC7518, 伴ද ݱ͕RFC7517Ͱఆٛ͞Ε͍ͯΔ
RFC7519 JSON Web Token
JWTΫϨʔϜ ʮ୭͕ൃߦʁ୭͕ར༻ʁ୭ͷσʔλΛදݱʁʯ “jti” : JWTࣗମͷࣝผࢠ.ϦϓϨΠ߈ܸରࡦͳͲʹར༻. “iss” : ൃߦऀͷࣝผࢠ.υϝΠϯαʔϏεࣝผࢠ. “sub” :
JWTͷओޠͱͳΔओମͷࣝผࢠ. ϢʔβʔͳͲ. “aud” : JWTͷड৴ऀɺར༻ऀͷࣝผࢠ
JWTΫϨʔϜ ʮ͍͔ͭΒ͍ͭ·Ͱ༗ޮʁ͍ͭൃߦ͞Εͨʁʯ “iat” : ൃߦ࣌ “exp” : ༗ޮظݶ “nbf” :
༗ޮظݶͷ։࢝࣌
JWTΫϨʔϜͷྫ (OIDC)
JWTΫϨʔϜ શͯར༻ඞਢͰͳ͍ : ίϯςΩετʹΑͬͯબ ϥΠϒϥϦʹΑͬͯݕূػೳΛ͍࣋ͬͯΔͷ ݕূͷཻͳͲɺཁ݅Λຬ͔ͨ͢ͷ֬ೝඞཁ
RFC7518 JSON Web Algorithms
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA ϋογϡؔ + ڞ༗伴Ͱॺ໊Λੜ ൃߦɺݕূ͕ಉҰͷ߹ͳͲͰར༻
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA RSAॺ໊ ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ RS256͕Α͘ΘΕ͍ͯΔ͕…
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA ପԁۂઢॺ໊ ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ ࠷ۙͷϓϩτίϧͰESܥ͕ਓؾ
ΞϧΰϦζϜͷ͍͚ ൃߦ/ड৴͕ಉҰ : HSXXX ڞ༗ൿີ伴Λ҆શʹཧ͢Δ ൃߦ/ड৴͕ผ : RSXXX, PSXXX, ESXXX
ൃߦଆ͕ड৴ଆʹެ։伴Λ͢ ߹ʹΑ͓ͬͯޓ͍ʹެ։伴Λ͠߹͏
RFC7517 JSON Web Key
伴ʹؔ͢Δ༷ 伴ͷදݱ 伴ϖΞ(ެ։伴ɺൿີ伴)ɺରশ伴 伴ͷηοτͷදݱ ϩʔςʔγϣϯ αϙʔτ͢ΔΞϧΰϦζϜͷมߋ
伴දݱͷͨΊͷύϥϝʔλ “kty” : 伴ͷछྨ “RSA”, “EC”, “oct” “use” : “sig”
“key_ops” : “sign”, “verify” “alg” : “RS256”, … , “PS256”, … , “ES256”, … “kid” : 伴ͷࣝผࢠ “x5u”, “x5c”, “x5t”, “x5t#s256” : X.509ূ໌ॻؔ࿈
伴ͷදݱ : ରশ伴
伴ͷදݱ : ൿີ伴(RSA)
伴ͷදݱ : ެ։伴(RSA)
伴ͷදݱ : ެ։伴(ପԁۂઢ)
伴ηοτͷදݱ (Google)
Ϣʔεέʔε ༗ޮͳެ։伴ใΛެ։ jwks_url : JSON ܗࣜͰ伴ใͷηοτΛฦ͢ ઃఆϑΝΠϧͰͷอ࣋ ൿີ伴
JWT(JWS)࣮ͷϙΠϯτ
RFC8725 JSON Web Token BCP https://qiita.com/ritou/items/71e58fbc0c5605ec61cb
JSON Web SignatureΛ؆୯͔ͭ҆શʹ ͏ͨΊͷkid/typύϥϝʔλͷ͍ํ https://ritou.hatenablog.com/entry/2020/03/31/142550
JWT(JWS)Λ҆શʹ͏ͨΊ ͷϙΠϯτ PayloadʹؚΉใΛΑ͘ݕ౼͢Δ ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
JWT(JWS)Λ҆શʹ͏ͨΊ ͷϙΠϯτ PayloadʹؚΉใΛΑ͘ݕ౼͢Δ(Ϣʔεέʔεґଘ) ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏(ϥΠϒϥϦΛར༻) ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
PayloadʹؚΉใΛΑ͘ݕ ౼͢Δ ࣗॗ
ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ॺ໊ݕূ࣌ͷΞϧΰϦζϜͷΛͲ͔͜ΒҾ͔͘ HeaderͷalgύϥϝʔλͷΛૉʹ͏ͱ߈ܸΛड͚ΔڪΕ noneʹมߋ͞ΕͯεΩοϓ͞ΕͨΓ RS256 -> HS256 Ͱެ։伴ͷϋογϡΛࢦఆ͞ΕͨΓ ཧ͍ͯ͠Δ伴ʹඥͮ͘Λར༻͠ɺHeaderͷͦͷͱ ͷൺֱʹཹΊΔ
༻్ͱॺ໊ݕূʹ ༻్ͷදݱͱࢦఆ ॺ໊ੜɺݕূ༻ͷ伴ͷཧ ্هͷݕূ
༻్ͷදݱͱࢦఆ ͑Δύϥϝʔλෳ͋Δ Header “typ” ύϥϝʔλ (ྫ: “secevent+jwt”) ɿ伴ཧͱ “kid” ύϥϝʔλ
: ༻్͝ͱʹ伴ࣗମΛ͚Δ Payload ಠࣗΫϨʔϜ : “usage” ͳͲ
༻్ͷදݱͱࢦఆ ͲΕΛ͏͔ॊೈʹஅ͖͢ ػೳ୯ҐͰ伴Λ͚ΒΕΔ : Header “kid” 伴पΓ͍͡Εͳ͍͕Header͍͡ΕΔ : Header “typ”
伴पΓHeader͍͡Εͳ͍ : ಠࣗΫϨʔϜ
“kid” Λ༻͍ͨ༻్ͷཧ ༻్͝ͱʹ伴ϦετΛΘ͚ɺॺ໊ݕূ࣌ʹར༻ ॺ໊ݕূͱ༻్ͷݕূΛ݉ͶΔ ਓ͕ؒΘ͔Γ͍͢Α͏ʹ “(༻్) + (ϥϯμϜͳจࣈ ྻͱ͔ͱ͔)” ͱ͍͏idʹ͢Δ
“typ” Λ༻͍ͨ༻్ͷཧ ॺ໊ݕূલʹఆͰ͖Δ ϥΠϒϥϦʹΑͬͯࢦఆͰ͖ͳ͍ɺࢦఆͰ͖ͯࣗ ಈͰݕূͰ͖ͳ͍ͷ͋ΔͷͰҙ
ಠࣗΫϨʔϜͷར༻ ॺ໊ݕূޙͷఆͱͳΔ ࢦఆɺݕূͱʹಠࣗͷ࣮ͱͳΔ
JWSੜɺݕূσϞʢΔ࣌ؒͳͦ͞͏ʣ
త ॺ໊͖ͭͷJSON Web Token(JSON Web Signature)ͷ ॺ໊ੜ/ݕূΛମݧ ࣮ͰϥΠϒϥϦΛ͏͜ͱΛ͓קΊ͠·͢ɻ
ඞཁͳػೳ ͜ΕΒͷػೳ͕ඞཁͰ͢ɻϓϩάϥϛϯάݴޠʹΑͬͯ ྻͷॲཧͳͲɺຊઆ໌ͱҟͳΔ݁ՌͱͳΔ߹͋ Γ·͢ɻ Base64 URL Encode / Decode (Paddingͳ͠)
JSON Encode / Decode HMAC-SHA256
JWTੜͷྲྀΕ 1. HeaderΛੜ 2. PayloadΛੜ 3. SignatureΛੜ 4. ࿈݁ͯ͠
(1) Header ར༻͢ΔHeaderύϥϝʔλ “typ” : “handson+JWT” # ϋϯζΦϯ༻ʹಠࣗఆٛ “alg” :
“HS256” # HMAC-SHA256 ར༻Λએݴ “kid” : “handson01” # 伴ཧΛҙࣝ͢ΔͨΊʹར༻
(1) Header 1. JSON Encode “{\"alg\":\"HS256\",\"kid\":\"handson01\",\"typ\": \"handson+JWT\"}” 2. Base64 URL
Encode “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0”
(2) Payload ૹΓ͍ͨσʔλ “Foo”:”Bar” “Hoge”:”Fuga”
(2) Payload 1. JSON Encode "{\"Foo\":\"Bar\",\"Hoge\":\"Fuga\"}" 2. Base64 URL Encode
“eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9"
(3) Signature 1. Header, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
(3) Signature 2. Base StringΛHMAC-SHA256ͨ͠ΛBase64 URL Encode 伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON”
“Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM”
(4) Base StringͱSignatureͷΛ“.”Ͱ࿈݁͢Δͱ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTV MwH6iaLoOpxEZf3KcVM”
JWTݕূͷྲྀΕ 1. HeaderΛݕূ 2. SignatureΛݕূ 3. (PayloadΛݕূ)
(1) Header Base64 URL Decode & JSON Decodeͨ݁͠ՌΛݕূ “typ” :
“handson+JWT” # ظ͢ΔͱҰக͢Δ? “kid” : “handson01” # αϙʔτ͍ͯ͠Δ伴? “alg” : “HS256” # kidʹඥͮ͘伴ͱΞϧΰϦζϜ͕Ұ க͢Δ?
(2) Signature ੜͱಉ༷ʹHeader, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
(2) Signature 2. Headerʹࢦఆ͞Εͨkidʹඥͮ͘伴ͰɺBase StringΛ HMAC-SHA256ͨ͠ΛBase64 URL Encodeͯ͠ൺֱ 伴 :
“THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON” “Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM” ※ެ։伴҉߸Λར༻͢Δ߹ॺ໊ݕূ༻ͷؔΛར༻
(3) Payload ॺ໊ݕূ͕ऴΘͬͨޙʹඞཁͳΒPayloadΛݕূ (ࠓճRFC7519Ͱఆٛ͞Ε͍ͯΔiss, aud, expͳͲͷΫ ϨʔϜΛؚΜͰ͍ͳ͍ͨΊݕূෆཁ)
https://jwt.io/ ͰݕূՄೳ