Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JWT Boot Camp 2020
Search
ritou
May 22, 2020
Technology
4
7.7k
JWT Boot Camp 2020
チーム内勉強会のために作成したJSON Web Tokenについての資料です。
ritou
May 22, 2020
Tweet
Share
More Decks by ritou
See All by ritou
“パスワードレス認証への道" ユーザー認証の変遷とパスキーの関係
ritou
2
4.8k
パスキー導入の課題と ベストプラクティス、今後の展望
ritou
12
5.8k
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 + α
ritou
1
120
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
4
1.7k
OIDF-J EIWG 振り返り
ritou
2
69
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
600
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
3
690
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
870
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6.7k
Other Decks in Technology
See All in Technology
Behind Postgres 18: The People, the Code, & the Invisible Work | Claire Giordano | PGConfEU 2025
clairegiordano
0
110
現場データから見える、開発生産性の変化コード生成AI導入・運用のリアル〜 / Changes in Development Productivity and Operational Challenges Following the Introduction of Code Generation AI
nttcom
1
460
AI駆動で進める依存ライブラリ更新 ─ Vue プロジェクトの品質向上と開発スピード改善の実践録
sayn0
1
270
Contract One Engineering Unit 紹介資料
sansan33
PRO
0
9k
ゼロコード計装導入後のカスタム計装でさらに可観測性を高めよう
sansantech
PRO
1
260
「最速」で Gemini CLI を使いこなそう! 〜Cloud Shell/Cloud Run の活用〜 / The Fastest Way to Master the Gemini CLI — with Cloud Shell and Cloud Run
aoto
PRO
1
170
だいたい分かった気になる 『SREの知識地図』 / introduction-to-sre-knowledge-map-book
katsuhisa91
PRO
3
1.4k
Biz職でもDifyでできる! 「触らないAIワークフロー」を実現する方法
igarashikana
7
3.2k
入院医療費算定業務をAIで支援する:包括医療費支払い制度とDPCコーディング (公開版)
hagino3000
0
110
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
12
81k
デザインとエンジニアリングの架け橋を目指す OPTiMのデザインシステム「nucleus」の軌跡と広げ方
optim
0
100
Dylib Hijacking on macOS: Dead or Alive?
patrickwardle
0
460
Featured
See All Featured
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
253
22k
GraphQLの誤解/rethinking-graphql
sonatard
73
11k
Git: the NoSQL Database
bkeepers
PRO
431
66k
The Straight Up "How To Draw Better" Workshop
denniskardys
238
140k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
37
2.6k
Being A Developer After 40
akosma
91
590k
Facilitating Awesome Meetings
lara
57
6.6k
It's Worth the Effort
3n
187
28k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
34
2.3k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
A Modern Web Designer's Workflow
chriscoyier
697
190k
Transcript
JSON Web Token boot camp 2020 ryo.ito (@ritou)
͜ͷࢿྉ͕ΉGOAL JSON Web TokenͱͲΜͳͷ͔Λཧղ͢Δ ৭ʑͳαʔϏεɺγεςϜͰΘΕ͍ͯΔJSON Web SignatureͷΈʹ͍ͭͯཧղ͢Δ Ϣʔεέʔεͱઃܭ/࣮ͷϙΠϯτΛཧ͠ɺۀͰ ҆શʹJWTΛѻ͑ΔΑ͏ʹͳΔ
JSON Web Token֓ཁ
3'$+40/8FC5PLFO +85 “JSON Web Token (JWT) is a compact, URL-
safe means of representing claims to be transferred between two parties.”
JSON Web Tokenͱ ͍ΖΜͳσʔλ(ߏԽ͞ΕͨͷόΠφϦ·Ͱ)Λ ෳͷαʔϏεɺγεςϜؒͰΓͱΓ͢ΔͨΊʹ URLηʔϑͳจࣈྻʹΤϯίʔυ͢ΔΈ͘͠ Τϯίʔυ͞Εͨจࣈྻࣗମ͕JWTͱݺΕ͍ͯΔ ॺ໊Λ͚ͭͨΓ(JSON Web Signature,
JWS)ɺ҉߸ ԽͰ͖Δ(JSON Web Encryption, JWE)
JWTੜͷ͖͔͚ͬ OpenIDϑΝϯσʔγϣϯʹΑΔOpenID Connectͷ༷ ࡦఆʹ߹ΘͤͯIETFͷJOSE WGʹ༷ͯࡦఆ։࢝ ϢʔβʔใɺೝূΠϕϯτใͷड͚͠ʹར༻ SAMLͰΘΕ͖ͯͨʮॊೈ͔ͭෳࡶͰ͋ΔXMLॺ໊ʯΑ Γ༰қʹ࣮Ͱ͖ɺίϯύΫτʹදݱͰ͖ΔηΩϡϦ ςΟτʔΫϯΛࢦͨ͠ ͦΕͰ·༷ͩͷҰ෦͔͠ΘΕ͍ͯͳ͍
Ϣʔεέʔε ൃߦऀ/ड৴ऀʹ ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ
Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷηογϣϯCookie ϩάΠϯதͷϢʔβʔใΛ֨ೲ HTTP Responseͱͯ͠ൃߦɺWebϒϥβ͕อ ࣋ɺHTTP Requestͱͯ͠ड৴
Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷCSRFରࡦτʔΫϯ ηογϣϯʹඥͮ͘(ηογϣϯIDͷϋογϡͳ Ͳ)Λ֨ೲ HTMLϑΥʔϜʹࢦఆɺPOSTσʔλͱͯ͠ड৴
Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢ΔࡍͷೝՄ༻τʔΫϯ APIΞΫηεʹඞཁͳϢʔβʔใͳͲΛ֨ೲ ೝূαʔόʔ͕ΫϥΠΞϯτʹൃߦɺAPIϦΫΤετ ʹ༩ͯ͠APIαʔόʔ͕ड৴
Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢Δࡍͷॺ໊͖ͭϦΫΤετ 3rdύʔςΟʔΞϓϦ͕ൃߦɺೝূαʔόʔ͕ड৴ ιʔγϟϧϩάΠϯʹ͓͚ΔϢʔβʔใͷୡ ೝূαʔόʔ͕ൃߦɺ3rdύʔςΟʔΞϓϦ͕ड৴
ϝϦοτ/σϝϦοτ ϝϦοτ ॊೈͳσʔλߏΛΓͱΓՄೳ ॺ໊ʹΑΔൃߦऀ/ड৴ऀͷݕূɺ༗ޮظݶ͚ͭΒΕΔ σϝϦοτ ҉߸ԽͰͳ͍ͷͰதΛ͚Δ ֨ೲ͢ΔใʹΑͬͯσʔλαΠζ͕૿େ
ීٴ͍ͯ͠Δཧ༝ ༷͕RFCԽ͞Ε͓ͯΓɺϥΠϒϥϦॆ࣮ ඪ४ԽϓϩτίϧͰͷ࠾༻࣮ ಠࣗͷॺ໊͖ͭΤϯίʔσΟϯά͔ΒͷҠߦͳͲ ཱ֬͞ΕͨϕετϓϥΫςΟε RFC8725 JSON Web Token BCP
JWT vs Cookie? SPAͷจ຺ͰJWT = WebStorageʹτʔΫϯอଘ +APIϦΫΤετͱ͍͏ղऍ͕͞Ε͍ͯΔ ηογϣϯID + Cookieͱൺֱ͞ΕΔ͕JWT͋͘·
ͰΤϯίʔυํ๏ͳͷͰ͕·ͱ·Βͳ͍ แܕ vs ηογϣϯID͘͠จࣈྻ + HTTP CookieͷଐੑͱͷൺֱͳͲཧ͕ඞཁ
JWT = εςʔτϨε? JWT=εςʔτϨεͱ͍͏ݻఆ؍೦͍ͬͨͳ͍ ใΛแ “Ͱ͖Δ” ಛੑΛ͍࣋ͬͯΔ͕ɺͦΕʹࢀ রͷͨΊͷΩʔΛ࣋ͬͯྑ͍ σʔλετΞͱͷΈ߹ΘͤΛߟྀ͢Δͱ෯͍ Ϣʔεέʔεʹద༻Մೳ
༷ղઆ
RFCs (7515 ~ 7519) αʔϏεɺγεςϜؒͷΓͱΓʹඞཁͳϝλσʔλʁ -> RFC7519 JSON Web Token
ॺ໊ؔ࿈(ੜɺݕূɺඞཁͳύϥϝʔλ) -> RFC7515 JSON Web Signature ҉߸Խ -> RFC7516 JSON Web Encryption ҉߸Խॺ໊ͷͨΊͷ伴දݱ -> RFC7517 JSON Web Key ΞϧΰϦζϜ -> RFC7518 JSON Web Algorithms
RFC7515 JSON Web Signature
ͱ͋Δจࣈྻ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3Mi OiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0d HA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ 4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
ࢲʹ͜͏ݟ͑·͢ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dH A6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
͜ͷจࣈྻͷਖ਼ମ RFC7515 JSON Web Signature JWS Compact Serialization : ୯Ұͷॺ໊Λ࣋ͭ
γϦΞϥΠζܗࣜ ෳͷॺؚ໊͕ΊΒΕΔJWS JSON Serializationͱ ͍͏ͷ͋Δ͕ΘΕ͍ͯΔͷݟ͔͚ͳ͍
Header eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
header
Header Base64 URL Encode͞ΕͨJWS Header {\"typ\":\"JWT\",\r\n \”alg\”:\”HS256\"} JWSࣗମͷछྨॺ໊ʹؔ͢ΔύϥϝʔλΛؚΉ
{“͔Β࢝·Δ෦͕eyJͱͳΔ
Payload eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
payload
Payload Base64 URL Encode͞ΕͨJWS Payload {\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http:// example.com/is_root\":true} PayloadJSONʹݶΒͳ͍͕ɺJSONʹؚΉඪ४తͳΫ
ϨʔϜ(ύϥϝʔλ)ͷ͕ RFC7519 ʹͯఆٛ͞Ε͍ͯΔ ൃߦऀɺड৴/ར༻ऀɺ༗ޮظݶͳͲ
Signature eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
signature
Signature Base64 URL Encode͞ΕͨJWS Signature Encoded Header ͱ Encoded PayloadΛ࿈݁ͨ͠ͷ
ΛBase Stringͱͯ͠ར༻(໘ͳਖ਼نԽෆཁ) ͜ͷΛੜ͢ΔࡍͷΞϧΰϦζϜ͕RFC7518, 伴ද ݱ͕RFC7517Ͱఆٛ͞Ε͍ͯΔ
RFC7519 JSON Web Token
JWTΫϨʔϜ ʮ୭͕ൃߦʁ୭͕ར༻ʁ୭ͷσʔλΛදݱʁʯ “jti” : JWTࣗମͷࣝผࢠ.ϦϓϨΠ߈ܸରࡦͳͲʹར༻. “iss” : ൃߦऀͷࣝผࢠ.υϝΠϯαʔϏεࣝผࢠ. “sub” :
JWTͷओޠͱͳΔओମͷࣝผࢠ. ϢʔβʔͳͲ. “aud” : JWTͷड৴ऀɺར༻ऀͷࣝผࢠ
JWTΫϨʔϜ ʮ͍͔ͭΒ͍ͭ·Ͱ༗ޮʁ͍ͭൃߦ͞Εͨʁʯ “iat” : ൃߦ࣌ “exp” : ༗ޮظݶ “nbf” :
༗ޮظݶͷ։࢝࣌
JWTΫϨʔϜͷྫ (OIDC)
JWTΫϨʔϜ શͯར༻ඞਢͰͳ͍ : ίϯςΩετʹΑͬͯબ ϥΠϒϥϦʹΑͬͯݕূػೳΛ͍࣋ͬͯΔͷ ݕূͷཻͳͲɺཁ݅Λຬ͔ͨ͢ͷ֬ೝඞཁ
RFC7518 JSON Web Algorithms
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA ϋογϡؔ + ڞ༗伴Ͱॺ໊Λੜ ൃߦɺݕূ͕ಉҰͷ߹ͳͲͰར༻
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA RSAॺ໊ ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ RS256͕Α͘ΘΕ͍ͯΔ͕…
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA ପԁۂઢॺ໊ ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ ࠷ۙͷϓϩτίϧͰESܥ͕ਓؾ
ΞϧΰϦζϜͷ͍͚ ൃߦ/ड৴͕ಉҰ : HSXXX ڞ༗ൿີ伴Λ҆શʹཧ͢Δ ൃߦ/ड৴͕ผ : RSXXX, PSXXX, ESXXX
ൃߦଆ͕ड৴ଆʹެ։伴Λ͢ ߹ʹΑ͓ͬͯޓ͍ʹެ։伴Λ͠߹͏
RFC7517 JSON Web Key
伴ʹؔ͢Δ༷ 伴ͷදݱ 伴ϖΞ(ެ։伴ɺൿີ伴)ɺରশ伴 伴ͷηοτͷදݱ ϩʔςʔγϣϯ αϙʔτ͢ΔΞϧΰϦζϜͷมߋ
伴දݱͷͨΊͷύϥϝʔλ “kty” : 伴ͷछྨ “RSA”, “EC”, “oct” “use” : “sig”
“key_ops” : “sign”, “verify” “alg” : “RS256”, … , “PS256”, … , “ES256”, … “kid” : 伴ͷࣝผࢠ “x5u”, “x5c”, “x5t”, “x5t#s256” : X.509ূ໌ॻؔ࿈
伴ͷදݱ : ରশ伴
伴ͷදݱ : ൿີ伴(RSA)
伴ͷදݱ : ެ։伴(RSA)
伴ͷදݱ : ެ։伴(ପԁۂઢ)
伴ηοτͷදݱ (Google)
Ϣʔεέʔε ༗ޮͳެ։伴ใΛެ։ jwks_url : JSON ܗࣜͰ伴ใͷηοτΛฦ͢ ઃఆϑΝΠϧͰͷอ࣋ ൿີ伴
JWT(JWS)࣮ͷϙΠϯτ
RFC8725 JSON Web Token BCP https://qiita.com/ritou/items/71e58fbc0c5605ec61cb
JSON Web SignatureΛ؆୯͔ͭ҆શʹ ͏ͨΊͷkid/typύϥϝʔλͷ͍ํ https://ritou.hatenablog.com/entry/2020/03/31/142550
JWT(JWS)Λ҆શʹ͏ͨΊ ͷϙΠϯτ PayloadʹؚΉใΛΑ͘ݕ౼͢Δ ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
JWT(JWS)Λ҆શʹ͏ͨΊ ͷϙΠϯτ PayloadʹؚΉใΛΑ͘ݕ౼͢Δ(Ϣʔεέʔεґଘ) ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏(ϥΠϒϥϦΛར༻) ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
PayloadʹؚΉใΛΑ͘ݕ ౼͢Δ ࣗॗ
ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ॺ໊ݕূ࣌ͷΞϧΰϦζϜͷΛͲ͔͜ΒҾ͔͘ HeaderͷalgύϥϝʔλͷΛૉʹ͏ͱ߈ܸΛड͚ΔڪΕ noneʹมߋ͞ΕͯεΩοϓ͞ΕͨΓ RS256 -> HS256 Ͱެ։伴ͷϋογϡΛࢦఆ͞ΕͨΓ ཧ͍ͯ͠Δ伴ʹඥͮ͘Λར༻͠ɺHeaderͷͦͷͱ ͷൺֱʹཹΊΔ
༻్ͱॺ໊ݕূʹ ༻్ͷදݱͱࢦఆ ॺ໊ੜɺݕূ༻ͷ伴ͷཧ ্هͷݕূ
༻్ͷදݱͱࢦఆ ͑Δύϥϝʔλෳ͋Δ Header “typ” ύϥϝʔλ (ྫ: “secevent+jwt”) ɿ伴ཧͱ “kid” ύϥϝʔλ
: ༻్͝ͱʹ伴ࣗମΛ͚Δ Payload ಠࣗΫϨʔϜ : “usage” ͳͲ
༻్ͷදݱͱࢦఆ ͲΕΛ͏͔ॊೈʹஅ͖͢ ػೳ୯ҐͰ伴Λ͚ΒΕΔ : Header “kid” 伴पΓ͍͡Εͳ͍͕Header͍͡ΕΔ : Header “typ”
伴पΓHeader͍͡Εͳ͍ : ಠࣗΫϨʔϜ
“kid” Λ༻͍ͨ༻్ͷཧ ༻్͝ͱʹ伴ϦετΛΘ͚ɺॺ໊ݕূ࣌ʹར༻ ॺ໊ݕূͱ༻్ͷݕূΛ݉ͶΔ ਓ͕ؒΘ͔Γ͍͢Α͏ʹ “(༻్) + (ϥϯμϜͳจࣈ ྻͱ͔ͱ͔)” ͱ͍͏idʹ͢Δ
“typ” Λ༻͍ͨ༻్ͷཧ ॺ໊ݕূલʹఆͰ͖Δ ϥΠϒϥϦʹΑͬͯࢦఆͰ͖ͳ͍ɺࢦఆͰ͖ͯࣗ ಈͰݕূͰ͖ͳ͍ͷ͋ΔͷͰҙ
ಠࣗΫϨʔϜͷར༻ ॺ໊ݕূޙͷఆͱͳΔ ࢦఆɺݕূͱʹಠࣗͷ࣮ͱͳΔ
JWSੜɺݕূσϞʢΔ࣌ؒͳͦ͞͏ʣ
త ॺ໊͖ͭͷJSON Web Token(JSON Web Signature)ͷ ॺ໊ੜ/ݕূΛମݧ ࣮ͰϥΠϒϥϦΛ͏͜ͱΛ͓קΊ͠·͢ɻ
ඞཁͳػೳ ͜ΕΒͷػೳ͕ඞཁͰ͢ɻϓϩάϥϛϯάݴޠʹΑͬͯ ྻͷॲཧͳͲɺຊઆ໌ͱҟͳΔ݁ՌͱͳΔ߹͋ Γ·͢ɻ Base64 URL Encode / Decode (Paddingͳ͠)
JSON Encode / Decode HMAC-SHA256
JWTੜͷྲྀΕ 1. HeaderΛੜ 2. PayloadΛੜ 3. SignatureΛੜ 4. ࿈݁ͯ͠
(1) Header ར༻͢ΔHeaderύϥϝʔλ “typ” : “handson+JWT” # ϋϯζΦϯ༻ʹಠࣗఆٛ “alg” :
“HS256” # HMAC-SHA256 ར༻Λએݴ “kid” : “handson01” # 伴ཧΛҙࣝ͢ΔͨΊʹར༻
(1) Header 1. JSON Encode “{\"alg\":\"HS256\",\"kid\":\"handson01\",\"typ\": \"handson+JWT\"}” 2. Base64 URL
Encode “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0”
(2) Payload ૹΓ͍ͨσʔλ “Foo”:”Bar” “Hoge”:”Fuga”
(2) Payload 1. JSON Encode "{\"Foo\":\"Bar\",\"Hoge\":\"Fuga\"}" 2. Base64 URL Encode
“eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9"
(3) Signature 1. Header, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
(3) Signature 2. Base StringΛHMAC-SHA256ͨ͠ΛBase64 URL Encode 伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON”
“Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM”
(4) Base StringͱSignatureͷΛ“.”Ͱ࿈݁͢Δͱ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTV MwH6iaLoOpxEZf3KcVM”
JWTݕূͷྲྀΕ 1. HeaderΛݕূ 2. SignatureΛݕূ 3. (PayloadΛݕূ)
(1) Header Base64 URL Decode & JSON Decodeͨ݁͠ՌΛݕূ “typ” :
“handson+JWT” # ظ͢ΔͱҰக͢Δ? “kid” : “handson01” # αϙʔτ͍ͯ͠Δ伴? “alg” : “HS256” # kidʹඥͮ͘伴ͱΞϧΰϦζϜ͕Ұ க͢Δ?
(2) Signature ੜͱಉ༷ʹHeader, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
(2) Signature 2. Headerʹࢦఆ͞Εͨkidʹඥͮ͘伴ͰɺBase StringΛ HMAC-SHA256ͨ͠ΛBase64 URL Encodeͯ͠ൺֱ 伴 :
“THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON” “Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM” ※ެ։伴҉߸Λར༻͢Δ߹ॺ໊ݕূ༻ͷؔΛར༻
(3) Payload ॺ໊ݕূ͕ऴΘͬͨޙʹඞཁͳΒPayloadΛݕূ (ࠓճRFC7519Ͱఆٛ͞Ε͍ͯΔiss, aud, expͳͲͷΫ ϨʔϜΛؚΜͰ͍ͳ͍ͨΊݕূෆཁ)
https://jwt.io/ ͰݕূՄೳ