Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JWT Boot Camp 2020
Search
ritou
May 22, 2020
Technology
1
7.4k
JWT Boot Camp 2020
チーム内勉強会のために作成したJSON Web Tokenについての資料です。
ritou
May 22, 2020
Tweet
Share
More Decks by ritou
See All by ritou
“パスワードレス認証への道" ユーザー認証の変遷とパスキーの関係
ritou
2
2k
パスキー導入の課題と ベストプラクティス、今後の展望
ritou
12
4.2k
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 + α
ritou
1
93
Password-less Journey - パスキーへの移行を見据えたユーザーの準備 @ AXIES 2024
ritou
4
1.7k
OIDF-J EIWG 振り返り
ritou
2
52
そのQRコード、安全ですか? / Cross Device Flow
ritou
4
530
MIXI Mと社内外のサービスを支える認証基盤を作るためにやってきたこと #MTDC2024
ritou
3
630
Passkeys and Identity Federation @ OpenID Summit Tokyo 2024
ritou
2
820
Webアプリ開発者向け パスキー対応の始め方
ritou
4
6.5k
Other Decks in Technology
See All in Technology
Snowflake Summit 2025全体振り返り / Snowflake Summit 2025 Overall Review
mtpooh
2
390
Model Mondays S2E02: Model Context Protocol
nitya
0
210
BigQuery Remote FunctionでLooker Studioをインタラクティブ化
cuebic9bic
3
260
Definition of Done
kawaguti
PRO
6
470
25分で解説する「最小権限の原則」を実現するための AWS「ポリシー」大全 / 20250625-aws-summit-aws-policy
opelab
9
1k
Amazon S3標準/ S3 Tables/S3 Express One Zoneを使ったログ分析
shigeruoda
3
450
CSS、JSをHTMLテンプレートにまとめるフロントエンド戦略
d120145
0
270
ひとり情シスなCTOがLLMと始めるオペレーション最適化 / CTO's LLM-Powered Ops
yamitzky
0
420
AWS CDK 実践的アプローチ N選 / aws-cdk-practical-approaches
gotok365
6
680
BrainPadプログラミングコンテスト記念LT会2025_社内イベント&問題解説
brainpadpr
1
160
監視のこれまでとこれから/sakura monitoring seminar 2025
fujiwara3
11
3.8k
20250625 Snowflake Summit 2025活用事例 レポート / Nowcast Snowflake Summit 2025 Case Study Report
kkuv
1
290
Featured
See All Featured
Rails Girls Zürich Keynote
gr2m
94
14k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Fireside Chat
paigeccino
37
3.5k
Done Done
chrislema
184
16k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.2k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
228
22k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
700
Why Our Code Smells
bkeepers
PRO
337
57k
Transcript
JSON Web Token boot camp 2020 ryo.ito (@ritou)
͜ͷࢿྉ͕ΉGOAL JSON Web TokenͱͲΜͳͷ͔Λཧղ͢Δ ৭ʑͳαʔϏεɺγεςϜͰΘΕ͍ͯΔJSON Web SignatureͷΈʹ͍ͭͯཧղ͢Δ Ϣʔεέʔεͱઃܭ/࣮ͷϙΠϯτΛཧ͠ɺۀͰ ҆શʹJWTΛѻ͑ΔΑ͏ʹͳΔ
JSON Web Token֓ཁ
3'$+40/8FC5PLFO +85 “JSON Web Token (JWT) is a compact, URL-
safe means of representing claims to be transferred between two parties.”
JSON Web Tokenͱ ͍ΖΜͳσʔλ(ߏԽ͞ΕͨͷόΠφϦ·Ͱ)Λ ෳͷαʔϏεɺγεςϜؒͰΓͱΓ͢ΔͨΊʹ URLηʔϑͳจࣈྻʹΤϯίʔυ͢ΔΈ͘͠ Τϯίʔυ͞Εͨจࣈྻࣗମ͕JWTͱݺΕ͍ͯΔ ॺ໊Λ͚ͭͨΓ(JSON Web Signature,
JWS)ɺ҉߸ ԽͰ͖Δ(JSON Web Encryption, JWE)
JWTੜͷ͖͔͚ͬ OpenIDϑΝϯσʔγϣϯʹΑΔOpenID Connectͷ༷ ࡦఆʹ߹ΘͤͯIETFͷJOSE WGʹ༷ͯࡦఆ։࢝ ϢʔβʔใɺೝূΠϕϯτใͷड͚͠ʹར༻ SAMLͰΘΕ͖ͯͨʮॊೈ͔ͭෳࡶͰ͋ΔXMLॺ໊ʯΑ Γ༰қʹ࣮Ͱ͖ɺίϯύΫτʹදݱͰ͖ΔηΩϡϦ ςΟτʔΫϯΛࢦͨ͠ ͦΕͰ·༷ͩͷҰ෦͔͠ΘΕ͍ͯͳ͍
Ϣʔεέʔε ൃߦऀ/ड৴ऀʹ ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ
Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷηογϣϯCookie ϩάΠϯதͷϢʔβʔใΛ֨ೲ HTTP Responseͱͯ͠ൃߦɺWebϒϥβ͕อ ࣋ɺHTTP Requestͱͯ͠ड৴
Ϣʔεέʔε: ୯ҰͷαʔϏεɺγεςϜ͕ൃߦˍड৴ WebΞϓϦέʔγϣϯͷCSRFରࡦτʔΫϯ ηογϣϯʹඥͮ͘(ηογϣϯIDͷϋογϡͳ Ͳ)Λ֨ೲ HTMLϑΥʔϜʹࢦఆɺPOSTσʔλͱͯ͠ड৴
Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢ΔࡍͷೝՄ༻τʔΫϯ APIΞΫηεʹඞཁͳϢʔβʔใͳͲΛ֨ೲ ೝূαʔόʔ͕ΫϥΠΞϯτʹൃߦɺAPIϦΫΤετ ʹ༩ͯ͠APIαʔόʔ͕ड৴
Ϣʔεέʔε: ൃߦͱड৴Λߦ͏αʔϏεɺγεςϜ͕ผ Web APIΛར༻͢Δࡍͷॺ໊͖ͭϦΫΤετ 3rdύʔςΟʔΞϓϦ͕ൃߦɺೝূαʔόʔ͕ड৴ ιʔγϟϧϩάΠϯʹ͓͚ΔϢʔβʔใͷୡ ೝূαʔόʔ͕ൃߦɺ3rdύʔςΟʔΞϓϦ͕ड৴
ϝϦοτ/σϝϦοτ ϝϦοτ ॊೈͳσʔλߏΛΓͱΓՄೳ ॺ໊ʹΑΔൃߦऀ/ड৴ऀͷݕূɺ༗ޮظݶ͚ͭΒΕΔ σϝϦοτ ҉߸ԽͰͳ͍ͷͰதΛ͚Δ ֨ೲ͢ΔใʹΑͬͯσʔλαΠζ͕૿େ
ීٴ͍ͯ͠Δཧ༝ ༷͕RFCԽ͞Ε͓ͯΓɺϥΠϒϥϦॆ࣮ ඪ४ԽϓϩτίϧͰͷ࠾༻࣮ ಠࣗͷॺ໊͖ͭΤϯίʔσΟϯά͔ΒͷҠߦͳͲ ཱ֬͞ΕͨϕετϓϥΫςΟε RFC8725 JSON Web Token BCP
JWT vs Cookie? SPAͷจ຺ͰJWT = WebStorageʹτʔΫϯอଘ +APIϦΫΤετͱ͍͏ղऍ͕͞Ε͍ͯΔ ηογϣϯID + Cookieͱൺֱ͞ΕΔ͕JWT͋͘·
ͰΤϯίʔυํ๏ͳͷͰ͕·ͱ·Βͳ͍ แܕ vs ηογϣϯID͘͠จࣈྻ + HTTP CookieͷଐੑͱͷൺֱͳͲཧ͕ඞཁ
JWT = εςʔτϨε? JWT=εςʔτϨεͱ͍͏ݻఆ؍೦͍ͬͨͳ͍ ใΛแ “Ͱ͖Δ” ಛੑΛ͍࣋ͬͯΔ͕ɺͦΕʹࢀ রͷͨΊͷΩʔΛ࣋ͬͯྑ͍ σʔλετΞͱͷΈ߹ΘͤΛߟྀ͢Δͱ෯͍ Ϣʔεέʔεʹద༻Մೳ
༷ղઆ
RFCs (7515 ~ 7519) αʔϏεɺγεςϜؒͷΓͱΓʹඞཁͳϝλσʔλʁ -> RFC7519 JSON Web Token
ॺ໊ؔ࿈(ੜɺݕূɺඞཁͳύϥϝʔλ) -> RFC7515 JSON Web Signature ҉߸Խ -> RFC7516 JSON Web Encryption ҉߸Խॺ໊ͷͨΊͷ伴දݱ -> RFC7517 JSON Web Key ΞϧΰϦζϜ -> RFC7518 JSON Web Algorithms
RFC7515 JSON Web Signature
ͱ͋Δจࣈྻ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3Mi OiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0d HA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ 4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
ࢲʹ͜͏ݟ͑·͢ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dH A6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
͜ͷจࣈྻͷਖ਼ମ RFC7515 JSON Web Signature JWS Compact Serialization : ୯Ұͷॺ໊Λ࣋ͭ
γϦΞϥΠζܗࣜ ෳͷॺؚ໊͕ΊΒΕΔJWS JSON Serializationͱ ͍͏ͷ͋Δ͕ΘΕ͍ͯΔͷݟ͔͚ͳ͍
Header eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
header
Header Base64 URL Encode͞ΕͨJWS Header {\"typ\":\"JWT\",\r\n \”alg\”:\”HS256\"} JWSࣗମͷछྨॺ໊ʹؔ͢ΔύϥϝʔλΛؚΉ
{“͔Β࢝·Δ෦͕eyJͱͳΔ
Payload eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
payload
Payload Base64 URL Encode͞ΕͨJWS Payload {\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http:// example.com/is_root\":true} PayloadJSONʹݶΒͳ͍͕ɺJSONʹؚΉඪ४తͳΫ
ϨʔϜ(ύϥϝʔλ)ͷ͕ RFC7519 ʹͯఆٛ͞Ε͍ͯΔ ൃߦऀɺड৴/ར༻ऀɺ༗ޮظݶͳͲ
Signature eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk Encoded
signature
Signature Base64 URL Encode͞ΕͨJWS Signature Encoded Header ͱ Encoded PayloadΛ࿈݁ͨ͠ͷ
ΛBase Stringͱͯ͠ར༻(໘ͳਖ਼نԽෆཁ) ͜ͷΛੜ͢ΔࡍͷΞϧΰϦζϜ͕RFC7518, 伴ද ݱ͕RFC7517Ͱఆٛ͞Ε͍ͯΔ
RFC7519 JSON Web Token
JWTΫϨʔϜ ʮ୭͕ൃߦʁ୭͕ར༻ʁ୭ͷσʔλΛදݱʁʯ “jti” : JWTࣗମͷࣝผࢠ.ϦϓϨΠ߈ܸରࡦͳͲʹར༻. “iss” : ൃߦऀͷࣝผࢠ.υϝΠϯαʔϏεࣝผࢠ. “sub” :
JWTͷओޠͱͳΔओମͷࣝผࢠ. ϢʔβʔͳͲ. “aud” : JWTͷड৴ऀɺར༻ऀͷࣝผࢠ
JWTΫϨʔϜ ʮ͍͔ͭΒ͍ͭ·Ͱ༗ޮʁ͍ͭൃߦ͞Εͨʁʯ “iat” : ൃߦ࣌ “exp” : ༗ޮظݶ “nbf” :
༗ޮظݶͷ։࢝࣌
JWTΫϨʔϜͷྫ (OIDC)
JWTΫϨʔϜ શͯར༻ඞਢͰͳ͍ : ίϯςΩετʹΑͬͯબ ϥΠϒϥϦʹΑͬͯݕূػೳΛ͍࣋ͬͯΔͷ ݕূͷཻͳͲɺཁ݅Λຬ͔ͨ͢ͷ֬ೝඞཁ
RFC7518 JSON Web Algorithms
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA ϋογϡؔ + ڞ༗伴Ͱॺ໊Λੜ ൃߦɺݕূ͕ಉҰͷ߹ͳͲͰར༻
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA RSAॺ໊ ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ RS256͕Α͘ΘΕ͍ͯΔ͕…
ॺ໊༻ΞϧΰϦζϜ “none” : ॺ໊ͳ͠ “HS256”, “HS384”, “HS512” : HMAC SHA-XXX
“RS256”, “RS384”, “RS512” : RSASSA-PKCS1-v1_5 “PS256”, “PS384”, “PS512” : RSASSA-PSS “ES256”, “ES384”, “ES512” : ECDSA ପԁۂઢॺ໊ ൿີ伴Ͱॺ໊ੜɺެ։伴Ͱݕূ ࠷ۙͷϓϩτίϧͰESܥ͕ਓؾ
ΞϧΰϦζϜͷ͍͚ ൃߦ/ड৴͕ಉҰ : HSXXX ڞ༗ൿີ伴Λ҆શʹཧ͢Δ ൃߦ/ड৴͕ผ : RSXXX, PSXXX, ESXXX
ൃߦଆ͕ड৴ଆʹެ։伴Λ͢ ߹ʹΑ͓ͬͯޓ͍ʹެ։伴Λ͠߹͏
RFC7517 JSON Web Key
伴ʹؔ͢Δ༷ 伴ͷදݱ 伴ϖΞ(ެ։伴ɺൿີ伴)ɺରশ伴 伴ͷηοτͷදݱ ϩʔςʔγϣϯ αϙʔτ͢ΔΞϧΰϦζϜͷมߋ
伴දݱͷͨΊͷύϥϝʔλ “kty” : 伴ͷछྨ “RSA”, “EC”, “oct” “use” : “sig”
“key_ops” : “sign”, “verify” “alg” : “RS256”, … , “PS256”, … , “ES256”, … “kid” : 伴ͷࣝผࢠ “x5u”, “x5c”, “x5t”, “x5t#s256” : X.509ূ໌ॻؔ࿈
伴ͷදݱ : ରশ伴
伴ͷදݱ : ൿີ伴(RSA)
伴ͷදݱ : ެ։伴(RSA)
伴ͷදݱ : ެ։伴(ପԁۂઢ)
伴ηοτͷදݱ (Google)
Ϣʔεέʔε ༗ޮͳެ։伴ใΛެ։ jwks_url : JSON ܗࣜͰ伴ใͷηοτΛฦ͢ ઃఆϑΝΠϧͰͷอ࣋ ൿີ伴
JWT(JWS)࣮ͷϙΠϯτ
RFC8725 JSON Web Token BCP https://qiita.com/ritou/items/71e58fbc0c5605ec61cb
JSON Web SignatureΛ؆୯͔ͭ҆શʹ ͏ͨΊͷkid/typύϥϝʔλͷ͍ํ https://ritou.hatenablog.com/entry/2020/03/31/142550
JWT(JWS)Λ҆શʹ͏ͨΊ ͷϙΠϯτ PayloadʹؚΉใΛΑ͘ݕ౼͢Δ ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
JWT(JWS)Λ҆શʹ͏ͨΊ ͷϙΠϯτ PayloadʹؚΉใΛΑ͘ݕ౼͢Δ(Ϣʔεέʔεґଘ) ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏(ϥΠϒϥϦΛར༻) ෳͷJWT(JWS)Λར༻͢Δࡍ༻్Λࢦఆ͠ɺഉଞ తʹݕূ͢Δ
PayloadʹؚΉใΛΑ͘ݕ ౼͢Δ ࣗॗ
ॺ໊ݕূॲཧΛ࣮֬ʹߦ͏ ॺ໊ݕূ࣌ͷΞϧΰϦζϜͷΛͲ͔͜ΒҾ͔͘ HeaderͷalgύϥϝʔλͷΛૉʹ͏ͱ߈ܸΛड͚ΔڪΕ noneʹมߋ͞ΕͯεΩοϓ͞ΕͨΓ RS256 -> HS256 Ͱެ։伴ͷϋογϡΛࢦఆ͞ΕͨΓ ཧ͍ͯ͠Δ伴ʹඥͮ͘Λར༻͠ɺHeaderͷͦͷͱ ͷൺֱʹཹΊΔ
༻్ͱॺ໊ݕূʹ ༻్ͷදݱͱࢦఆ ॺ໊ੜɺݕূ༻ͷ伴ͷཧ ্هͷݕূ
༻్ͷදݱͱࢦఆ ͑Δύϥϝʔλෳ͋Δ Header “typ” ύϥϝʔλ (ྫ: “secevent+jwt”) ɿ伴ཧͱ “kid” ύϥϝʔλ
: ༻్͝ͱʹ伴ࣗମΛ͚Δ Payload ಠࣗΫϨʔϜ : “usage” ͳͲ
༻్ͷදݱͱࢦఆ ͲΕΛ͏͔ॊೈʹஅ͖͢ ػೳ୯ҐͰ伴Λ͚ΒΕΔ : Header “kid” 伴पΓ͍͡Εͳ͍͕Header͍͡ΕΔ : Header “typ”
伴पΓHeader͍͡Εͳ͍ : ಠࣗΫϨʔϜ
“kid” Λ༻͍ͨ༻్ͷཧ ༻్͝ͱʹ伴ϦετΛΘ͚ɺॺ໊ݕূ࣌ʹར༻ ॺ໊ݕূͱ༻్ͷݕূΛ݉ͶΔ ਓ͕ؒΘ͔Γ͍͢Α͏ʹ “(༻్) + (ϥϯμϜͳจࣈ ྻͱ͔ͱ͔)” ͱ͍͏idʹ͢Δ
“typ” Λ༻͍ͨ༻్ͷཧ ॺ໊ݕূલʹఆͰ͖Δ ϥΠϒϥϦʹΑͬͯࢦఆͰ͖ͳ͍ɺࢦఆͰ͖ͯࣗ ಈͰݕূͰ͖ͳ͍ͷ͋ΔͷͰҙ
ಠࣗΫϨʔϜͷར༻ ॺ໊ݕূޙͷఆͱͳΔ ࢦఆɺݕূͱʹಠࣗͷ࣮ͱͳΔ
JWSੜɺݕূσϞʢΔ࣌ؒͳͦ͞͏ʣ
త ॺ໊͖ͭͷJSON Web Token(JSON Web Signature)ͷ ॺ໊ੜ/ݕূΛମݧ ࣮ͰϥΠϒϥϦΛ͏͜ͱΛ͓קΊ͠·͢ɻ
ඞཁͳػೳ ͜ΕΒͷػೳ͕ඞཁͰ͢ɻϓϩάϥϛϯάݴޠʹΑͬͯ ྻͷॲཧͳͲɺຊઆ໌ͱҟͳΔ݁ՌͱͳΔ߹͋ Γ·͢ɻ Base64 URL Encode / Decode (Paddingͳ͠)
JSON Encode / Decode HMAC-SHA256
JWTੜͷྲྀΕ 1. HeaderΛੜ 2. PayloadΛੜ 3. SignatureΛੜ 4. ࿈݁ͯ͠
(1) Header ར༻͢ΔHeaderύϥϝʔλ “typ” : “handson+JWT” # ϋϯζΦϯ༻ʹಠࣗఆٛ “alg” :
“HS256” # HMAC-SHA256 ར༻Λએݴ “kid” : “handson01” # 伴ཧΛҙࣝ͢ΔͨΊʹར༻
(1) Header 1. JSON Encode “{\"alg\":\"HS256\",\"kid\":\"handson01\",\"typ\": \"handson+JWT\"}” 2. Base64 URL
Encode “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0”
(2) Payload ૹΓ͍ͨσʔλ “Foo”:”Bar” “Hoge”:”Fuga”
(2) Payload 1. JSON Encode "{\"Foo\":\"Bar\",\"Hoge\":\"Fuga\"}" 2. Base64 URL Encode
“eyJGb28iOiJCYXIiLCJIb2dlIjoiRnVnYSJ9"
(3) Signature 1. Header, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
(3) Signature 2. Base StringΛHMAC-SHA256ͨ͠ΛBase64 URL Encode 伴 : “THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON”
“Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM”
(4) Base StringͱSignatureͷΛ“.”Ͱ࿈݁͢Δͱ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9.Tp0zcg2nEA1r94EijoymQTTV MwH6iaLoOpxEZf3KcVM”
JWTݕূͷྲྀΕ 1. HeaderΛݕূ 2. SignatureΛݕূ 3. (PayloadΛݕূ)
(1) Header Base64 URL Decode & JSON Decodeͨ݁͠ՌΛݕূ “typ” :
“handson+JWT” # ظ͢ΔͱҰக͢Δ? “kid” : “handson01” # αϙʔτ͍ͯ͠Δ伴? “alg” : “HS256” # kidʹඥͮ͘伴ͱΞϧΰϦζϜ͕Ұ க͢Δ?
(2) Signature ੜͱಉ༷ʹHeader, PayloadΛ“.”Ͱ࿈݁ͤͯ͞Base StringΛ࡞ “eyJhbGciOiJIUzI1NiIsImtpZCI6ImhhbmRzb24wMSI sInR5cCI6ImhhbmRzb24rSldUIn0.eyJGb28iOiJCYXIi LCJIb2dlIjoiRnVnYSJ9”
(2) Signature 2. Headerʹࢦఆ͞Εͨkidʹඥͮ͘伴ͰɺBase StringΛ HMAC-SHA256ͨ͠ΛBase64 URL Encodeͯ͠ൺֱ 伴 :
“THIS_IS_SAMPLE_KEY_FOR_JWT_HANDSON” “Tp0zcg2nEA1r94EijoymQTTVMwH6iaLoOpxEZf3Kc VM” ※ެ։伴҉߸Λར༻͢Δ߹ॺ໊ݕূ༻ͷؔΛར༻
(3) Payload ॺ໊ݕূ͕ऴΘͬͨޙʹඞཁͳΒPayloadΛݕূ (ࠓճRFC7519Ͱఆٛ͞Ε͍ͯΔiss, aud, expͳͲͷΫ ϨʔϜΛؚΜͰ͍ͳ͍ͨΊݕূෆཁ)
https://jwt.io/ ͰݕূՄೳ