IT:AD:JWT

Summary

A JSON Web Token (JWT) is a JSON object that is defined in RFC 7519 as a safe and compact way to represent a set of information (claims) between two parties. The token is a string composed of a header, a payload, and a signature (the signed form is a JSON Web Signature (JWS)).

header.payload.signature

The purpose of using JWT is NOT to hide data in any way (encoded and signed, not encrypted) – it is to prove that the sent data was actually created by an authentic source.

The 3 parts, separated by a dot (.), are as follows:

Header

The header describes the token type and the signing algorithm used (not encryption; the token is signed, not encrypted).

{
    "typ": "JWT",
    "alg": "HS256"
}

Payload

The payload is any valid JSON object.

IT:AD:OpenId Connect (OIDC) uses IT:AD:JWT for its IT:AD:id_token, which looks like:

{
  "sub"       : "jsmith",
  "iss"       : "https://openid.c2id.com",
  "aud"       : "client-12345",
  "nonce"     : "n-0S6_WzA2Mj",
  "auth_time" : 1311280969,
  "acr"       : "c2id.loa.hisec",
  "iat"       : 1311280970,
  "exp"       : 1311281970
}

Signature

The signature is a keyed hash (for HS256, an HMAC-SHA256) over the base64url-encoded Header and base64url-encoded Body joined with a dot, computed with the shared client secret.

JWT

The 3 parts are combined into a JWT string as follows:

var base64Header  = base64urlEncode(JSON.stringify(header));
var base64Body    = base64urlEncode(JSON.stringify(payload));
var data          = base64Header + "." + base64Body;                 // the signing input
var signatureHash = base64urlEncode(Hash(data, secret, hashAlgorithmToUse)); // e.g. HMAC-SHA256 for "HS256"
var jwt           = base64Header + "." + base64Body + "." + signatureHash;

Usage

IT:AD:OpenId Connect (OIDC) uses IT:AD:JWTs for passing back the IT:AD:id_token.

IT:AD:Single Page App (SPA)s send the JWT either in a cookie or in a request header when calling APIs (each has its own use case and advantages/disadvantages).

Once the client has received the JWT from a resource server, it can check the signature.

It does this by:

  • decoding the header and body (they're not encrypted – just base64url-encoded).
  • from the body, it can see who issued the token (the iss claim).
  • Therefore, it can look up that issuer's shared secret, in order to
  • recompute the signature over base64header + "." + base64body.
  • if the recomputed value matches the token's signature, the contents are good.

Note that the token is not encrypted – so it can only be used between trusted components.

Examples are between IT:AD:OAuth client and resource service.

Assertions

JWTs can be used as Assertions: