-
Notifications
You must be signed in to change notification settings - Fork 16
/
jwt.format.txt
102 lines (88 loc) · 6.36 KB
/
jwt.format.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
JWT
GOAL ==> #Send JSON information with crypto signature.
JWT #"JSON Web Token". JWS|JWE|JWA|JWK
application/jwt #MIME type
JWE #"JSON Web Encryption"
#ENVLOP.E_PRIVATE_KEY.JWE_IV.E_MESSAGE.E_MESSAGE_TAG
#Each part is base64'd
#Meant to communicate any type of information
ENVLOP #"JWE protected Header". Plaintext metadata|headers.
ENVLOP.alg #"KEY_ALGO"
ENVLOP.enc #"MESSAGE_ALGO"
PRIVATE_KEY #Secret key
E_PRIVATE_KEY #KEY_ALGO(PRIVATE_KEY)
JWE_IV #Random seed for a given JWE, not encrypted
MESSAGE #Message in plaintext
E_MESSAGE #MESSAGE_ALGO(MESSAGE, PRIVATE_KEY, JWE_IV, BASE64(ENVELOP))
E_MESSAGE_TAG #Generated from MESSAGE_ALGO()
JWS #"JSON Web Signature"
#ENVLOP.PAYLOAD.SIGN
#Each part is base64'd
#Meant to communicate authentication information.
ENVLOP #"JOSE Header". Plaintext metadata|headers.
#Required: typ, alg
ENVLOP.typ #"JWT"
ENVLOP.alg #"JWS_ALGO"
ENVLOP.cty #PAYLOAD_MIME
#Can be "JWT", for nested JWT
ENVLOP.x5c #PUBLIC_KEY_CERT
ENVLOP.x5u #PUBLIC_KEY_CERT_URL
ENVLOP.x5t #PUBLIC_KEY_CERT_THUMBPRINT
ENVLOP.kid #PUBLIC_KEY_ID
ENVLOP.jwk #PUBLIC_KEY
ENVLOP.jku #PUBLIC_KEY_OBJ
PAYLOAD #"Claims set". Plaintext request payload.
#Should be checked.
#All fields optional
PAYLOAD.iat #DATE_NUM. Issued time
#Should be set 60s in past in case of time drift
PAYLOAD.nbf #DATE_NUM. Start time
PAYLOAD.exp #DATE_NUM. End time
PAYLOAD.iss #ISSUER. Giving entity. Should verify
PAYLOAD.aud #AUDIENCE. Receiving entity. Should verify
PAYLOAD.sub #USER_ID
PAYLOAD.jti #JWT ID
PAYLOAD.* #Any custom properties
SIGN #Signature of ENVLOP.PAYLOAD.
#JWS_ALGO(BASE64(ENVLOP).BASE64(PAYLOAD), PRIVATEKEY)
#Can check with CRYPTO.createVerify("sha256").update(ENVLOP.PAYLOAD).verify(PUBLICKEY, SIGN, "base64")
JWA #"JSON Web Algorithm". Encryption algorithms used in JWS|JWE
KEY_ALGO #One of:
# - RSA1_5|RSA-OAEP[-256]: RSA variants
# - A128|192|256[GCM]KW: AES [GCM] Key Wrap with 128|192|256-bit key
# - with GCM, can use parameters ?iv|tag
# - dir: shared symmetric key as the CEK
# - ECDH-ES[+A128|192|256KW]: ECDH-ES with Concat KDF [+ A128|192|256KW]
# - can use parameters ?epk|apu|apv
# - PBES2-HS256|384|512+A128|192|256KW: PBES2 with HMAC SHA-256|384|512 and A128|192|256KW
# - can use parameters ?p2s|p2c
MESSAGE_ALGO #One of:
# - A128|192|256GCM: AES GCM with 128|192|256-bit key
# - A128|192|256CBC-HS256|384|512: AES CBC with SHA128|192|256 and HMAC
JWS_ALGO #One of:
# - HS256|384|512: HMAC-SHA, symmetric algo (recipient must have PRIVATE_KEY)
# - RS256|384|512: RSASSA-PKCS-v1.5 SHA, asym. also (recipient must have PUBLIC_KEY)
# - ES256|384|512: ECDSA with SHA
# - PS256|384|512: RSASSA-PSS SHA and MGF1
# - none
JWKS #"JSON Web Key set". ARR of JWK
DOMAIN/.well-known/jwks.json #"jwks_uri". Must return JWKS, as JSON
JWKS.keys #JWK_ARR
JWK #"JSON Web Key". Secret key used in JWS|JWE
JWK.alg #'ALGO' (like JWA)
JWK.kty #'RSA|EC'. ALGO family.
JWK.use #Either 'sig' (JWS, signature) or 'enc' (JWE, encryption)
JWK.key_ops #STR_ARR of purposes among:
# - 'sign|verify': hash|MAC
# - 'encrypt|decrypt': encrypt content
# - '[un]wrapKey': encrypt key
# - 'deriveKey': create key
# - 'deriveBits': create random bits
JWK.x5c #STR_ARR. x509 certificate chain
JWK.x5t #STR. x509 certificate thumbprint (SHA1)
JWK.x5u #STR. x509 URL
JWK.n #STR. Modulus of RSA public key
JWK.e #STR. Exponent of RSA public key
JWK.kid #STR. JWK ID