@vicly
Last active December 16, 2018 19:55
[OpenId OAuth2 JWT] #OAuth #JWT

ID Token

  • a JWT containing user profile information (e.g. the user's name, email, etc.), represented as claims.

Access Token

  • a credential used by an application to access a protected resource, e.g. an API
  • sent from the client to the server; the server uses the information in the token to decide whether the client is authorised or not
  • the token has an expiry time
  • must also be kept secret, but because of its shorter lifetime, the security considerations are less critical

Refresh Token

  • used to obtain a renewed access token by talking to the auth server
  • normally long-lived; can be blacklisted by the auth server
  • must be issued to a single authenticated client to prevent the use of leaked tokens by other parties
  • must be stored securely by the application because it essentially allows a user to remain authenticated forever

Sliding sessions are sessions that expire after a period of inactivity.

OpenID Connect for Authentication

Who You Are

OAuth2 for Authorization

What You Are Allowed To Do

An open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications.

  • Resource Owner: You
  • Client: a mobile app that is trying to read your Google account's basic information
  • Authorization Server:
  • Resource Server: Google servers

JWT: JSON Web Token

A standard token data structure.

  1. The client requests a token
  2. An issuer issues the token
  3. A resource server consumes the token and verifies it by talking to the trusted issuer

<HEAD>.<CLAIMS>.<SIGNATURE>

Header:
* metadata
* algorithm & key used

Claims:
* iss: issuer
* aud: audience
* iat: issuedAt
* exp: expiration
* sub: subject
* ...app-defined claims

JWT Sample

Encoded

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Decoded

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

App-defined claims could sit alongside these, e.g. "client": "xyz" or "scope": ["read", "search"].

Signature

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  <secret>
)

The resulting MAC is base64url-encoded to form the third segment of the token.
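The full issue/verify cycle for the HS256 layout above, as an added example that is not part of the gist: the secret, issuer, audience and claim values are constructed, and the sample token quoted above is decoded without a signature check only to show its three segments.

```python
import base64, hashlib, hmac, json, time

# The sample token quoted in the gist (header alg HS256; payload sub/name/admin).
SAMPLE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
                "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")
SECRET = b"constructed-demo-secret"  # constructed; a real HS256 key is >= 256 random bits

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore stripped '='

def decode_unverified(token):
    """Return (header, claims) WITHOUT checking the signature: for inspection only."""
    head_b64, claims_b64, _ = token.split(".")
    return json.loads(b64url_decode(head_b64)), json.loads(b64url_decode(claims_b64))

def sign_hs256(claims, secret):
    """Issuer side: HMACSHA256(secret, b64url(header) + "." + b64url(claims))."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, secret, issuer, audience, now=None):
    """Resource side: accept only a well-formed, correctly signed, unexpired HS256 token from the expected issuer for this audience."""
    now = time.time() if now is None else now
    head_b64, claims_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 segments
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the header choose it
    expected = hmac.new(secret, f"{head_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))  # only trusted once the MAC has passed
    if claims.get("iss") != issuer:
        raise ValueError("wrong iss")
    if claims.get("aud") != audience:
        raise ValueError("wrong aud")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def verification_error(*args, **kwargs):  # rejection reason, or None when accepted
    try:
        verify_hs256(*args, **kwargs)
    except ValueError as err:
        return str(err)
    return None
```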