JSON Web Token


Dick Hardt

Oct 22, 2009, 6:12:42 PM10/22/09
to WRA...@googlegroups.com

Suggested changes to JSON format:

Use URL Safe JSON ('-', '_' instead of '+', '/', and no LFs and no padding)

Use dot '.' instead of ':' as delimiter as it is URL safe

Include HMAC in a second JSON that includes signature metadata rather than just appending base64 of HMAC. Makes it easy to have alternative signature methods, or support for encryption.

Here are specifics:

token: the attributes such as Issuer and Audience of the Access Token

signature: the method for how the token is signed or encrypted, and the signature or other information needed

urlsafe_base64encode(to_json(token)) + '.' + urlsafe_base64encode(to_json(signature))

Example:

token is

$VAR1 = {
          'com.example.auth.scope' => 'status_update',
          'com.example.auth.account' => 'Jane',
          'com.example.auth.client' => 'music.example.com',
          'ExpiresOn' => 1262438123,
          'Audience' => 'status.example.com',
          'Issuer' => 'auth.example.com'
        };

tokenJSON is {"com.example.auth.scope":"status_update","com.example.auth.account":"Jane","ExpiresOn":1262438123,"com.example.auth.client":"music.example.com","Audience":"status.example.com","Issuer":"auth.example.com"}

HMAC key in base64 is "MfdWTc+v9MXhpc+d/csoKFMPfj1RySm6CzIjmTBGN6w="

signature is

$VAR1 = {

          'hmac' => '­sÀDüFÙe`šEÌÌ| íIë        GϹïP·¯ƒ5¡#­',

          'method' => 'HMACSHA256'

        };


signatureJSON is {"hmac":"­sÀDüFÙe`šEÌÌ|\u0014íIë\tGϹïP·¯ƒ5¡#\u001f","method":"HMACSHA256"}


access_token length is 377 bytes and value is

 eyJjb20uZXhhbXBsZS5hdXRoLnNjb3BlIjoic3RhdHVzX3VwZGF0ZSIsImNvbS5leGFtcGxlLmF1dGguYWNjb3VudCI6IkphbmUiLCJFeHBpcmVzT24iOjEyNjI0MzgxMjMsImNvbS5leGFtcGxlLmF1dGguY2xpZW50IjoibXVzaWMuZXhhbXBsZS5jb20iLCJBdWRpZW5jZSI6InN0YXR1cy5leGFtcGxlLmNvbSIsIklzc3VlciI6ImF1dGguZXhhbXBsZS5jb20ifQ.eyJobWFjIjoirXPARPyQRtllYJpFzMx8XHUwMDE07UnrXHRHz7nvULevgzWhI1x1MDAxZiIsIm1ldGhvZCI6IkhNQUNTSEEyNTYifQ


Dick Hardt

Oct 22, 2009, 9:02:29 PM10/22/09
to WRA...@googlegroups.com

Realized the JSON will expect UTF-8 rather than binary data. So having a binary HMAC is not going to work. Base64 encoding a Base64 encoding is rather ugly.


          'hmac' => '­sÀDü FÙe`šEÌÌ|íIë        GϹïP·¯ƒ5¡#­',

          'method' => 'HMACSHA256'

        };


signatureJSON is {"hmac":"­sÀDü FÙe`šEÌÌ|\u0014íIë\tGϹïP·¯ƒ5¡#\u001f","method":"HMACSHA256"}
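As an added example (not code from the thread), here is a Python sketch of the two-segment format proposed in the first message, with the fix the second message points at: the token and signature JSONs are each URL-safe base64 encoded without padding and joined with '.', and the HMAC digest is itself base64url-encoded before it goes into the signature JSON, because a JSON string must be UTF-8 text and raw digest bytes generally are not. The key and claims are the thread's sample values; that the MAC covers the encoded token segment, and the shape of the verify routine, are my assumptions.

```python
import base64
import hashlib
import hmac
import json

# Sample key and claims taken from the thread; the rest of this file is an added sketch.
HMAC_KEY = base64.b64decode("MfdWTc+v9MXhpc+d/csoKFMPfj1RySm6CzIjmTBGN6w=")
TOKEN_CLAIMS = {
    "com.example.auth.scope": "status_update",
    "com.example.auth.account": "Jane",
    "com.example.auth.client": "music.example.com",
    "ExpiresOn": 1262438123,
    "Audience": "status.example.com",
    "Issuer": "auth.example.com",
}

def b64url_encode(data: bytes) -> str:
    """URL-safe base64: '-' and '_' instead of '+' and '/', no '=' padding, no LFs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def to_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")  # compact: no whitespace

def mint(claims: dict, key: bytes) -> str:
    token_seg = b64url_encode(to_json(claims))
    # Assumption: the MAC covers the encoded token segment; the digest is stored as base64url text.
    mac = hmac.new(key, token_seg.encode("ascii"), hashlib.sha256).digest()
    signature = {"method": "HMACSHA256", "hmac": b64url_encode(mac)}
    return token_seg + "." + b64url_encode(to_json(signature))

def verify(access_token: str, key: bytes, now: int):
    """Return the claims if method, MAC and ExpiresOn all check out, else None."""
    try:
        token_seg, sig_seg = access_token.split(".")
        signature = json.loads(b64url_decode(sig_seg))
        if signature.get("method") != "HMACSHA256":
            return None
        expected = hmac.new(key, token_seg.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature["hmac"])):  # constant-time
            return None
        claims = json.loads(b64url_decode(token_seg))
        if int(claims["ExpiresOn"]) <= now:
            return None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    return claims
```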
