Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 25 April 2014 11:06 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67D1B1A03B7 for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 04:06:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_tVOtbWAJPz for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 04:06:23 -0700 (PDT)
Received: from mail-ee0-x22a.google.com (mail-ee0-x22a.google.com [IPv6:2a00:1450:4013:c00::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 0852F1A017C for <oauth@ietf.org>; Fri, 25 Apr 2014 04:06:22 -0700 (PDT)
Received: by mail-ee0-f42.google.com with SMTP id d17so2713062eek.1 for <oauth@ietf.org>; Fri, 25 Apr 2014 04:06:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=uUh8oUn43Ym9YGzx5G7xkJXRWCWGd3Vpcuof2XG4d2Q=; b=ozDL6GWdSUN31+c3l+MWmV8YXxZlykajUc0B0Mu+IjBpWRQeMWd+yN4lV+YvOsh/8b 4taruf/ZN9oxsVEeUM065hTPYJAonhov2rfIfdAWFP+3JB7dRxy47xzKCHh44OuxYNSq tdupGU6DKhLc7GOUNgxuHA1mPMtadlwoLIzy+jgfjgcA+RtmP8waBLCwUTUjt75DKvQA uoIb53jKCXRTsei5Aqiz95c0/5H0JO5Bza/Rz7WTxxoF2xrjifvStbtGCbnQfyK7Hmjg gJ/Ebv0nzMGAUBbxTQ5VLu2qTIatcQRk8DHNTIVcfvVal722havgdadQOPKxmyw2oZa7 ujyw==
X-Received: by 10.14.214.198 with SMTP id c46mr10000832eep.29.1398423976190; Fri, 25 Apr 2014 04:06:16 -0700 (PDT)
Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id q41sm23953178eez.7.2014.04.25.04.06.15 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 25 Apr 2014 04:06:15 -0700 (PDT)
Message-ID: <535A41A6.1040200@gmail.com>
Date: Fri, 25 Apr 2014 12:06:14 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <535A3AF4.4060506@gmx.net>
In-Reply-To: <535A3AF4.4060506@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/RpygXduTbFvDvwJb0rBsgQ1dXqs
Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Apr 2014 11:06:25 -0000

As far as I recall the spec example uses line separators and it can 
affect the output

Thanks, Sergey

On 25/04/14 11:37, Hannes Tschofenig wrote:
> Hi all,
>
> As a document shepherd I have to verify the entire document and this
> includes the examples as well.
>
> Section 3.1:
>
> You write:
>
> "
>     The following octet sequence is the UTF-8 representation of the JWT
>     Header/JWS Header above:
>
>     [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32,
>     34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]
> "
>
> The values IMHO are represented in Decimal code point rather than Octal
> UTF-8 bytes, as stated above.
> See the following online tool to see the difference:
> http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char
>
> Note that you could also show a hex encoding instead (e.g., via
> http://ostermiller.org/calc/encode.html). Hixie's decoder would then
> produce the correct decoding. Here is the link to his software:
> http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder
> (Note that this program seems to have flaws for most other options.)
>
> When do a Base64URL encoding of
>
> {"typ":"JWT","alg":"HS256"}
>
> then I get
>
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
>
> but your spec says:
>
> eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
>
> Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root":true}.
>
> My result:
> eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
> Your result:
> eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
> Note: I am using this online tool for Base64URL encoding:
> http://kjur.github.io/jsjws/tool_b64uenc.html.
> Interestingly, when I dump the data into http://jwt.io/ then I get a
> correct decoding. It might well be that the kjur.github.io has a flaw.
>
> Just wanted to check what tool you have used to create these encodings.
>
>
> Section 6.1:
>
> The example in Section 6.1 is the same as in 3.1. Maybe it would be
> useful to show something different here.
>
> The example in Appendix A.1 is more sophisticated since it demonstrates
> encryption. To verify it I would need to have a library that supports
> JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library
> have you been using?
>
> I was wondering whether it would make sense to add two other examples,
> namely for integrity protection. One example showing an HMAC-based keyed
> message digest and another one using a digital signature.
>
> Here is a simple example to add that almost all JWT libraries seem to be
> able to create and verify:
>
> Header:
> {"alg":"HS256","typ":"JWT"}
>
> I use the HS256 algorithm with a shared secret '12345'.
>
> Body:
>
> {"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":1398420753,"exp":1398424353,"iat":1398420753}
>
> jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345",
> "HS256")
>
> I used http://www.onlineconversion.com/unix_time.htm to create the
> date/time values:
> "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
> "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT
> "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
>
> Here is the output created with https://github.com/progrium/pyjwt/ and
> verified with http://jwt.io/:
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4
>
> Ciao
> Hannes
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>