Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 28 April 2014 08:37 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 959471A06D5 for <oauth@ietfa.amsl.com>; Mon, 28 Apr 2014 01:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E6g5ME-TvOfG for <oauth@ietfa.amsl.com>; Mon, 28 Apr 2014 01:37:50 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 4BEDF1A009C for <oauth@ietf.org>; Mon, 28 Apr 2014 01:37:50 -0700 (PDT)
Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MU0pN-1WWGs91LTF-00Qg2x; Mon, 28 Apr 2014 10:37:48 +0200
Message-ID: <535E127B.2010504@gmx.net>
Date: Mon, 28 Apr 2014 10:34:03 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>
References: <535A3AF4.4060506@gmx.net> <CA+k3eCTyA3PPY4BLKUjwJa91ovY5v6EhbwH+Ss2OSsajJdOOPw@mail.gmail.com>
In-Reply-To: <CA+k3eCTyA3PPY4BLKUjwJa91ovY5v6EhbwH+Ss2OSsajJdOOPw@mail.gmail.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="oXglV5iKG3lVOHlPcBuWN1lEoLA7FlgIT"
X-Provags-ID: V03:K0:hf+wSrvIv/i0r8SuOQ9MfEBEFPImDmjsWHgqxC7FDvZ3Q1jD4uO Y0apfBfYK9kWNKcTQphAOBn0VIrDdomVcjiI0BPTrnehEUKmJrjF2yppaFjue93dJRcPiL8 vXdANpkI8AiUA6kt5iNXD7evsIDfxouDvoNiaB0OQiCBas55LflhqHXU/sihWON/x9m3do0 lDxj+9qSEROTneCBBmMbQ==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/VDOThX7i140E1RzjrjDNO6KCFKw
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 08:37:52 -0000

Hi Brian,

thanks for the pointers.

It is easy to see from your code where the issue is. In your code the
\r\n sequence is added at the end of each line but due to the nature of
the ASCII draft formatting a reader only sees the \n (new line) but not
the \r carriage return.

While the draft provides the UTF-8 representation of each individual
character but, as I mentioned in my email below, none of the tools I
found produce a convenient way to use this as input for the base64url
encoding procedure.

I believe it would be good to mention that each line in the examples is
followed by the \r\n character sequence to make it easier for those who
want to re-create the examples.

What do you think?

Ciao
Hannes


On 04/25/2014 03:03 PM, Brian Campbell wrote:
> So JWT 3.1 is based entirely on, and is just a subset of, JWS Appendix
> A.1. And I've got a test which validates that example in my JOSE library
> <https://bitbucket.org/b_c/jose4j>:
> https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsUsingHmacSha256ExampleTest.java
> 
> And here's a verification of the Example Encrypted JWT from Appendix
> A.1:
> https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jwe/EncryptedJwtTest.java
> 
> The example in Section 6.1 is different than 3.1 - it's a "Plaintext
> JWT" using the "none" JWS alg. I've got verification of that one as well
> at the top of
> https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsPlaintextTest.java
> 
> 
> On Fri, Apr 25, 2014 at 4:37 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> 
>     Hi all,
> 
>     As a document shepherd I have to verify the entire document and this
>     includes the examples as well.
> 
>     Section 3.1:
> 
>     You write:
> 
>     "
>        The following octet sequence is the UTF-8 representation of the JWT
>        Header/JWS Header above:
> 
>        [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32,
>        34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]
>     "
> 
>     The values IMHO are represented in Decimal code point rather than Octal
>     UTF-8 bytes, as stated above.
>     See the following online tool to see the difference:
>     http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char
> 
>     Note that you could also show a hex encoding instead (e.g., via
>     http://ostermiller.org/calc/encode.html). Hixie's decoder would then
>     produce the correct decoding. Here is the link to his software:
>     http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder
>     (Note that this program seems to have flaws for most other options.)
> 
>     When do a Base64URL encoding of
> 
>     {"typ":"JWT","alg":"HS256"}
> 
>     then I get
> 
>     eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
> 
>     but your spec says:
> 
>     eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
> 
>     Same with
>     {"iss":"joe","exp":1300819380,"http://example.com/is_root":true}.
> 
>     My result:
>     eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
> 
>     Your result:
>     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
> 
>     Note: I am using this online tool for Base64URL encoding:
>     http://kjur.github.io/jsjws/tool_b64uenc.html.
>     Interestingly, when I dump the data into http://jwt.io/ then I get a
>     correct decoding. It might well be that the kjur.github.io
>     <http://kjur.github.io> has a flaw.
> 
>     Just wanted to check what tool you have used to create these encodings.
> 
> 
>     Section 6.1:
> 
>     The example in Section 6.1 is the same as in 3.1. Maybe it would be
>     useful to show something different here.
> 
>     The example in Appendix A.1 is more sophisticated since it demonstrates
>     encryption. To verify it I would need to have a library that supports
>     JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library
>     have you been using?
> 
>     I was wondering whether it would make sense to add two other examples,
>     namely for integrity protection. One example showing an HMAC-based keyed
>     message digest and another one using a digital signature.
> 
>     Here is a simple example to add that almost all JWT libraries seem to be
>     able to create and verify:
> 
>     Header:
>     {"alg":"HS256","typ":"JWT"}
> 
>     I use the HS256 algorithm with a shared secret '12345'.
> 
>     Body:
> 
>     {"iss":"https://as.example.com","sub":"mailto:john@example.com
>     <mailto:john@example.com>","nbf":1398420753,"exp":1398424353,"iat":1398420753}
> 
>     jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com
>     <mailto:john@example.com>","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345",
>     "HS256")
> 
>     I used http://www.onlineconversion.com/unix_time.htm to create the
>     date/time values:
>     "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
>     "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT
>     "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
> 
>     Here is the output created with https://github.com/progrium/pyjwt/ and
>     verified with http://jwt.io/:
>     eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4
> 
>     Ciao
>     Hannes
> 
> 
> 
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
> 
>