[OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 25 April 2014 10:48 UTC
Hi all,

As a document shepherd I have to verify the entire document and this includes the examples as well.

Section 3.1:

You write:

"
   The following octet sequence is the UTF-8 representation of the JWT
   Header/JWS Header above:

   [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32,
   34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]
"

The values IMHO are represented in Decimal code point rather than Octal UTF-8 bytes, as stated above.
See the following online tool to see the difference:
http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char

Note that you could also show a hex encoding instead (e.g., via http://ostermiller.org/calc/encode.html). Hixie's decoder would then produce the correct decoding. Here is the link to his software:
http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder
(Note that this program seems to have flaws for most other options.)

When I do a Base64URL encoding of

   {"typ":"JWT","alg":"HS256"}

then I get

   eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

but your spec says:

   eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9

Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root":true}.

My result:

   eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ

Your result:

   eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ

Note: I am using this online tool for Base64URL encoding:
http://kjur.github.io/jsjws/tool_b64uenc.html.
Interestingly, when I dump the data into http://jwt.io/ then I get a correct decoding. It might well be that the kjur.github.io has a flaw.

Just wanted to check what tool you have used to create these encodings.

Section 6.1:

The example in Section 6.1 is the same as in 3.1. Maybe it would be useful to show something different here.

The example in Appendix A.1 is more sophisticated since it demonstrates encryption. To verify it I would need to have a library that supports JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library have you been using?

I was wondering whether it would make sense to add two other examples, namely for integrity protection. One example showing an HMAC-based keyed message digest and another one using a digital signature.

Here is a simple example to add that almost all JWT libraries seem to be able to create and verify:

Header:

   {"alg":"HS256","typ":"JWT"}

I use the HS256 algorithm with a shared secret '12345'.

Body:

   {"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":1398420753,"exp":1398424353,"iat":1398420753}

   jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345", "HS256")

I used http://www.onlineconversion.com/unix_time.htm to create the date/time values:

   "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
   "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT
   "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT

Here is the output created with https://github.com/progrium/pyjwt/ and verified with http://jwt.io/:

   eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4

Ciao
Hannes
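Added example, not part of the original message or of the draft: a standard-library Python check of the encodings quoted above. The draft's Base64URL values encode JSON that contains CR LF SP (13, 10, 32) after each comma, the message's values encode the same JSON without whitespace, and since an HS256 MAC covers the encoded segments exactly as sent, re-serializing them breaks verification. The function names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Values quoted in the message above.
SPEC_HEADER_OCTETS = bytes([123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10,
                            32, 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125])
SPEC_HEADER = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
MSG_HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
SPEC_CLAIMS = "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
MSG_CLAIMS = "eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
MSG_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4"
KEY = b"12345"  # shared secret named in the message

def compact_reencode(segment: str) -> str:
    """Parse a segment, re-serialize it without whitespace, and encode it again."""
    obj = json.loads(b64url_decode(segment))
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def hs256_sign(header: str, claims: str, key: bytes) -> str:
    # HS256 is fixed here, never read from the token; the MAC covers "<header>.<claims>" as sent.
    mac = hmac.new(key, f"{header}.{claims}".encode("utf-8"), hashlib.sha256)
    return b64url_encode(mac.digest())

def hs256_verify(token: str, key: bytes) -> bool:
    parts = token.split(".")
    if len(parts) != 3:
        return False
    return hmac.compare_digest(hs256_sign(parts[0], parts[1], key).encode(), parts[2].encode())

def reserialization_demo():
    """Sign the draft's segments, then swap in their whitespace-free re-encodings."""
    sig = hs256_sign(SPEC_HEADER, SPEC_CLAIMS, KEY)
    as_signed = f"{SPEC_HEADER}.{SPEC_CLAIMS}.{sig}"
    rewritten = f"{compact_reencode(SPEC_HEADER)}.{compact_reencode(SPEC_CLAIMS)}.{sig}"
    return hs256_verify(as_signed, KEY), hs256_verify(rewritten, KEY)

if __name__ == "__main__":
    print("draft header encodes the octet sequence:", b64url_encode(SPEC_HEADER_OCTETS) == SPEC_HEADER)
    print("whitespace-free re-encoding equals the message's value:", compact_reencode(SPEC_HEADER) == MSG_HEADER)
    print("verifies as signed / after re-serialization:", reserialization_demo())
    print("proposed HS256 token verifies with '12345':", hs256_verify(MSG_TOKEN, KEY))
```

A verifier therefore has to compute the MAC over the received segments and must not parse and re-emit the JSON before checking it.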