IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

Antonio Sanso <asanso@adobe.com> Fri, 25 April 2014 11:48 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E08101A0478 for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 04:48:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FgS33URZElwu for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 04:48:46 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id 1C9221A017B for <oauth@ietf.org>; Fri, 25 Apr 2014 04:48:45 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by CO1PR02MB205.namprd02.prod.outlook.com (10.242.165.139) with Microsoft SMTP Server (TLS) id 15.0.921.12; Fri, 25 Apr 2014 11:48:37 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.150]) with mapi id 15.00.0921.000; Fri, 25 Apr 2014 11:48:37 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples
Thread-Index: AQHPYHP4mOmW3SJu7kGrJMFJQGhvh5siN7kA
Date: Fri, 25 Apr 2014 11:48:36 +0000
Message-ID: <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com>
References: <535A3AF4.4060506@gmx.net>
In-Reply-To: <535A3AF4.4060506@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.147.117.11]
x-forefront-prvs: 0192E812EC
x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(6009001)(428001)(51694002)(199002)(189002)(377454003)(53754006)(51704005)(24454002)(74662001)(74502001)(2656002)(77982001)(79102001)(85852003)(575784001)(86362001)(83072002)(31966008)(36756003)(15975445006)(92566001)(81342001)(99286001)(80022001)(83716003)(33656001)(92726001)(20776003)(15395725003)(82746002)(15202345003)(54356999)(50986999)(46102001)(76482001)(76176999)(66066001)(87936001)(19580405001)(19580395003)(83322001)(80976001)(4396001)(81542001)(99396002)(100906001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR02MB205; H:CO1PR02MB206.namprd02.prod.outlook.com; FPR:FE6DD1D8.9A365129.BFEF31D7.8EFB6262.20536; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <E36EA60451F12C499444B05341FCC3B0@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qbE9CwFlYIyBUtqkYWhUdzXkh7k
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Apr 2014 11:48:49 -0000

hi Hannes.


On Apr 25, 2014, at 12:37 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi all,
> 
> As a document shepherd I have to verify the entire document and this
> includes the examples as well.
> 
> Section 3.1:
> 
> You write:
> 
> "
>   The following octet sequence is the UTF-8 representation of the JWT
>   Header/JWS Header above:
> 
>   [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32,
>   34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]
> "
> 
> The values IMHO are represented in Decimal code point rather than Octal
> UTF-8 bytes, as stated above.
> See the following online tool to see the difference:
> http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char
> 
> Note that you could also show a hex encoding instead (e.g., via
> http://ostermiller.org/calc/encode.html). Hixie's decoder would then
> produce the correct decoding. Here is the link to his software:
> http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder
> (Note that this program seems to have flaws for most other options.)
> 
> When do a Base64URL encoding of
> 
> {"typ":"JWT","alg":"HS256"}
> 
> then I get
> 
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
> 
> but your spec says:
> 
> eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
> 
> Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root":true}.
> 
> My result:
> eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
> 
> Your result:
> eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ

see http://www.ietf.org/mail-archive/web/oauth/current/msg11599.html

regards

antonio

> 
> Note: I am using this online tool for Base64URL encoding:
> http://kjur.github.io/jsjws/tool_b64uenc.html.
> Interestingly, when I dump the data into http://jwt.io/ then I get a
> correct decoding. It might well be that the kjur.github.io has a flaw.
> 
> Just wanted to check what tool you have used to create these encodings.
> 
> 
> Section 6.1:
> 
> The example in Section 6.1 is the same as in 3.1. Maybe it would be
> useful to show something different here.
> 
> The example in Appendix A.1 is more sophisticated since it demonstrates
> encryption. To verify it I would need to have a library that supports
> JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library
> have you been using?
> 
> I was wondering whether it would make sense to add two other examples,
> namely for integrity protection. One example showing an HMAC-based keyed
> message digest and another one using a digital signature.
> 
> Here is a simple example to add that almost all JWT libraries seem to be
> able to create and verify:
> 
> Header:
> {"alg":"HS256","typ":"JWT"}
> 
> I use the HS256 algorithm with a shared secret '12345'.
> 
> Body:
> 
> {"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":1398420753,"exp":1398424353,"iat":1398420753}
> 
> jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345",
> "HS256")
> 
> I used http://www.onlineconversion.com/unix_time.htm to create the
> date/time values:
> "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
> "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT
> "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
> 
> Here is the output created with https://github.com/progrium/pyjwt/ and
> verified with http://jwt.io/:
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4
> 
> Ciao
> Hannes
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email