JWTs: Understanding Common Pitfalls
Bruce MacDonald

Understand JWTs to use them securely. By the end of this talk you should be able to accept and validate JWTs in your own service.
- JWT format
- Usage
- Signing
- Security

How can you assert who you are online? You need a virtual piece of ID issued by an online authority.

JSON Web Token (JWT)
JSON: { "userId": "abc123", "expiry": 1672240428 }

Example token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VybmFtZSI6ImRlbW9AZXhhbXBsZS5jb20iLCJpc3N1ZWQiOjE2NzMxMTk2NDIyNDgsImV4cGlyZXMiOjE2NzMxMjA1NDIyNDh9.75cCU2dq9ynvcUVyvq31VXX95K8xOcs5_uh4cqKgiwgGG30P4-8Z69znGffYAeua52AG2ZM0IXKKPudq2bRthw

Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "email": "", "iat": "1646635611301", "exp": "1646635611801" }
Signature: the third segment of the token.

What is a symmetric signature? Signing with Hash-Based Message Authentication Codes:
Header and Payload -> Base64 encoding -> Generate HMAC with the shared key -> Unique Value -> Send with JWT as Signature

What is a symmetric signature? Validating Hash-Based Message Authentication Codes (symmetr