Janua’s CTO sharing tips and tricks about OpenID and understanding JWT and signed JWT usage with RedHat SSO Keycloak
1) JWT token presentation
JWT token representation is described in RFC 7519
https://tools.ietf.org/html/rfc7519
A JWT token is made up of 3 parts , each of them separated by a column “.” It is of the form:
- header.payload.signature
Header and payload are base 64 encoded, and can easily be deciphered
1.1) Header:
consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.
{ "alg": "RS256", "kid": "1e9gdk7" }
1.2) Payload
It contains the claims. Claims are statements about an entity (typically, the user) and additional metadata.
PAYLOAD:DATA { "iss": "https://server.example.com", "sub": "248289761001", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970 }
1.3) Signature
1.3.1) case of HMAC algorithm – message not compromized – symetric algorithm
The signature is used to verify the message wasn’t changed along the way
In case of secret key, the siganeture is computed as follows, case of HMAC algorithm:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Note:
HMAC signature does not garantee the proof of the user who has created the token.
It only indicates that teh JWT token has not been tampered with (i.e not compromized)
1.3.2) case of RSA – message not compromized – non repudiation – asymetric algorithm
As the token is signed with a private key, it can verify with the public key that the sender of the JWT is who
it says it is
Note:
It means that you need to get hold of the public key
The algorithm used is much slower than symetric algorithm (about 1000 times slower)
2) openid connect
2.1) id_token – jwt format
The openid spec defines id_token which are delivred in response to a openid request.
id_token format is JWT, which means it is exactly what has been described in previous section.
It contains fields which are defined by the openid specification
2.2) using jwt.io debugger to decipher an jwt token
The jwt.io debugger is aavailable at https://jwt.io
It is possible to display the validate very quickly and to get a grap of an an_token or JWT token using jwt.io debugger
Example:
eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiM2QzZTRlZGItNjk3Yi00MmVmLTk3MjktNjA1MjAxMjJiZ WE2In0.eyJqdGkiOiI4MDdhYTM4Ni1kYWE4LTQ5NDQtODE1MC0zMWMwOWUxMjYzMjgi LCJleHAiOjE1MTM0NzczMDQsIm5iZiI6MCwiaWF0IjoxNTEzNDQxMzA0LCJpc3MiOiJodHR 3wOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvcmgtcXVpY2tzdGFydCIsInN1YiI6IjIy YzQzNDI5LWI0YmEtNDRmZi1iNTdlLWQxMDk3NzlhMTQ2NyIsImF1dGhfdGltZSI6MCwic2V zc2lvbl9zdGF0ZSI6IjA0M2VkNWM0LTZiOTMtNGMwNi05YWNhLTNlMzczMzFkMTk4YSIsI nJlc291cmNlX2FjY2VzcyI6e319.KBY00Bm8kWBOoNKLnkKwWysjFrqrkIFGxjME7FocZvU HEADER:ALGORITHM & TOKEN TYPE { "alg": "RS256", "kid": "1e9gdk7" } PAYLOAD:DATA { "iss": "https://server.example.com", "sub": "248289761001", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970 } SASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), Public Key or Certificate. Enter it in plain text only if you want to verify a token , Private Key. Enter the it in plain text only if you want to generate a new token. The key never leaves your browser. )
Note:
The signature cannot be verified here, as the public key used the along the private key has not been provided in this example
Hence it is indicating the error message seen here.
3) RH-SSO/Keycloak and JWT Token
RH-SSO/keycloak provides out of the the shelve HMAC and RSA algorithm when dealing with JWT token.
HMAC (symetric algoritm) is quite convenient and handy to use, but does not provide non repudiation
RSA (asymetric algoritm) does provide non repudiation, but is a much more slowers algorihtm
The user needs to get hold of the public key certificate to verify the signature
It is up to the the user to decide what is the feature teh most critical to him when dealing with JWT token: speed or non repudiation.
ECC (asymetric alogoritm) is more efficient than RSA but is not yet supported by RH-SSO/keyclaok
- New Keycloak online training - 19 janvier 2022
- Sizing Keycloak or Redhat SSO projects - 8 juin 2021
- Keycloak.X Distribution - 28 janvier 2021