Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web Tokens
Download as PPTX, PDF0 likes577 views
The document discusses JSON Web Tokens (JWTs) and their application in authentication and authorization using frameworks like SAML2, OAuth, and OpenID. It explains how JWTs are structured, their claims, and the security implications of using unsecured JWTs. Additionally, it mentions how Uniface technology can create and consume JWTs for web applications.
![Or from it’s original text
JSON Web Token (JWT) is a compact claims representation format intended
for space constrained environments such as HTTP Authorization headers and URI
query parameters. JWTs encode claims to be transmitted as a JSON [RFC7159]
object that is used as the payload of a JSON Web Signature (JWS) [JWS]
structure or as the plaintext of a JSON Web Encryption (JWE) [JWE]
structure, enabling the claims to be digitally signed or integrity protected with a
Message Authentication Code (MAC) and/or encrypted. JWTs are always
represented using the JWS Compact Serialization or the JWE Compact
Serialization. The suggested pronunciation of JWT is the same as the English
word "jot".
Original Klingon Text](https://image.slidesharecdn.com/jwtlecture-170921145047/85/Uniface-Lectures-Webinar-Application-Infrastructure-Security-JSON-Web-Tokens-10-320.jpg)
![Or English
JSON Web Token (JWT) is a compact claims representation format intended
for space constrained environments such as HTTP Authorization headers
and URI query parameters. JWTs encode claims to be transmitted as a
JSON [RFC7159] object that is used as the payload of a JSON Web
Signature (JWS) [JWS] structure or as the plaintext of a JSON Web
Encryption (JWE) [JWE] structure, enabling the claims to be digitally signed
or integrity protected with a Message Authentication Code (MAC) and/or
encrypted. JWTs are always represented using the JWS Compact
Serialization or the JWE Compact Serialization. The suggested pronunciation
of JWT is the same as the English word "jot".](https://image.slidesharecdn.com/jwtlecture-170921145047/85/Uniface-Lectures-Webinar-Application-Infrastructure-Security-JSON-Web-Tokens-11-320.jpg)
![Unsecured JWT
An Unsecured
JWT is a JWS using the "alg" Header Parameter value "none" and with
the empty string for its JWS Signature value, as defined in the JWA
specification [JWA]; it is an Unsecured JWS with the JWT Claims Set
as its JWS Payload.
So send me your JWT and I’ll modify
the algorithm to “none” and I can
change anything I want and it will be
ok?](https://image.slidesharecdn.com/jwtlecture-170921145047/85/Uniface-Lectures-Webinar-Application-Infrastructure-Security-JSON-Web-Tokens-18-320.jpg)
Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web Tokens
- 2. Application & Infrastructure Security: JSON Web Tokens Thomas S Shore III Uniface SME
- 3. Agenda The JWT standard Applying JWT to Uniface Uniface technology to support JWT Sample application of JWT And more...
- 4. What’s the problem? Authentication SAML2 – Think single sign on / sign out (NTLM) Oauth – Google, Facebook etc Open ID – 3rd party login system Information Sharing Trusted Not complex Multi-client
- 5. SAML 2 <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs"> <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4J RI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQ QDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcwMDI5MjdaFw0xNTA3MTcwMDI5MjdaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAV BgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7vU/6R/OBA6BKsZH4L2bIQ2cqBO7/aMfPjUPJPSn59d/f0aRqSC58YYrPuQODydUABiCknOn9yV0fEYm4bNvfj roTEd8bDlqo5oAXAUAI8XHPppJNz7pxbhZW0u35q45PJzGM9nCv9bglDQYJLby1ZUdHsSiDIpMbGgf/ZrxqawIDAQABo1AwTjAdBgNVHQ4EFgQU3s2NEpYx7wH6bq7xJFKa46jBDf4wHwYDVR0jBBgwFoAU3s2 NEpYx7wH6bq7xJFKa46jBDf4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQCPsNO2FG+zmk5miXEswAs30E14rBJpe/64FBpM1rPzOleexvMgZlr0/smF3P5TWb7H8Fy5kEiByxMjaQmml/nQx6qg VVzdhaTANpIE1ywEzVJlhdvw4hmRuEKYqTaFMLez0sRL79LUeDxPWw7Mj9FkpRYT+kAGiFomHop1nErV6Q==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/> <samlp:RequestedAuthnContext Comparison="exact"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext> </samlp:AuthnRequest> Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.(WikiPedia)
- 6. OAuth2 Complex Authorization No need to share a password Sharing between sites if required Allows Internet users to grant websites or applications access to their information on other websites but without giving them the passwords
- 7. Open ID Federated Authentication No sharing of data between providers/consumers Allows users to be authenticated by co- operating sites (known as Relying Parties or RP) using a third party service.
- 8. Why should/do you care about this? Web standards Industry standard communication Other technologies expect this! Uniface is web aware and capable There is no “out of the box” statement for this anywhere
- 9. What is JWT JWTs represent a set of claims as a JSON object that is encoded in a JWS and/or JWE structure. https://tools.ietf.org/html/rfc7519
- 10. Or from it’s original text JSON Web Token (JWT) is a compact claims representation format intended for space constrained environments such as HTTP Authorization headers and URI query parameters. JWTs encode claims to be transmitted as a JSON [RFC7159] object that is used as the payload of a JSON Web Signature (JWS) [JWS] structure or as the plaintext of a JSON Web Encryption (JWE) [JWE] structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. JWTs are always represented using the JWS Compact Serialization or the JWE Compact Serialization. The suggested pronunciation of JWT is the same as the English word "jot". Original Klingon Text
- 11. Or English JSON Web Token (JWT) is a compact claims representation format intended for space constrained environments such as HTTP Authorization headers and URI query parameters. JWTs encode claims to be transmitted as a JSON [RFC7159] object that is used as the payload of a JSON Web Signature (JWS) [JWS] structure or as the plaintext of a JSON Web Encryption (JWE) [JWE] structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. JWTs are always represented using the JWS Compact Serialization or the JWE Compact Serialization. The suggested pronunciation of JWT is the same as the English word "jot".
- 12. What’s a Claim (from Dictionary.com) Noun 6. a demand for something as due; an assertion of a right or an alleged right: He made unreasonable claims on the doctor's time. 7. an assertion of something as a fact: He made no claims to originality.
- 13. It’s like a medicine bottle Somewhat tamper- proof Labeled contents Can be traced I know who prescribed it I can see what’s in it I know who filled it I know when it is expired
- 14. How might this work? { "iss" : "CVS/pharmacy", "iat" : 1505908083, "exp" : 1537444083, "aud" : "Patient Name", "sub" : "Happy Pills", "jti" : "RX# 000000", "quantity" : "30" } eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJDVlMvcGhhcm1hY3kiLCJpYXQiOjE1M DU5MDgwODMsImV4cCI6MTUzNzQ0NDA4MywiYXVkIjoiUGF0aWVudCBOYW1lIiwic3ViIjoiSG FwcHkgUGlsbHMiLCJqdGkiOiJSWCMgMDAwMDAwIiwicXVhbnRpdHkiOiIzMCJ9.ogrVq53XPuc 77ffThZnej-DgDIfHEt1bgnsHh9_JZuU
- 15. So what does it look like? Header.Payload.Signature Signature = Encrypted Header.Payload
- 16. Here’s what we have
- 17. JWS – JSON Web Signature { “typ”: “JWT” “alg”:”HS256” } It’s a JSON Web Token (typ) It’s encoded using the HMAC SHA-256 algorithm Security Problem: alg set to none
- 18. Unsecured JWT An Unsecured JWT is a JWS using the "alg" Header Parameter value "none" and with the empty string for its JWS Signature value, as defined in the JWA specification [JWA]; it is an Unsecured JWS with the JWT Claims Set as its JWS Payload. So send me your JWT and I’ll modify the algorithm to “none” and I can change anything I want and it will be ok?
- 19. JWT Claims Set Registered Claim Names Registered with IANA (www.iana.org) o Claim Name: "iss" o Claim Description: Issuer o Change Controller: IESG o Specification Document(s): Section 4.1.1 of RFC 7519 Private Claim Names Must be unique
- 20. Registered Claims Claim Name Description iss Issuer sub Subject aud Audience exp Expiration Date time (Unix epoch) nbf Not before time (Unix epoch) Iat Issued at jti JWT ID The jti (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object. The jti claim can be used to prevent the JWT from being replayed. The jti value is case sensitive. This claim is OPTIONAL.
- 21. Validating a JWT It has at least one period (‘.’) JOSE Header is on the left BASE 64 Encoded without carriage control or whitespace Header.Payload.Signature Signature = Encrypted Header.Payload
- 23. But no Uniface We have all the technology in the product to create and consume JSON Web Tokens 1. JSON creation 2. BASE64 encoding/decoding 3. HMAC_SHA256 Encryption 4. Manipulating Web Headers
- 24. Basic Operation Uniface Web Application Uniface Web ApplicationBrowserBrowser Navigate to Web Application Redirect to JWT Login Page User enters valid username and password Login ComponentLogin Component Security Token Returned Application Checks Token verifying expiration etc Session verified Session Token added etc JWT ComponentJWT Component Request JWT Creation
- 25. Uniface particulars Encode / Decode – BASE64 $encode(BASE64, source) Encode HMAC_SHA256 $encode(HMAC_SHA256, source, security_key)
- 26. Sample Login
- 27. JWT Tester
- 28. DemoTime
- 29. Where is the stuff? It will be placed on GitHub.com/uniface and possibly uniface.info in the community samples area.