Janua’s CTO sharing tips and tricks about OpenID and understanding JWT and signed JWT usage with RedHat SSO Keycloak

1) JWT token representation
JWT token representation is described in RFC 7519
https://tools.ietf.org/html/rfc7519

A JWT token is made up of 3 parts, each of them separated by a dot ".". It is of the form:

  • header.payload.signature

Header and payload are base64url encoded (not encrypted) and can easily be decoded by anyone holding the token, so a JWT must never carry a secret in its claims.

1.1) Header:
consists of the type of the token (typ, normally "JWT") and the signing algorithm being used (alg), such as HMAC with SHA-256 (HS256) or RSA with SHA-256 (RS256). A key identifier (kid) may be added so that the verifier knows which key to use, as in the example below (which omits typ):

{
"alg": "RS256",
"kid": "1e9gdk7"
}

 

1.2) Payload
It contains the claims. Claims are statements about an entity (typically, the user) and additional metadata.

Example (taken from the OpenID Connect Core specification):

{
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970
}

 

1.3) Signature

1.3.1) case of HMAC algorithm – message not tampered with – symmetric algorithm
The signature is used to verify that the message was not changed along the way.

With a shared secret key and an HMAC algorithm, the signature is computed as follows:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Note:
An HMAC signature does not prove who created the token: every party able to verify it holds the same secret and could equally have produced it.
It only indicates that the JWT token has not been tampered with since it was signed (i.e. not compromised in transit).
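The following is an added example, not code from the original article nor from RH-SSO/Keycloak: it mints and checks an HS256 token with the Python standard library only, applying exactly the formula above, and then shows the two sides of the note: a payload changed without the secret is rejected, while anyone who holds the secret to verify can also mint a token (integrity, but no non-repudiation). The secret and the claims are constructed for the example; the verifier pins the algorithm and compares the MAC in constant time, two checks a real implementation must not skip.

```python
# Added example (not from the original article or from RH-SSO/Keycloak):
# minting and checking an HS256 JWT with the Python standard library only,
# to show what an HMAC signature does and does not guarantee (section 1.3.1).
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515, Appendix C)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url_encode stripped
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature exactly as the formula in 1.3.1."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the MAC is valid, otherwise None.

    The expected algorithm is pinned here instead of being read from the
    attacker-controlled header, and the MAC comparison is constant-time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # rejects alg=none and RS256->HS256 key-confusion tokens
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


def swap_payload(token: str, new_claims: dict) -> str:
    """What an attacker WITHOUT the secret can do: change the claims and
    keep the old signature. verify_hs256 must reject the result."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(compact_json(new_claims)) + "." + sig_b64


def demo() -> dict:
    # Constructed sample secret and claims; not taken from any real deployment.
    secret = b"constructed-realm-hmac-secret-for-this-example"
    claims = {"iss": "https://server.example.com", "sub": "248289761001", "role": "user"}
    token = sign_hs256(claims, secret)
    admin_claims = dict(claims, role="admin")
    return {
        "valid": verify_hs256(token, secret) == claims,
        # tampering without the secret is detected ...
        "tampered_rejected": verify_hs256(swap_payload(token, admin_claims), secret) is None,
        "wrong_secret_rejected": verify_hs256(token, b"not-the-secret") is None,
        # ... but any verifier that holds the secret can mint a token that
        # passes: HMAC gives integrity, not non-repudiation.
        "verifier_can_mint": verify_hs256(sign_hs256(admin_claims, secret), secret) == admin_claims,
    }


if __name__ == "__main__":
    print(demo())
```

Every service that must verify such tokens receives the same secret, so every one of them can impersonate the issuer; that is the practical meaning of "no non-repudiation" for a multi-service deployment.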

1.3.2) case of RSA – message not tampered with – non-repudiation – asymmetric algorithm

As the token is signed with the issuer's private key, anyone holding the matching public key can verify that the JWT was issued by the holder of that private key and has not been modified since. Verifiers cannot forge tokens, because they only hold the public key: this is what gives non-repudiation.

Note:
It means that the verifier needs to get hold of the public key (RH-SSO/Keycloak publishes the realm keys under the realm's protocol/openid-connect/certs endpoint).
The algorithm used is much slower than a symmetric algorithm (about 1000 times slower).

2) OpenID Connect

2.1) id_token – JWT format
The OpenID Connect specification defines the id_token, which is delivered in response to an OpenID Connect authentication request.
The id_token format is JWT, which means it is exactly what has been described in the previous section.
It contains claims defined by the OpenID Connect specification (iss, sub, aud, exp, iat, and nonce when one was sent in the request), which the client must validate before trusting the token.

2.2) Using the jwt.io debugger to decode a JWT token

The jwt.io debugger is available at https://jwt.io

It makes it possible to decode an id_token or any other JWT token very quickly, to validate it when the key is supplied, and to get a grasp of its content. Bear in mind that it is a third-party web page: avoid pasting live production tokens into it.

Example:

eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiM2QzZTRlZGItNjk3Yi00MmVmLTk3MjktNjA1MjAxMjJiZWE2In0.eyJqdGkiOiI4MDdhYTM4Ni1kYWE4LTQ5NDQtODE1MC0zMWMwOWUxMjYzMjgiLCJleHAiOjE1MTM0NzczMDQsIm5iZiI6MCwiaWF0IjoxNTEzNDQxMzA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvcmgtcXVpY2tzdGFydCIsInN1YiI6IjIyYzQzNDI5LWI0YmEtNDRmZi1iNTdlLWQxMDk3NzlhMTQ2NyIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjA0M2VkNWM0LTZiOTMtNGMwNi05YWNhLTNlMzczMzFkMTk4YSIsInJlc291cmNlX2FjY2VzcyI6e319.KBY00Bm8kWBOoNKLnkKwWysjFrqrkIFGxjME7FocZvU

HEADER: ALGORITHM & TOKEN TYPE

{
"alg": "HS256",
"kid": "3d3e4edb-697b-42ef-9729-60520122bea6"
}

PAYLOAD: DATA

{
"jti": "807aa386-daa8-4944-8150-31c09e126328",
"exp": 1513477304,
"nbf": 0,
"iat": 1513441304,
"iss": "http://localhost:8180/auth/realms/rh-quickstart",
"sub": "22c43429-b4ba-44ff-b57e-d109779a1467",
"auth_time": 0,
"session_state": "043ed5c4-6b93-4c06-9aca-3e37331d198a",
"resource_access": {}
}

VERIFY SIGNATURE

HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)

The kid in the header identifies the realm key RH-SSO/Keycloak used to sign the token; iss is the realm URL, sub the Keycloak user id, and iat/exp the issue and expiry times as Unix timestamps (this token was valid for 36000 seconds, i.e. 10 hours).

 

Note:
The signature cannot be verified here: the token is signed with HS256, so jwt.io would need the realm's HMAC secret, which is not provided in this example (for an RS256 token it would need the realm's public key or certificate instead).
Hence jwt.io displays the "Invalid Signature" message seen here.
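As an added example, not code from the original article nor from jwt.io, the script below does offline what the debugger does: it splits the token of this section into its three parts (the layout of section 1), base64url-decodes header and payload without any signature check, and then applies the exp/nbf/iat checks a real verifier performs after the signature has been validated. The token is the one quoted above; the realm's HMAC secret is not available, so nothing here can or does validate the signature, and the decoded claims must be treated as untrusted.

```python
# Added example (not from the original article or from jwt.io): decoding the
# article's sample token offline the way the jwt.io debugger does, i.e. WITHOUT
# verifying it, then applying the time-based claims a verifier checks afterwards.
import base64
import json
from datetime import datetime, timezone
from typing import List

# The HS256 token shown in section 2.2 (issued by a local RH-SSO/Keycloak
# realm). Its HMAC secret is not available, so the signature is never checked.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiM2QzZTRlZGItNjk3Yi00MmVmLTk3MjktNjA1MjAxMjJiZWE2In0"
    ".eyJqdGkiOiI4MDdhYTM4Ni1kYWE4LTQ5NDQtODE1MC0zMWMwOWUxMjYzMjgiLCJleHAiOjE1MTM0Nzcz"
    "MDQsIm5iZiI6MCwiaWF0IjoxNTEzNDQxMzA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0"
    "aC9yZWFsbXMvcmgtcXVpY2tzdGFydCIsInN1YiI6IjIyYzQzNDI5LWI0YmEtNDRmZi1iNTdlLWQxMDk3"
    "NzlhMTQ2NyIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjA0M2VkNWM0LTZiOTMtNGMwNi05"
    "YWNhLTNlMzczMzFkMTk4YSIsInJlc291cmNlX2FjY2VzcyI6e319"
    ".KBY00Bm8kWBOoNKLnkKwWysjFrqrkIFGxjME7FocZvU"
)


def b64url_decode(text: str) -> bytes:
    # base64url without padding (RFC 7515): restore the '=' before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> dict:
    """Split header.payload.signature and decode the two JSON parts.

    Nothing here checks the signature, exactly like jwt.io with no key
    entered: the returned claims are untrusted input.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "claims": json.loads(b64url_decode(payload_b64)),
        "signature_bytes": len(b64url_decode(sig_b64)),  # 32 for an HMAC-SHA256 tag
    }


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def check_time_claims(claims: dict, now: int) -> List[str]:
    """exp/nbf/iat checks a verifier applies AFTER the signature check.

    `now` is a Unix timestamp so that results are reproducible.
    """
    problems = []
    if "exp" in claims and now >= claims["exp"]:
        problems.append("expired at " + _iso(claims["exp"]))
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("not valid before " + _iso(claims["nbf"]))
    if "iat" in claims and claims["iat"] > now:
        problems.append("issued in the future")
    return problems


if __name__ == "__main__":
    parts = decode_unverified(SAMPLE_TOKEN)
    print(json.dumps(parts["header"], indent=2))
    print(json.dumps(parts["claims"], indent=2))
    print("lifetime (s):", parts["claims"]["exp"] - parts["claims"]["iat"])
    now = int(datetime.now(tz=timezone.utc).timestamp())
    print("problems now:", check_time_claims(parts["claims"], now))
```

Run today, the script reports the token as expired (exp is 2017-12-17T02:21:44Z); run with a clock set between iat and exp it reports no problem, which is exactly why a decoder that skips the signature must never be mistaken for a verifier.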

3) RH-SSO/Keycloak and JWT tokens

RH-SSO/Keycloak provides the HMAC and RSA algorithms out of the box when dealing with JWT tokens.

HMAC (symmetric algorithm) is quite convenient and handy to use, but does not provide non-repudiation: every service that can verify a token holds the secret and could mint one.

RSA (asymmetric algorithm) does provide non-repudiation, but is a much slower algorithm.
The verifier needs to get hold of the realm's public key certificate to verify the signature, and only the server holding the private key can issue tokens.

It is up to the user to decide which feature is the most critical when dealing with JWT tokens: speed or non-repudiation.

ECC (asymmetric algorithm) is more efficient than RSA but is not yet supported by RH-SSO/Keycloak at the time of writing.
