Janua's CTO sharing tips and tricks about OpenID Connect: understanding JWT and signed JWT usage with Red Hat SSO / Keycloak
1) JWT token presentation
The JWT token representation is described in RFC 7519.
A JWT is made up of three parts, each separated by a period ("."): the header, the payload and the signature. It is of the form header.payload.signature
Header and payload are only base64url-encoded, not encrypted: anyone holding the token can decode and read them. The signature protects integrity, not confidentiality.
1.1) Header
The header consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA-256 (HS256) or RSA (RS256).
1.2) Payload
The payload contains the claims. Claims are statements about an entity (typically the user) together with additional metadata, such as who issued the token and when it expires.
1.3) Signature
1.3.1) Case of the HMAC algorithm: message integrity, symmetric algorithm
The signature is used to verify that the message was not changed along the way.
With a shared secret key and the HMAC algorithm, the signature is computed as follows:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
An HMAC signature does not prove who created the token: every party able to verify it holds the same secret and could equally well have produced it.
It only indicates that the JWT has not been tampered with (i.e. not compromised).
1.3.2) Case of RSA: message integrity and non-repudiation, asymmetric algorithm
As the token is signed with the issuer's private key, anyone holding the matching public key can verify that the token really comes from the holder of that private key, i.e. that the sender is who it says it is.
It means that the verifier needs to get hold of the issuer's public key.
The algorithm is much slower than a symmetric one: RSA signing is roughly a thousand times slower than computing an HMAC, although RSA signature verification is considerably cheaper than signing.
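To make the two signature schemes concrete, here is an added Go example (not code from the original article or from Keycloak) that builds and verifies HS256 and RS256 tokens with the standard library only. The claims, the shared secret and the generated RSA key are constructed for the example. It shows the points made above: the payload is readable without any key, a modified payload fails verification under either scheme, and with HMAC any holder of the secret can mint a token that nobody can distinguish from the issuer's, whereas an RSA verifier holds only the public key. The verifier also pins the algorithm it expects instead of reading it from the token header.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without "=" padding (RFC 7515)

func encodeSegment(v interface{}) string {
	raw, _ := json.Marshal(v)
	return b64.EncodeToString(raw)
}

// SignHS256 computes HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret).
// It is symmetric: whoever verifies must hold the very same secret.
func SignHS256(claims map[string]interface{}, secret []byte) string {
	input := encodeSegment(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + encodeSegment(claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// SignRS256 is RSASSA-PKCS1-v1_5 over SHA-256 of the same signing input, with a key only the issuer holds.
func SignRS256(claims map[string]interface{}, key *rsa.PrivateKey) string {
	input := encodeSegment(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + encodeSegment(claims)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// Decode reads header and claims with no key at all: a signature gives integrity, not secrecy.
func Decode(token string) (header, claims map[string]interface{}, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, false
	}
	h, errH := b64.DecodeString(parts[0])
	p, errP := b64.DecodeString(parts[1])
	ok = errH == nil && errP == nil && json.Unmarshal(h, &header) == nil && json.Unmarshal(p, &claims) == nil
	return header, claims, ok
}

// split returns signing input and raw signature; the verifier pins the algorithm, the token does not choose it.
func split(token, wantAlg string) (string, []byte, bool) {
	header, _, ok := Decode(token)
	if !ok || header["alg"] != wantAlg {
		return "", nil, false
	}
	i := strings.LastIndexByte(token, '.')
	sig, err := b64.DecodeString(token[i+1:])
	return token[:i], sig, err == nil
}

// VerifyHS256 recomputes the tag and compares it in constant time.
func VerifyHS256(token string, secret []byte) bool {
	input, sig, ok := split(token, "HS256")
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return ok && hmac.Equal(sig, mac.Sum(nil))
}

// VerifyRS256 needs only the public key, so a verifier cannot mint tokens itself.
func VerifyRS256(token string, pub *rsa.PublicKey) bool {
	input, sig, ok := split(token, "RS256")
	digest := sha256.Sum256([]byte(input))
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Tamper edits one claim and keeps the old signature, all an attacker without the key can do.
func Tamper(token, claim string, value interface{}) string {
	parts := strings.Split(token, ".")
	if _, claims, ok := Decode(token); ok {
		claims[claim] = value
		parts[1] = encodeSegment(claims)
	}
	return strings.Join(parts, ".")
}

func NewIssuerKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}

func main() {
	claims, secret, key := map[string]interface{}{"sub": "alice", "role": "user"}, []byte("shared-secret"), NewIssuerKey() // constructed sample
	hs, rs := SignHS256(claims, secret), SignRS256(claims, key)
	fmt.Println("genuine:", VerifyHS256(hs, secret), VerifyRS256(rs, &key.PublicKey))
	fmt.Println("tampered:", VerifyHS256(Tamper(hs, "role", "admin"), secret), VerifyRS256(Tamper(rs, "role", "admin"), &key.PublicKey))
	// No non-repudiation with HMAC: any holder of the secret mints tokens indistinguishable from the issuer's.
	fmt.Println("minted by a verifier:", VerifyHS256(SignHS256(map[string]interface{}{"sub": "mallory"}, secret), secret))
}
```

Run with go run: the genuine tokens verify under both schemes, the tampered ones fail under both, and the token minted by a mere verifier with the shared secret passes HS256 verification, which is exactly the non-repudiation gap of HMAC that RSA closes.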
2) OpenID Connect
2.1) id_token: JWT format
The OpenID Connect spec defines the id_token, which is delivered in response to an OpenID Connect authentication request.
The id_token format is JWT, which means it is exactly what has been described in the previous section.
It contains claims defined by the OpenID Connect specification, in particular the issuer (iss), subject (sub), audience (aud), expiry (exp), issue time (iat) and, when the client sent one, the nonce, all of which the relying party has to validate in addition to the signature.
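As an added example (not from the original article), here are the claim checks an OpenID Connect relying party runs on an id_token once its signature has been verified, written in Go against a constructed payload whose realm URL, client_id and nonce are placeholders. The signature only proves that the provider issued some token; these checks prove it is the token this client asked for, issued to this client, and still valid: iss must match the provider, aud must name the client and any extra audience must be explicitly trusted, azp when present must name this client, exp and iat must be consistent with the current time within a clock tolerance, and the nonce must be the one sent in the authentication request.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SamplePayload is a constructed id_token payload in the shape an OpenID provider
// such as Keycloak returns; the realm URL, client and nonce are placeholders.
const SamplePayload = `{"iss":"https://sso.example.com/auth/realms/demo","sub":"alice","aud":"my-client",
"azp":"my-client","exp":1700000300,"iat":1700000000,"auth_time":1699999990,
"nonce":"n-0S6_WzA2Mj","preferred_username":"alice"}`

// ParseClaims decodes a JWT payload into the generic claim map the checks below
// operate on; encoding/json delivers every JSON number as float64.
func ParseClaims(payloadJSON string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	err := json.Unmarshal([]byte(payloadJSON), &claims)
	return claims, err
}

// IDTokenChecks is what the relying party knows before it sees the token: the issuer
// URL from the provider metadata, its own client_id, other audiences it trusts, the
// nonce it sent in the authentication request, and the clock skew it tolerates.
type IDTokenChecks struct {
	Issuer, ClientID, Nonce string
	TrustedAud              []string
	Skew                    time.Duration
}

// ValidateIDTokenClaims applies the OIDC Core ID token validation rules to a payload
// whose signature has already been verified.
func ValidateIDTokenClaims(claims map[string]interface{}, want IDTokenChecks, now time.Time) error {
	if claims["iss"] != want.Issuer {
		return fmt.Errorf("iss %v is not the expected issuer %q", claims["iss"], want.Issuer)
	}
	aud := audiences(claims["aud"])
	if !contains(aud, want.ClientID) {
		return errors.New("aud does not include this client: token meant for someone else")
	}
	for _, a := range aud {
		if a != want.ClientID && !contains(want.TrustedAud, a) {
			return fmt.Errorf("untrusted additional audience %q", a)
		}
	}
	// azp is the party the token was issued to; when present it must be this client.
	if azp, present := claims["azp"]; present && azp != want.ClientID {
		return errors.New("azp names another client")
	}
	exp, ok := numericDate(claims["exp"])
	if !ok || !now.Before(exp.Add(want.Skew)) {
		return errors.New("exp missing or in the past: token expired")
	}
	if iat, ok := numericDate(claims["iat"]); !ok || iat.After(now.Add(want.Skew)) {
		return errors.New("iat missing or in the future")
	}
	if want.Nonce != "" && claims["nonce"] != want.Nonce {
		return errors.New("nonce mismatch: not the token this login requested (replay?)")
	}
	return nil
}

// audiences normalises "aud", which may be a string or an array of strings, to []string.
func audiences(v interface{}) []string {
	switch a := v.(type) {
	case string:
		return []string{a}
	case []interface{}:
		out := make([]string, 0, len(a))
		for _, x := range a {
			if s, ok := x.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// numericDate converts a JWT NumericDate (seconds since the epoch) to time.Time.
func numericDate(v interface{}) (time.Time, bool) {
	switch n := v.(type) {
	case float64: // what encoding/json produces for a JSON number
		return time.Unix(int64(n), 0), true
	case int64:
		return time.Unix(n, 0), true
	}
	return time.Time{}, false
}

func main() {
	claims, _ := ParseClaims(SamplePayload)
	want := IDTokenChecks{Issuer: "https://sso.example.com/auth/realms/demo", ClientID: "my-client", Nonce: "n-0S6_WzA2Mj", Skew: 30 * time.Second}
	fmt.Println("at 1700000100:", ValidateIDTokenClaims(claims, want, time.Unix(1700000100, 0)))
	fmt.Println("at 1700000400:", ValidateIDTokenClaims(claims, want, time.Unix(1700000400, 0)))
	want.ClientID = "other-client"
	fmt.Println("as other-client:", ValidateIDTokenClaims(claims, want, time.Unix(1700000100, 0)))
}
```

The first call returns nil (the token is valid for my-client at that instant); the second fails on exp; the third fails because aud names a different client. Rejecting unknown extra audiences by default is the strict reading of the spec; a client that legitimately shares tokens with another audience lists it in TrustedAud.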
2.2) Using the jwt.io debugger to decode a JWT
The jwt.io debugger is available at http://jwt.io
It makes it possible to decode an id_token or any other JWT very quickly, to check its signature, and to get a grasp of its content.
The debugger displays the three parts side by side: the header (algorithm and token type), the payload (the claims), and the signature, computed over base64UrlEncode(header) + "." + base64UrlEncode(payload). In the signature pane, a public key or certificate is entered in plain text only to verify a token, and a private key only to generate a new one; the site states that keys never leave the browser. Still, a real token is a bearer credential whose payload may carry personal data, so only test tokens belong in such a tool, and a production private key never does.
The signature cannot be verified here because the public key matching the private key that signed the token has not been provided in this example, hence the error message the debugger displays.
3) RH-SSO/Keycloak and JWT tokens
RH-SSO/Keycloak supports the HMAC and RSA algorithms out of the box for signing JWT tokens.
HMAC (symmetric algorithm) is quite convenient and handy to use, but does not provide non-repudiation.
RSA (asymmetric algorithm) does provide non-repudiation, but is a much slower algorithm.
The verifier needs to get hold of the realm's public key or certificate to check the signature; Keycloak publishes the realm keys at the OpenID Connect certs endpoint (the jwks_uri of the realm's discovery document), so they can be fetched rather than copied by hand.
It is up to the user to decide which feature is the most critical when dealing with JWT tokens: speed or non-repudiation.
ECC (asymmetric algorithm, e.g. ECDSA) is more efficient than RSA but was not yet supported by RH-SSO/Keycloak at the time of writing.
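Getting hold of the public key in practice means fetching the realm's JWKS document and selecting the key named by the token's kid header, since a realm may hold several keys across rotations. The added Go example below (neither Keycloak code nor the article's) does that offline: the provider side generates a key, publishes it in JWKS form and issues an RS256 token, and the verifier side parses the JWKS, selects the key by kid, checks the signature and returns the claims for the claim checks described in section 2. Key identifiers, claims and the key itself are constructed for the example; in a deployment the JWKS document is fetched from the realm's certs endpoint and cached.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without "=" padding

// JWK is the part of an RSA JSON Web Key (RFC 7517) RS256 verification needs: "n" and "e"
// are base64url big-endian integers, "kid" names the key; a JWKS document is {"keys":[...]}.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// VerifyRS256WithJWKS checks a token against the provider's published keys: it
// selects the key whose kid matches the token header, verifies the RS256 signature
// and returns the claims. The claim checks (iss, aud, exp, nonce) follow this step.
func VerifyRS256WithJWKS(token string, jwksJSON []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	hb, errH := b64.DecodeString(parts[0])
	var header struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if len(parts) != 3 || errH != nil || json.Unmarshal(hb, &header) != nil {
		return nil, errors.New("malformed token")
	}
	if header.Alg != "RS256" { // pin the algorithm; never let the token pick it
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	var jwks struct{ Keys []JWK }
	if err := json.Unmarshal(jwksJSON, &jwks); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == header.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, errS := b64.DecodeString(parts[2])
	if pub == nil || errS != nil {
		return nil, fmt.Errorf("no usable RSA key with kid %q in the JWKS", header.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	pb, errP := b64.DecodeString(parts[1])
	var claims map[string]interface{}
	if errP != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	return claims, nil
}

// NewProviderKey, PublishJWKS and IssueRS256 play the provider so the example runs offline.
func NewProviderKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}

// PublishJWKS renders a public key the way the provider's certs endpoint serves it.
func PublishJWKS(pub *rsa.PublicKey, kid string) []byte {
	e := big.NewInt(int64(pub.E)).Bytes()
	doc, _ := json.Marshal(map[string][]JWK{"keys": {{Kid: kid, Kty: "RSA", N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}})
	return doc
}

// IssueRS256 signs claims with the provider key and names that key in the header.
func IssueRS256(key *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	key, rotated := NewProviderKey(), NewProviderKey()
	jwks := PublishJWKS(&key.PublicKey, "key-2018") // constructed kid; what the certs endpoint would return
	_, err := VerifyRS256WithJWKS(IssueRS256(key, "key-2018", map[string]interface{}{"sub": "alice"}), jwks)
	fmt.Println("signed with a published key:", err)
	_, err = VerifyRS256WithJWKS(IssueRS256(rotated, "key-2019", map[string]interface{}{"sub": "alice"}), jwks)
	fmt.Println("signed with a key the JWKS does not carry:", err)
}
```

The second call fails with "no usable RSA key": after a key rotation, a token signed with the new key cannot be verified against a stale cached JWKS, which is why a relying party should refresh the document when it meets an unknown kid rather than treat every such token as forged.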
Specialised in IAM (security, access control, identity management) and Open Source integration, and founded in 2004 by an IAM industry veteran, JANUA offers high value-added products and services to businesses and governments concerned with identity management and Open Source components.
JANUA helps its customers provide better security, build relationships, and enable new cloud, mobile and IoT offerings from any device or connected thing.
Latest articles by Olivier Rivat
- Using Eclipse to debug Keycloak SPIs - 21 November 2018
- Keycloak SPI adding a custom event listener module - 16 November 2018
- Architectural principles with Keycloak-Redhat SSO - 10 July 2018