Différences

Ci-dessous, les différences entre deux révisions de la page.

--- web:javascript:jwt [2020/07/17 15:47] – sgariepy
+++ web:javascript:jwt [2025/03/04 15:00] (Version actuelle) – [Clé privée] sgariepy
@@ Ligne 46: / Ligne 46: @@
 | exp  | Expiration  |
+===== Exemple d'ID Token Cognito =====
+Header:
+<code json>
+{
+  "kid": "S/2sYDHJPpXvQcl8tbKE5A+AESbxu/g6JfQWXH7Jj60=",
+  "alg": "RS256"
+}
+</code>
+Payload
+<code>
+{
+  "sub": "39d769aa-f1a5-4e47-b6e0-a302f819ba82",
+  "aud": "7diiepl30kilf5fhgk1b2jf7c5",
+  "email_verified": true,
+  "event_id": "d1f41e61-5fdd-4815-a333-c5b86ca9c16e",
+  "token_use": "id",
+  "auth_time": 1595250673,
+  "iss": "https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_dWajkYc7s",
+  "cognito:username": "johndoe@gmail.com",
+  "exp": 1595254273,
+  "iat": 1595250673,
+  "email": "johndoe@gmail.com"
+}
+</code>
+====== Packages npm ======
+===== jsonwebtoken =====
+<code>
+npm install jsonwebtoken -S
+npm install @types/jsonwebtoken -D
+</code>
+Import:
+<code javascript>
+import * as jwt from 'jsonwebtoken';
+// ou
+import jwt from 'jsonwebtoken';
+</code>
+Signer:
+<code  javascript>
+const jwtToken = jwt.sign(
+  { userId },
+  this.secretsConfig.jwt,
+  {
+    algorithm: 'HS256',
+    expiresIn: '14d'
+  }
+);
+</code>
+Avec RS256:
+<code  javascript>
+const privateKey = fs.readFileSync('private.key');
+const token = jwt.sign({ foo: 'bar' }, privateKey, { algorithm: 'RS256' });
+</code>
+Vérifier:
+<code  javascript>
+const authHeader = req.header('x-auth-token');
+const token = jwt.verify(
+  authHeader,
+  secret,
+  {
+    algorithms: ['HS256']
+  }
+);
+</code>
+Verify asymetric :
+<code  javascript>
+import jwks from 'jwks-rsa’;
+const client = jwksClient({
+  jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json'
+});
+function getKey(header, callback){
+  client.getSigningKey(header.kid, function(err, key) {
+    var signingKey = key.publicKey || key.rsaPublicKey;
+    callback(null, signingKey);
+  });
+}
+jwt.verify(token, getKey, options, function(err, decoded) {
+  console.log(decoded.foo) // bar
+});
+</code>
+===== jwks-rsa =====
+Importer:
+<code>
+import jwks from 'jwks-rsa’;
+// ou
+import * as jwks from 'jwks-rsa';
+<code>
+<code>
+const jwksClient = jwksClient({
+  cache: true,
+  jwksUri: 'https://appleid.apple.com/auth/keys',
+});
+</code>
 ====== JOSE ======
+  * [[https://github.com/panva/jose/|GitHub]]
+  * [[https://github.com/panva/jose/blob/main/docs/README.md|Documentation]]
 ===== Clé privée =====
@@ Ligne 69: / Ligne 198: @@
 </code>
+==== Simple secret ====
+Si on veut créer un simple secret (qu'on utilise pas JWKS), on peut exécuter:
+<code>
+openssl rand -hex 32
+</code>
+Ajuster la longueur du secret avec le dernier paramètre (ex: 64 versus 32).
@@ Ligne 210: / Ligne 348: @@
 }
 </code>
@@ Ligne 246: / Ligne 375: @@
 ====== Ressources ======
-  * [[https://is.docs.wso2.com/en/5.9.0/learn/validating-jwt-based-on-jwks/|Validating JWT based on JWKS¶]]
+  * [[https://is.docs.wso2.com/en/5.9.0/learn/validating-jwt-based-on-jwks/|Validating JWT based on JWKS]]
+  * [[https://mkjwk.org/| mkjwk - simple JSON Web Key generator]]
+  * [[https://gist.github.com/ygotthilf/baa58da5c3dd1f69fae9|How to generate JWT RS256 key]] (gist)
+  * [[https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html|The Hard Parts of JWT Security Nobody Talks About]]
+  * [[https://auth0.com/blog/navigating-rs256-and-jwks/|Navigating RS256 and JWKS]]
+  * [[https://auth0.com/docs/tokens/references/jwks-properties|JSON Web Key Set Properties]]
+  * [[https://blog.angular-university.io/angular-jwt/|JWT: The Complete Guide to JSON Web Tokens]]