Oauth2 study - rlaich/avctrec GitHub Wiki
This wiki page log Abstract of Oauth2.0/JWT
Oauth 2.0 Protocol Flow
Reference RFC-6749 section 1.2
The key item of Oauth 2.0 is Access Token, JWT is the well known solution of access token.
JSON Web Token (JWT)
Abstract
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
Format
JWT is composed by 3 parts, divide by ".". Each part is a base64url string format. JWT is used in WEB/REST request Authorization header, value started by "Bearer"
- Header.Payload.Signature
- "Authorization" : "Bearer JWT"
- Header and Pyaload in JSON
JWT Header (JOSE Header)
{
"alg":"RS256",
"typ":"JWT“
}
JWT payload (JWT Claims Set)
{
"iss": "https://contoso.org/services/oauth2",
"sub": "Oauth_user",
"aud": "913232B78A9411E78085BA0EE82E0216",
"scope": "Redfish.Role.Administrator“,
"exp": 1686834000,
"nbf": 1686834000,
"iat": 1686834000,
"jti": "97d52311-5f55-4482-b947-8a70c326fdfd"
}
Generate JWT flow prototype (RS256) on Linux
1. to generate a key pair by the below command
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 10000 -nodes
2. To generate the JWT token
# the below command is used to generate a base64URL string
#echo -n "Some_data_to_be_converted" | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'
HEADER=`echo -n '{"alg":"RS256","typ":"JWT"}' | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'`
PAYLOAD=`echo -n '{"sub":"1234567890","name":"John Doe","admin":true,"iat":1516239022}' | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'`
echo $HEADER.$PAYLOAD > tmp_data
openssl dgst -binary -sha256 -sign key.pem -out sign.sha256 tmp_data
SIGN=`cat sign.sha256 | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'`
echo $SIGN
cat tmp_data > jwt.b64
echo -n "." >> jwt.b64
echo -n $SIGN >> jwt.b64
3. validate the signature
# to extract the public key from the certificate
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
# to verify the signature
openssl dgst -sha256 -verify pubkey.pem -signature sign.sha256 tmp_data
JSON Web Key (JWK)
Abstract
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.
Example (ES512)
{
"crv": "P-521",
"x": "Wh6LzU2hK5uc4lohpxoIjrz1JVMMtOZgw2RugMB9yX0XnyzlLfX1rqUCFUGtP5J0yGNgYpiLH0vrKXFLBeYP4Vo",
"y": "3hR5K7zX9V-r_PB_11V6VDfrjHoleS7rFiROpp77rbdcZpkj4vWG3NWzmnKnie0dvDzP0rJSlAa2qwG2iTqDcMU",
"kty": "EC",
"kid": "_Vyl0IIm9wVZZa01k8_IehJ7OITwGdg71s335EiXvyM"
}
Work test note
- Schema : AccountService.v1_10_0.json
- Mode :
- Schema defined : Discover mode/Offline mode
- Test target :Offline mode
- Implemented properties
- Mode :
{..."OAuth2": {
"ServiceEnabled": true,
"OAuth2Service": {
"Issuer": "",
"OAuthServiceSigningKeys": "eyJrZXlzIjogW3siY3J2IjogIlAtNTIxIiwgIngiOiAiV2g2THpVMmhLNXVjNGxvaHB4b0lqcnoxSlZNTXRPWmd3MlJ1Z01COXlYMFhueXpsTGZYMXJxVUNGVUd0UDVKMHlHTmdZcGlMSDB2cktYRkxCZVlQNFZvIiwgInkiOiAiM2hSNUs3elg5Vi1yX1BCXzExVjZWRGZyakhvbGVTN3JGaVJPcHA3N3JiZGNacGtqNHZXRzNOV3ptbktuaWUwZHZEelAwckpTbEFhMnF3RzJpVHFEY01VIiwgImt0eSI6ICJFQyIsICJraWQiOiAiX1Z5bDBJSW05d1ZaWmEwMWs4X0llaEo3T0lUd0dkZzcxczMzNUVpWHZ5TSJ9XX0=",
"Audience": [
"83993184C29B4E7E9E609A5C5F5E0850"
],
"Mode": "Offline"
}
},...}
-
Supported JWT algorithm
- RS256/RS384/RS512
- RSA signature algorithm with SHA-256/SHA-384/SHA-512 hash algorithm
- ES256/ES384/ES512
- ECDSA signature algorithms with SHA-256/SHA-384/SHA-512 hash algorithm
- ECDSA algorithm for each hash algorithm
- prime256v1/secp384r1/secp521r1
- ECDSA algorithm for each hash algorithm
- ECDSA signature algorithms with SHA-256/SHA-384/SHA-512 hash algorithm
- RS256/RS384/RS512
-
Generate key pair for ES256/ES384/ES512
ES256
openssl ecparam -name prime256v1 -genkey -noout -out eckey.pem
openssl pkcs8 -topk8 -nocrypt -in eckey.pem -out key.pem
openssl ec -in key.pem -pubout > pubkey.pem
ES384
openssl ecparam -name secp384r1 -genkey -noout -out eckey.pem
openssl pkcs8 -topk8 -nocrypt -in eckey.pem -out key.pem
openssl ec -in key.pem -pubout > pubkey.pem
ES512
openssl ecparam -name secp521r1 -genkey -noout -out eckey.pem
openssl pkcs8 -topk8 -nocrypt -in eckey.pem -out key.pem
openssl ec -in key.pem -pubout > pubkey.pem
- Test scope
- Test implemented property in AccountService resource.
- Property value, PATCH property
- Test JWT with Administrator(Role/Privilege) of each supported algorithm can access REST.
- Test JWT with assign different Role, test JWT access REST behavior match Role.
- Test JWT with assign different Privilege, test JWT access REST behavior match Role.
- Test Payload claims
- Required claims : iss, sub, aud, scope
- Optional claims : exp, nbf, iat, jti
- Test implemented property in AccountService resource.