© 2016 ForgeRock. All rights reserved.
Authorization Using JWTs
Simon Moffatt
Principal Engineer @ ForgeRock
@SimonMoffatt
http://www.simonmoffatt.com
Blogger @ http://www.theidentitycookbook.com

Contents
- Introduction to JWT
- Claims in OIDC id_token
- 3rd Party Authorization
- Future Use Cases

Introduction to JWT – Part 1
- Integrate – but with caution
- Correlate to known data

“JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.” - RFC 7519 - https://tools.ietf.org/html/rfc7519

- Self contained
- Signed and/or encrypted
- JSON formatted
- Lots of implementation libs
- Lightweight

Introduction to JWT – Part 2

A JWT in its compact serialisation is three base64url-encoded segments separated by dots: header.payload.signature. The header says how the token is protected, the payload carries the claims, and the signature (here an HMAC-SHA256 over the two encoded segments before it, keyed with a secret shared between issuer and verifier) is what lets a recipient check integrity locally, without calling back to the issuer.

Header:
{"typ":"JWT","alg":"HS256"}

Payload:
{"expiryTime":1468841739858,"UserId":"smoff","AuthLevel":"0","Locale":"en_GB","HostName":"127.0.0.1", ...}

Signature:
fvD2FTo57RZp7MdoH7vyVBmS_533TXriKNibawEf9SY

Two things to keep in mind when integrating: the payload is only base64url-encoded, not hidden, so anyone holding the token can read every claim unless the JWT is also encrypted (JWE); and the verifier should decide for itself which algorithm it accepts rather than take it from the token's alg header.
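The structure above, as an added example that is not part of the original slides or of any ForgeRock code: it builds the three-segment token from the slide's payload with HS256, then verifies it the way a cautious consumer should, pinning the accepted algorithm before touching any cryptography, recomputing the MAC over the exact bytes received, and checking expiry. The shared secret and the forged alg none token are constructed here; the claim values are the ones shown on the slide.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Shared HMAC secret. Constructed for this example; in practice it comes from
# a key store shared only between the issuer and its verifiers.
SECRET = b"example-shared-secret-do-not-use-in-production"

# The verifier pins the algorithm. The token's own "alg" header is untrusted
# input and is only checked for agreement with this value.
EXPECTED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, secret: bytes) -> str:
    """Return header.payload.signature signed with HMAC-SHA256 (HS256)."""
    def compact(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"typ": "JWT", "alg": "HS256"}) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> tuple:
    """Split the compact serialisation into (header, claims, signature bytes).

    Nothing returned here is trusted yet; anyone can produce these segments.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    return header, claims, b64url_decode(parts[2])


def verify_jwt(token: str, secret: bytes, now_ms: int | None = None) -> dict:
    """Return the claims if the token is authentic and unexpired; raise ValueError otherwise.

    Order matters: the pinned algorithm is checked before any cryptography, so a
    header claiming "none" or another algorithm never reaches the MAC step; then
    the MAC is recomputed over the exact bytes received; then expiry.
    """
    header, claims, sig = decode_unverified(token)
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("invalid signature")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    # The slide's token carries a custom "expiryTime" in epoch milliseconds;
    # the RFC 7519 registered claim is "exp" in epoch seconds. Honour both.
    if "expiryTime" in claims and now_ms >= claims["expiryTime"]:
        raise ValueError("token expired")
    if "exp" in claims and now_ms >= claims["exp"] * 1000:
        raise ValueError("token expired")
    return claims


def verdict(token: str, secret: bytes, now_ms: int | None = None) -> str:
    """Verification outcome as a string: "valid" or the rejection reason."""
    try:
        verify_jwt(token, secret, now_ms)
        return "valid"
    except ValueError as err:
        return str(err)


def forge_alg_none(token: str) -> str:
    """Rewrite a token's header to alg "none" and drop the signature.

    A verifier that trusts the header would accept this; ours rejects it.
    """
    _, payload_b64, _ = token.split(".")
    return b64url_encode(b'{"typ":"JWT","alg":"none"}') + "." + payload_b64 + "."


if __name__ == "__main__":
    # Payload from the slide.
    claims = {"expiryTime": 1468841739858, "UserId": "smoff", "AuthLevel": "0",
              "Locale": "en_GB", "HostName": "127.0.0.1"}
    token = encode_jwt(claims, SECRET)
    print(token)
    print(verdict(token, SECRET, now_ms=1468841739000))           # valid
    print(verdict(token, SECRET))                                  # token expired
    print(verdict(forge_alg_none(token), SECRET, 1468841739000))   # unexpected alg
```

Because HS256 is a MAC, every party that can verify the token also holds the key needed to mint one, which is fine between an issuer and its own services but is the reason asymmetric algorithms such as RS256 are preferred when a token must be verified by a separate operational domain.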

What’s the problem we are trying to solve?

“Stateful” - server side logic and verification
- Traditional authorization landscape
- Scale limitations
- Analogy: a payment card
  - Card is granted to an individual
  - Association and verification completed by the issuer
  - Card presented to a shop to purchase
  - Shop communicates with the issuer to verify funds, association etc.

“Stateless” - client side logic
- Analogy: cash
  - Cash is initially granted to an individual
  - Needs to be kept safe as there is no secondary factor – a bearer token!
  - Can be exchanged without going back to the bank – just verify the note locally
- Modern mesh based interactions
- Offline verification
- Scalable

The cash analogy carries a warning as well as a benefit: a JWT is accepted from whoever presents it, so it has to travel over TLS, stay out of logs and URLs, and expire quickly, because a verifier that never calls home cannot be told the token was stolen.

Example with OpenID Connect

(Sequence diagram of the OpenID Connect flow. The slide's annotations on it read: “Can be a JWT”, “Can also be a JWT...”, and “Can overload JWT in order to negate steps 8 & 9...”.)

In OpenID Connect the id_token is always a JWT, and the access token may be one as well. Overloading the id_token with the claims the relying party needs lets it read them straight out of the token, so the later steps of the flow that would otherwise retrieve them are not needed.

Computery Demo Stuff
Based on http://www.theidentitycookbook.com/2015/12/scripted-openid-connect-claims-and.html

Example with OpenID Connect - config
(screenshot of the provider configuration)

Example with OpenID Connect – getting the tokens
(screenshot of the token request and response)

Example with OpenID Connect – id_token introspection
(Screenshot of the decoded id_token; the slide groups the claims by the scope that released them: extended profile scope, profile scope, email scope, entitlements scope.)
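The scope-to-claims mapping the introspection slide shows, as an added example that is not from the original slides or from ForgeRock's scripted claims plugin: the provider side assembles the id_token payload from the granted scopes only, so attributes outside the allow-list never leave the identity store, and the relying-party side performs the issuer, audience, expiry and nonce checks OpenID Connect Core requires before it reads the overloaded claims locally. The scope table, the "entitlements" claim name and the user record are assumptions constructed for the example; signature verification is assumed to have happened already.

```python
from __future__ import annotations

import time

# Scope -> claims that scope releases. The grouping mirrors the introspection
# slide (profile, email and a custom entitlements scope); the claim names are
# standard OIDC ones plus an assumed "entitlements" claim, not ForgeRock's
# actual configuration.
SCOPE_CLAIMS = {
    "profile": ("name", "given_name", "family_name", "locale"),
    "email": ("email", "email_verified"),
    "entitlements": ("entitlements",),
}

# Constructed identity-store record. "password_hash" is there to show that only
# allow-listed attributes ever reach a token.
USERS = {
    "smoff": {
        "name": "Sample User",
        "given_name": "Sample",
        "family_name": "User",
        "locale": "en_GB",
        "email": "smoff@example.com",
        "email_verified": True,
        "entitlements": ["orders:read", "orders:write"],
        "password_hash": "$2b$12$constructed",
    }
}


def build_id_token_claims(user_id: str, issuer: str, client_id: str,
                          granted_scopes, nonce: str | None,
                          now: int | None = None, lifetime: int = 600) -> dict:
    """Provider side: assemble the id_token payload for an authenticated user.

    Registered claims first; then each granted scope contributes only the
    attributes mapped to it, so a client that asked for "openid email" never
    sees profile or entitlement data, and unknown scopes contribute nothing.
    """
    user = USERS[user_id]
    now = int(time.time()) if now is None else now
    claims = {
        "iss": issuer,
        "sub": user_id,
        "aud": client_id,
        "iat": now,
        "exp": now + lifetime,
    }
    if nonce is not None:
        claims["nonce"] = nonce
    for scope in granted_scopes:
        for name in SCOPE_CLAIMS.get(scope, ()):
            if name in user:
                claims[name] = user[name]
    return claims


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             nonce: str | None, now: int | None = None) -> list:
    """Relying-party side: the claim checks OIDC Core requires of an id_token.

    Assumes the signature has already been verified. Returns the names of the
    failed checks (an empty list means the token is acceptable); the relying
    party can then read the scope-released claims straight from the token
    instead of asking the provider for them.
    """
    now = int(time.time()) if now is None else now
    failures = []
    if claims.get("iss") != issuer:
        failures.append("iss")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        failures.append("aud")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        failures.append("exp")
    if nonce is not None and claims.get("nonce") != nonce:
        failures.append("nonce")
    return failures


if __name__ == "__main__":
    issued = build_id_token_claims("smoff", "https://op.example", "client-1",
                                   ["openid", "profile", "email"], "n-42",
                                   now=1_468_841_000)
    print(issued)
    print(validate_id_token_claims(issued, "https://op.example", "client-1",
                                   "n-42", now=1_468_841_100))
```

The nonce check is what ties the token to the relying party's own authentication request; a relying party that accepts id_tokens without it can be fed a token captured from a different session.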

Example with 3rd Party Authorization
- Leverage a token generated by a 3rd party / separate operational domain
- Have resources protected via a centralised Policy Decision Point
- Contact the Policy Decision Point before granting access
- Just-in-Time authorization – no up-front user knowledge is needed, just a metadata exchange

“Like posting a tweet using your Facebook account without having a Twitter profile!”

Computery Demo Stuff
Based on http://www.theidentitycookbook.com/2016/05/federated-authorization-using-3rd-party.html

Example with 3rd Party Authorization - config
(screenshot of the policy and trust configuration)

Example with 3rd Party Authorization – get the JWT
(Screenshot of the issued JWT; the slide labels the parts of it the Policy Decision Point relies on: Trust, Correct Use, User Meta Data.)

Example with 3rd Party Authorization – response
(Screenshot of the two outcomes: Access Granted, or Invalid Signature / Untrusted IDP.)
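The decision the two demo slides above show, as an added example that is not from the original slides or from ForgeRock's policy engine: a Policy Decision Point that accepts a JWT from another operational domain and works through the slide's three labels in order, Trust (was it minted by an issuer we know, under that issuer's key), Correct Use (is it addressed to this PDP and still valid) and User Meta Data (do the claims satisfy the policy for the requested resource), returning either "Access Granted" or the reason for denial, with untrusted issuers and bad signatures reported as the single "Invalid Signature / Untrusted IDP" outcome the slide shows. The issuer registry, keys, audience, policy rules and the minted tokens are all constructed for the example; HS256 keys per issuer stand in for the asymmetric keys a real federation would publish.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Trust store: issuer -> key shared with that issuer. Constructed for this
# example; each entry is a separate operational domain whose tokens the Policy
# Decision Point (PDP) is willing to accept.
TRUSTED_ISSUERS = {
    "https://idp-a.example": b"key-shared-with-idp-a",
    "https://idp-b.example": b"key-shared-with-idp-b",
}

# Tokens must be minted for this PDP; a genuine token for another audience is
# still refused.
PDP_AUDIENCE = "https://pdp.example"

# Policy: resource -> {claim: allowed values}. Constructed; stands in for the
# rules a centralised PDP would hold. Decisions use only the user metadata
# carried in the token, so the PDP needs no local profile for the user.
POLICY = {
    "/orders": {"department": {"sales", "finance"}},
    "/payroll": {"department": {"finance"}, "clearance": {"high"}},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(issuer: str, key: bytes, claims: dict) -> str:
    """Issue an HS256 JWT on behalf of an identity provider (test input only)."""
    def enc(obj) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"typ": "JWT", "alg": "HS256"}) + "." + enc({"iss": issuer, **claims})
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def authorize(token: str, resource: str, now: int) -> str:
    """PDP decision for a third-party token: "Access Granted" or the denial reason."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return "Denied: malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "Denied: malformed token"

    # Trust. "iss" is read from the still-unverified payload purely to choose
    # which key to try; an unknown issuer, a header naming another algorithm,
    # or a MAC that fails under that issuer's key are all the same outcome.
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None or header.get("alg") != "HS256":
        return "Denied: invalid signature / untrusted IDP"
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "Denied: invalid signature / untrusted IDP"

    # Correct use: meant for this PDP, and not yet expired.
    if claims.get("aud") != PDP_AUDIENCE:
        return "Denied: wrong audience"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return "Denied: token expired"

    # User metadata: every rule for the resource must match a claim value.
    rules = POLICY.get(resource)
    if rules is None:
        return "Denied: no policy for resource"
    for claim, allowed in rules.items():
        if claims.get(claim) not in allowed:
            return f"Denied: {claim} not permitted"
    return "Access Granted"


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint("https://idp-a.example", TRUSTED_ISSUERS["https://idp-a.example"],
               {"sub": "alice", "aud": PDP_AUDIENCE, "exp": now + 300, "department": "sales"})
    print(authorize(tok, "/orders", now))    # Access Granted
    print(authorize(tok, "/payroll", now))   # Denied: department not permitted
```

Reading the issuer out of the unverified payload is safe only because it selects a key and nothing more; the signature check under that key is what turns the issuer claim into something the policy may rely on. A PDP that instead let the token name its own key (for example via an arbitrary jku or x5u header) would be trusting the presenter to vouch for themselves.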

Future use cases...

The very immediate future will see an increased number of devices, APIs, services and interactions that will need authX functions applying to them. (Diagram: API, Device, User.)

UC#1 – Hyper scale authorization for millions of users requesting authX from any autonomous identity service
UC#2 – A protected application or service wants to allow access to a user or other service, but is often “offline” and can’t communicate with a central PDP
UC#3 – A PIN & paired internet connected washing machine wants to communicate with a smart meter, which in turn wants to communicate with the water boiler – all from different operational domains and highly federated
Thank You