RFC 7519




[15] JWT応用


[8] CBOR 版の CWT もあります。


[1] draft-ietf-oauth-json-web-token-32 - JSON Web Token (JWT) ( 版) https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32

[2] draft-ietf-oauth-jwt-bearer-12 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ( 版) http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12

[3] RFC 7519 - JSON Web Token (JWT) ( 版) https://tools.ietf.org/html/rfc7519

[4] RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants ( 版) https://tools.ietf.org/html/rfc7521

[5] RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ( 版) https://tools.ietf.org/html/rfc7523

[6] RFC 7800 - Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) ( 版) https://tools.ietf.org/html/rfc7800

[7] Volkswagen Infotainment Web Interface protocol definition () https://www.w3.org/Submission/2016/SUBM-viwi-protocol-20161213/

JWT tokens will be sent in the Authorization header, following with term JWT and a space character.

Example that assumes eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds is the actual token:

GET /<service>/<resource> HTTP/1.1


Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds

[9] Stop using JWT for sessions - joepie91's Ramblings ( ()) http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

[10] Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91's Ramblings ( ()) http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/

[11] Mapbox API Documentation () https://www.mapbox.com/api-documentation/#the-token-format

Mapbox uses JSON Web Tokens (JWT) as the token format.

[12] HipChat - API v2 - Webhooks () https://www.hipchat.com/docs/apiv2/webhooks

Webhooks declared by an add-on can optionally receive a JWT authenticating the request. The JWT is sent in the Authorization header and has the same structure as the JWT sent in the signed_request query parameter for configuration pages and other UI elements:

POST /echo HTTP/1.1

Host: addon.example.com

Authorization: JWT eyJhbGciOiAiSFMyNTYiLCAi...

Content-Length: 646

Content-Type: application/json

[13] Bitbucket API () https://developer.atlassian.com/bitbucket/api/2/reference/meta/authentication

5. Bitbucket Cloud JWT Grant (urn:bitbucket:oauth2:jwt)

If your Atlassian Connect add-on uses JWT authentication, you can swap a JWT for an OAuth access token. The resulting access token represents the account for which the add-on is installed.

Make sure you send the JWT token in the Authorization request header using the "JWT" scheme (case sensitive). Note that this custom scheme makes this different from HTTP Basic Auth (and so you cannot use "curl -u").

$ curl -X POST -H "Authorization: JWT {jwt_token}" \

https://bitbucket.org/site/oauth2/access_token \

-d grant_type=urn:bitbucket:oauth2:jwt

[14] Features | Netlify () https://www.netlify.com/features/

With JWT Based Access Control you build sites with any site generator and enable granular role based permissions while delegating authentication and user management to any service that can issue JSON Web Tokens.