仕様書

構文

[28] JWT は、 . 区切りの部分part群で構成されます。 >>22

[29] 部分数は、 JWT簡潔直列化JWE簡潔直列化のいずれであるかによって異なります。 >>22

データモデル

[23] JSON Web Token (JWT) は、 主張群の集合JWS または JWE として符号化された JSONオブジェクト (JWT主張群集合 >>27) として表現する文字列であって、 主張群のデジタル署名MAC 適用、及び/又は暗号化を実現するものです。 >>22

[24] JWT

[25] 被入れ子JWTNested JWTは、 入れ子署名及び/又は暗号化実施employされて含まれている JWT です。被入れ子JWTにあっては JWT囲んでいるenclosing JWSJWE の構造のそれぞれ荷重平文値として使われます。 >>22

[26] 非保安済JWTUnsecured JWTは、 主張一貫性保護や暗号化をなされていない JWT です。 >>22

MIME型

[19] +jwt 構造化構文接尾辞

文脈

[15] JWT応用

関連

[8] CBOR 版の CWT もあります。

歴史

[1] draft-ietf-oauth-json-web-token-32 - JSON Web Token (JWT) ( 版) https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32

[2] draft-ietf-oauth-jwt-bearer-12 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ( 版) http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12

[3] RFC 7519 - JSON Web Token (JWT) ( 版) https://tools.ietf.org/html/rfc7519

[4] RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants ( 版) https://tools.ietf.org/html/rfc7521

[5] RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ( 版) https://tools.ietf.org/html/rfc7523

[6] RFC 7800 - Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) ( 版) https://tools.ietf.org/html/rfc7800

[7] Volkswagen Infotainment Web Interface protocol definition () https://www.w3.org/Submission/2016/SUBM-viwi-protocol-20161213/

JWT tokens will be sent in the Authorization header, following with term JWT and a space character.

Example that assumes eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds is the actual token:

GET /<service>/<resource> HTTP/1.1

Host: 127.0.0.1:1337

Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds

[9] Stop using JWT for sessions - joepie91's Ramblings ( ()) http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

[10] Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91's Ramblings ( ()) http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/

[11] Mapbox API Documentation () https://www.mapbox.com/api-documentation/#the-token-format

Mapbox uses JSON Web Tokens (JWT) as the token format.

[12] HipChat - API v2 - Webhooks () https://www.hipchat.com/docs/apiv2/webhooks

Webhooks declared by an add-on can optionally receive a JWT authenticating the request. The JWT is sent in the Authorization header and has the same structure as the JWT sent in the signed_request query parameter for configuration pages and other UI elements:

POST /echo HTTP/1.1

Host: addon.example.com

Authorization: JWT eyJhbGciOiAiSFMyNTYiLCAi...

Content-Length: 646

Content-Type: application/json

[13] Bitbucket API () https://developer.atlassian.com/bitbucket/api/2/reference/meta/authentication

5. Bitbucket Cloud JWT Grant (urn:bitbucket:oauth2:jwt)

If your Atlassian Connect add-on uses JWT authentication, you can swap a JWT for an OAuth access token. The resulting access token represents the account for which the add-on is installed.

Make sure you send the JWT token in the Authorization request header using the "JWT" scheme (case sensitive). Note that this custom scheme makes this different from HTTP Basic Auth (and so you cannot use "curl -u").

$ curl -X POST -H "Authorization: JWT {jwt_token}" \

https://bitbucket.org/site/oauth2/access_token \

-d grant_type=urn:bitbucket:oauth2:jwt

[14] Features | Netlify () https://www.netlify.com/features/

With JWT Based Access Control you build sites with any site generator and enable granular role based permissions while delegating authentication and user management to any service that can issue JSON Web Tokens.