[28]
JWT
は、
.
区切りの部分群で構成されます。
>>22
[23] JSON Web Token (JWT) は、 主張群の集合を JWS または JWE として符号化された JSONオブジェクト (JWT主張群集合 >>27) として表現する文字列であって、 主張群のデジタル署名、 MAC 適用、及び/又は暗号化を実現するものです。 >>22
[25] 被入れ子JWTは、 入れ子に署名及び/又は暗号化が実施されて含まれている JWT です。被入れ子JWTにあっては JWT は囲んでいる JWS や JWE の構造のそれぞれ荷重や平文値として使われます。 >>22
[1] draft-ietf-oauth-json-web-token-32 - JSON Web Token (JWT) ( 版) https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
[2] draft-ietf-oauth-jwt-bearer-12 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ( 版) http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12
[3] RFC 7519 - JSON Web Token (JWT) ( 版) https://tools.ietf.org/html/rfc7519
[4] RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants ( 版) https://tools.ietf.org/html/rfc7521
[5] RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants ( 版) https://tools.ietf.org/html/rfc7523
[6] RFC 7800 - Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) ( 版) https://tools.ietf.org/html/rfc7800
JWT tokens will be sent in the Authorization header, following with term JWT and a space character.
Example that assumes eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds is the actual token:
GET /<service>/<resource> HTTP/1.1
Host: 127.0.0.1:1337
Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.xuEv8qrfXu424LZk8bVgr9MQJUIrp1rHcPyZw_KSsds
[9] Stop using JWT for sessions - joepie91's Ramblings ( ()) http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
[10] Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91's Ramblings ( ()) http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/
Mapbox uses JSON Web Tokens (JWT) as the token format.
Webhooks declared by an add-on can optionally receive a JWT authenticating the request. The JWT is sent in the Authorization header and has the same structure as the JWT sent in the signed_request query parameter for configuration pages and other UI elements:
POST /echo HTTP/1.1
Host: addon.example.com
Authorization: JWT eyJhbGciOiAiSFMyNTYiLCAi...
Content-Length: 646
Content-Type: application/json
5. Bitbucket Cloud JWT Grant (urn:bitbucket:oauth2:jwt)
If your Atlassian Connect add-on uses JWT authentication, you can swap a JWT for an OAuth access token. The resulting access token represents the account for which the add-on is installed.
Make sure you send the JWT token in the Authorization request header using the "JWT" scheme (case sensitive). Note that this custom scheme makes this different from HTTP Basic Auth (and so you cannot use "curl -u").
$ curl -X POST -H "Authorization: JWT {jwt_token}" \
https://bitbucket.org/site/oauth2/access_token \
-d grant_type=urn:bitbucket:oauth2:jwt
With JWT Based Access Control you build sites with any site generator and enable granular role based permissions while delegating authentication and user management to any service that can issue JSON Web Tokens.