{"id":2936,"date":"2021-03-25T20:36:37","date_gmt":"2021-03-25T19:36:37","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2936"},"modified":"2021-03-25T22:05:53","modified_gmt":"2021-03-25T21:05:53","slug":"jwt-java-web-token","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2936","title":{"rendered":"<span class=\"caps\">JWT<\/span> Java Web&nbsp;Token"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li>Use <a href=\"https:\/\/jwt.io\/\">https:\/\/jwt.io\/<\/a> to decode <span class=\"caps\">JWT<\/span><ul><li>It also shows the var\u00adi\u00adous parts. A <span class=\"caps\">JWT<\/span> token has mul\u00adti\u00adple parts in base64, sep\u00ada\u00adrat\u00aded by a point character.<br><img loading=\"lazy\" decoding=\"async\" width=\"550\" height=\"486\" class=\"wp-image-2938\" style=\"width: 550px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/03\/Bildschirmfoto-2021-03-25-um-20.46.42.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/03\/Bildschirmfoto-2021-03-25-um-20.46.42.png 1215w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/03\/Bildschirmfoto-2021-03-25-um-20.46.42-300x265.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/03\/Bildschirmfoto-2021-03-25-um-20.46.42-1024x905.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/03\/Bildschirmfoto-2021-03-25-um-20.46.42-768x679.png 768w\" sizes=\"auto, (max-width: 550px) 100vw, 550px\"><\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Create <span class=\"caps\">JWT<\/span>&nbsp;token<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate <span class=\"caps\">PEM<\/span> <span class=\"caps\">SSH<\/span>&nbsp;key:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl genrsa -out private.pem 2048<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate base64 from head\u00ader and payload:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ echo -n '{\"typ\":\"JWT\",\"alg\":\"RS256\",\"kid\":\"http:\/\/10.10.14.17\/private.pem\"}' | base64 -w0 | sed s\/+\/-\/ | sed -E s\/=+$\/\/\n=&gt; $header<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">$ echo -n '{\"username\":\"aaa\",\"email\":\"a@a.a\",\"admin_cap\":1}' | base64 -w0 | sed s\/+\/-\/ | sed -E s\/=+$\/\/\n=&gt; $payload<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate sig\u00adna\u00adture with the cre\u00adat\u00aded pri\u00advate&nbsp;key:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo -n \"$header.$payload\" | openssl dgst -sha256 -binary -sign private.pem | openssl enc -base64 | tr -d '\\n=' | tr -- '+\/' '-_'\n=&gt; $sig<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, com\u00adbine all parts to the <span class=\"caps\">JWT<\/span>&nbsp;token:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$header.$payload.$sig<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can ver\u00adi\u00adfy this <span class=\"caps\">JWT<\/span> token e.g. via <a href=\"https:\/\/jwt.io\/\">https:\/\/jwt.io\/<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Use https:\/\/jwt.io\/ to decode <span class=\"caps\">JWT<\/span>&nbsp; It also shows the var\u00adi\u00adous parts. A <span class=\"caps\">JWT<\/span> token has mul\u00adti\u00adple parts in base64, sep\u00ada\u00adrat\u00aded by a point char\u00adac\u00adter. Cre\u00adate <span class=\"caps\">JWT<\/span>&nbsp;token Cre\u00adate <span class=\"caps\">PEM<\/span> <span class=\"caps\">SSH<\/span>&nbsp;key: openssl genr\u00adsa \u2011out private.pem 2048 Cre\u00adate base64 from head\u00ader and pay\u00adload: $ echo \u2011n \u2018{\u201ctyp\u201d:\u201c<span class=\"caps\">JWT<\/span>\u201d,\u201calg\u201d:\u201c<span class=\"caps\">RS256<\/span>\u201d,\u201ckid\u201d:\u201chttp:\/\/10.10.14.17\/private.pem\u201d}\u2019 | base64 \u2011w0 | sed s\/+\/-\/ | sed \u2011E&nbsp;s\/=+$\/\/&nbsp;=&gt;&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[369,368],"class_list":["post-2936","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-java-web-token","tag-jwt"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2936"}],"version-history":[{"count":5,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2936\/revisions"}],"predecessor-version":[{"id":2945,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2936\/revisions\/2945"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}