So JWT 3.1 is based entirely on, and is just a subset of, JWS Appendix A.1. And I've got a test which validates that example in my JOSE library<https://bitbucket.org/b_c/jose4j>: https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsUsingHmacSha256ExampleTest.java
And here's a verification of the Example Encrypted JWT from Appendix A.1: https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jwe/EncryptedJwtTest.java The example in Section 6.1 is different than 3.1 - it's a "Plaintext JWT" using the "none" JWS alg. I've got verification of that one as well at the top of https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsPlaintextTest.java On Fri, Apr 25, 2014 at 4:37 AM, Hannes Tschofenig < hannes.tschofe...@gmx.net> wrote: > Hi all, > > As a document shepherd I have to verify the entire document and this > includes the examples as well. > > Section 3.1: > > You write: > > " > The following octet sequence is the UTF-8 representation of the JWT > Header/JWS Header above: > > [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32, > 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125] > " > > The values IMHO are represented in Decimal code point rather than Octal > UTF-8 bytes, as stated above. > See the following online tool to see the difference: > http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char > > Note that you could also show a hex encoding instead (e.g., via > http://ostermiller.org/calc/encode.html). Hixie's decoder would then > produce the correct decoding. Here is the link to his software: > http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder > (Note that this program seems to have flaws for most other options.) > > When do a Base64URL encoding of > > {"typ":"JWT","alg":"HS256"} > > then I get > > eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 > > but your spec says: > > eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 > > Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root > ":true}. > > My result: > > eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > > Your result: > > eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ > > Note: I am using this online tool for Base64URL encoding: > http://kjur.github.io/jsjws/tool_b64uenc.html. > Interestingly, when I dump the data into http://jwt.io/ then I get a > correct decoding. It might well be that the kjur.github.io has a flaw. > > Just wanted to check what tool you have used to create these encodings. > > > Section 6.1: > > The example in Section 6.1 is the same as in 3.1. Maybe it would be > useful to show something different here. > > The example in Appendix A.1 is more sophisticated since it demonstrates > encryption. To verify it I would need to have a library that supports > JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library > have you been using? > > I was wondering whether it would make sense to add two other examples, > namely for integrity protection. One example showing an HMAC-based keyed > message digest and another one using a digital signature. > > Here is a simple example to add that almost all JWT libraries seem to be > able to create and verify: > > Header: > {"alg":"HS256","typ":"JWT"} > > I use the HS256 algorithm with a shared secret '12345'. > > Body: > > {"iss":"https://as.example.com","sub":"mailto:j...@example.com > ","nbf":1398420753,"exp":1398424353,"iat":1398420753} > > jwt.encode({"iss":"https://as.example.com","sub":"mailto:j...@example.com > ","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345", > "HS256") > > I used http://www.onlineconversion.com/unix_time.htm to create the > date/time values: > "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT > "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT > > Here is the output created with https://github.com/progrium/pyjwt/ and > verified with http://jwt.io/: > > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4 > > Ciao > Hannes > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
