
codemonth.dk

One project every month - making stuff better ...

JWT - JSON Web Tokens

After having worked on a couple of SAML issues, trying to debug some encryption errors, I was getting really tired of really big SAML messages.

So I started looking around for alternatives, and found the JWT website. It is a lot more straightforward and plenty secure for what most people are looking to do with security tokens.

To quote from the website:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

  • Compact: Because of its smaller size, JWTs can be sent through a URL, a POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast.
  • Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.

To understand the installation process and see the prerequisites, check out the GitHub README, which will always be updated with the latest installation information.

Once the package is installed, creating a token is a single call to the jwt_generate function. All of its parameters have defaults, as the first call below shows; the demo then sets the signature key and each of the registered claims of RFC 7519 (subject, JWT ID, expiration and not-before) in separate calls:


SQL> @temp/demo1

Generating all default empty token with "secret" as the encryption key

SQL> select jwt_ninja.jwt_generate as token from dual;

TOKEN
--------------------------------------------------------------------------------
eyAiYWxnIjogIkhTMjU2IiwgInR5cCI6ICJKV1QiIH0.eyAiaWF0IjogMTQ2NjIwNjM3NTAwMH0.g5vQ
yVV2SWudcsconSlxFGE57ef7C31x003tX98zT5Y


Setting the signature secret key to something non-default

SQL> select jwt_ninja.jwt_generate(p_signature_key => 'my secret key') as token from dual;

TOKEN
--------------------------------------------------------------------------------
eyAiYWxnIjogIkhTMjU2IiwgInR5cCI6ICJKV1QiIH0.eyAiaWF0IjogMTQ2NjIwNjM3NTAwMH0.g5vQ
yVV2SWudcsconSlxFGE57ef7C31x003tX98zT5Y


Setting registered claims in the payload.
...............................................

Setting subject.

SQL> select jwt_ninja.jwt_generate(p_reg_claim_subject => 'security-root-access') as token from dual;

TOKEN
--------------------------------------------------------------------------------
eyAiYWxnIjogIkhTMjU2IiwgInR5cCI6ICJKV1QiIH0.eyAiaWF0IjogMTQ2NjIwNjM3NTAwMCwgInN1
YiI6ICJzZWN1cml0eS1yb290LWFj
Y2VzcyJ9.nKgbooEzNbPAUnCEmFfQLPagb//8yRliJ7Giyy2IB+8


Setting JWTID.

SQL> select jwt_ninja.jwt_generate(p_reg_claim_jwtid => '123-456-789') as token from dual;

TOKEN
--------------------------------------------------------------------------------
eyAiYWxnIjogIkhTMjU2IiwgInR5cCI6ICJKV1QiIH0.eyAiaWF0IjogMTQ2NjIwNjM3NTAwMCwgImp0
aSI6ICIxMjMtNDU2LTc4OSJ9.UJFFEhYWF9BpIikyDfZqapngxDBhPyppr+8L24rfxCY


Setting Expiry date of token to 2 hours after current time.

SQL> select jwt_ninja.jwt_generate(p_reg_claim_expiration => sysdate+((1/24)*2)) from dual;

JWT_NINJA.JWT_GENERATE(P_REG_CLAIM_EXPIRATION=>SYSDATE+((1/24)*2))
--------------------------------------------------------------------------------
eyAiYWxnIjogIkhTMjU2IiwgInR5cCI6ICJKV1QiIH0.eyAiaWF0IjogMTQ2NjIwNjM3NTAwMCwgImV4
cCI6IDE0NjYyMTM1NzUwMDB9.F7X+D8P+WKQzkNVDkPQDJg5DyyK9yGMmfAIIsvjTukM


Setting activation time of token to 5 hours after current time.

SQL> select jwt_ninja.jwt_generate(p_reg_claim_notbefore => sysdate+((1/24)*5)) from dual;

JWT_NINJA.JWT_GENERATE(P_REG_CLAIM_NOTBEFORE=>SYSDATE+((1/24)*5))
--------------------------------------------------------------------------------
eyAiYWxnIjogIkhTMjU2IiwgInR5cCI6ICJKV1QiIH0.eyAiaWF0IjogMTQ2NjIwNjM3NTAwMCwgIm5i
ZiI6IDE0NjYyMjQzNzUwMDB9.c8+2sUSbkAOiOyxfXD1FdGFgnJm0E0RDlk9xM4AdDeY

SQL> 

So always set the p_signature_key parameter: with the default, every token is signed with the HMAC key "secret", and anyone who knows that key can mint tokens your verifier will accept. A few more things are worth checking before handing these tokens to a standard JWT library. HS256 is a MAC, not encryption: the header and payload are only base64-encoded, so anyone holding the token can read the claims, and nothing secret belongs in them. Decoding the payloads in the transcript shows iat, exp and nbf as 13-digit values (for example 1466206375000), which are milliseconds, whereas RFC 7519 defines NumericDate in whole seconds; a verifier that follows the RFC will read such an exp as a date tens of thousands of years away and never expire the token, and such an nbf as a token that never becomes valid. The signature segments above also contain "+" and "/" characters, which belong to standard base64 rather than the base64url alphabet RFC 7515 requires, so they will break in URLs and be rejected by strict decoders. Finally, the transcript shows exactly the same token for the default key and for p_signature_key => 'my secret key'; an HMAC over the same input with a different key cannot produce the same signature, so treat that as a copy-and-paste slip and confirm on your own install that the third segment changes when the key changes.
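The helpers below are an added example in Python (standard library only), not code from jwt_ninja or from this post. They decode the tokens shown in the transcript above, copied in as sample input, and report whether a token's signature segment uses the base64url alphabet and whether its time claims are in seconds or milliseconds; they then build an RFC 7519/7515-conformant HS256 token for the same kind of claims and verify it with an alg allow-list, a constant-time MAC comparison and exp/nbf enforcement. The key b"my secret key", the claims and the fixed clock value 1466206375 (the transcript's iat, in seconds) are assumptions made for the demonstration.

```python
"""HS256 JWT inspect / encode / verify with the Python standard library.
Added example, not the jwt_ninja package's code. The PAGE_TOKEN_* strings are
copied from the SQL*Plus transcript above (line wrapping removed) as sample input."""
import base64
import hashlib
import hmac
import json
import re
import time

PAGE_TOKEN_DEFAULT = ("eyAiYWxnIjogIkhTMjU2IiwgInR5cCI6ICJKV1QiIH0"
                      ".eyAiaWF0IjogMTQ2NjIwNjM3NTAwMH0"
                      ".g5vQyVV2SWudcsconSlxFGE57ef7C31x003tX98zT5Y")
PAGE_TOKEN_SUBJECT = ("eyAiYWxnIjogIkhTMjU2IiwgInR5cCI6ICJKV1QiIH0"
                      ".eyAiaWF0IjogMTQ2NjIwNjM3NTAwMCwgInN1YiI6ICJzZWN1cml0eS1yb290LWFjY2VzcyJ9"
                      ".nKgbooEzNbPAUnCEmFfQLPagb//8yRliJ7Giyy2IB+8")
PAGE_TOKEN_EXPIRY = ("eyAiYWxnIjogIkhTMjU2IiwgInR5cCI6ICJKV1QiIH0"
                     ".eyAiaWF0IjogMTQ2NjIwNjM3NTAwMCwgImV4cCI6IDE0NjYyMTM1NzUwMDB9"
                     ".F7X+D8P+WKQzkNVDkPQDJg5DyyK9yGMmfAIIsvjTukM")
_B64URL = re.compile(r"[A-Za-z0-9_-]+")  # RFC 7515 alphabet, padding stripped

class InvalidToken(ValueError):
    """Rejection reason raised by verify_hs256()."""

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str, strict: bool = True) -> bytes:
    # strict rejects '+', '/' and '=' (standard base64); strict=False tolerates
    # them so that the transcript's signature segments can still be inspected.
    if strict and not _B64URL.fullmatch(segment):
        raise InvalidToken("segment is not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _json_object(raw: bytes, what: str) -> dict:
    obj = json.loads(raw)  # non-JSON raises ValueError, which is also a rejection
    if not isinstance(obj, dict):
        raise InvalidToken(f"{what} is not a JSON object")
    return obj

def inspect_token(token: str) -> dict:
    """Decode WITHOUT verifying and report two RFC conformance points."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    payload = _json_object(b64url_decode(parts[1], strict=False), "payload")
    # RFC 7519 NumericDate is whole seconds since the epoch. A 13-digit value is
    # milliseconds; a seconds-based verifier reads it as a date tens of thousands
    # of years away, so such an exp never expires and such an nbf never arrives.
    stamps = [payload[k] for k in ("iat", "exp", "nbf")
              if isinstance(payload.get(k), (int, float))]
    return {"header": _json_object(b64url_decode(parts[0], strict=False), "header"),
            "payload": payload,
            "signature_is_base64url": _B64URL.fullmatch(parts[2]) is not None,
            "timestamps_in_milliseconds": any(v > 10**11 for v in stamps)}

def encode_hs256(claims: dict, key: bytes, now=None, ttl: int = 3600) -> str:
    """Sign claims with HS256: compact JSON, base64url, iat/exp in seconds."""
    now = int(time.time()) if now is None else int(now)
    body = {"iat": now, "exp": now + ttl, **claims}
    segs = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
            for obj in ({"alg": "HS256", "typ": "JWT"}, body)]
    mac = hmac.new(key, ".".join(segs).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(mac)])

def verify_hs256(token: str, key: bytes, now=None, leeway: int = 0) -> dict:
    """Return the claims of a valid HS256 token, otherwise raise InvalidToken."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    raw_header, raw_payload, sig = (b64url_decode(p) for p in parts)
    # The verifier, not the token, decides the algorithm: this rejects alg=none
    # and RSA/HMAC key-confusion tokens before any MAC is computed.
    if _json_object(raw_header, "header").get("alg") != "HS256":
        raise InvalidToken("alg not allowed")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise InvalidToken("bad signature")
    claims = _json_object(raw_payload, "payload")
    if "exp" in claims and now >= claims["exp"] + leeway:
        raise InvalidToken("expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise InvalidToken("not yet valid")
    return claims

def check(token: str, key: bytes, now=None) -> str:
    """'ok' or the rejection reason; handy for demos and tests."""
    try:
        verify_hs256(token, key, now=now)
        return "ok"
    except ValueError as exc:  # InvalidToken and JSON errors alike
        return str(exc)

if __name__ == "__main__":
    print(inspect_token(PAGE_TOKEN_SUBJECT))
    key = b"my secret key"                      # never the package default "secret"
    tok = encode_hs256({"sub": "security-root-access"}, key, now=1466206375, ttl=7200)
    print(tok, check(tok, key, now=1466206375 + 60))        # ... ok
    print(check(tok, key, now=1466206375 + 7200))           # expired
    print(check(PAGE_TOKEN_SUBJECT, b"secret"))             # segment is not base64url
```

inspect_token deliberately verifies nothing; use it to look at what a producer emits, never to trust claims. Because verify_hs256 decodes every segment strictly before doing anything else, the transcript's tokens with "+" or "/" in the signature are rejected before a MAC is even computed, which is what a conforming consumer will do with them.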

The next step is to create the verify and parse functions, so that the full RFC implementation is complete.

Tagged in: DBMS_CRYPTO