The Token Connection

How JWS, JWK, and certificates play together

Different JWS and JWK incarnations
JWS, JWK, and certificate connections

The basic token

Illustrated JWT with header and claims
The basic JWT with header parameters and claims
eyJhbGciOiJub25lIn0.e30.

Adding token integrity

Illustrated JWS with header, claims and signature
JWS with header, claims, and signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.Et9HFtf9R3GEMA0IICOfFMVXY7kkTX1wr4qCyhIf58U
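To make the difference between the two tokens above concrete, here is an added example (not code from the article) that splits both compact tokens into their segments, decodes the header and claims, and then performs the HS256 verification that gives the second token its integrity. The two token strings are copied from the article; the HMAC key is a constructed demo value, so the article's own signature cannot be checked here and is only parsed. A verifier must fix the accepted algorithm itself rather than trusting the header, which is why the first token (alg "none", empty signature) is rejected.

```python
import base64
import hashlib
import hmac
import json

# Tokens copied from the article: an unsigned JWT (alg "none") and an HS256-signed JWS.
UNSIGNED_JWT = "eyJhbGciOiJub25lIn0.e30."
SIGNED_JWS = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30."
    "Et9HFtf9R3GEMA0IICOfFMVXY7kkTX1wr4qCyhIf58U"
)


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment that has had its '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_token(token: str):
    """Return (header, claims, raw signature bytes) of a compact JWS/JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact serialization must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])  # b"" for an unsigned token
    return header, claims, signature


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify an HS256 JWS with a shared key and return its claims.

    The accepted algorithm is pinned by the verifier; the token's own "alg"
    value is only compared against it, never used to pick a verification method.
    """
    header, claims, signature = split_token(token)
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    # The signing input is header.payload, exactly as transmitted.
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature does not verify")
    return claims


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce an HS256 JWS for the given claims (constructed key, demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; not the article's key
    for name, tok in (("unsigned", UNSIGNED_JWT), ("signed", SIGNED_JWS)):
        hdr, clm, sig = split_token(tok)
        print(name, hdr, clm, "signature bytes:", len(sig))
    own = sign_hs256({"sub": "demo"}, demo_key)
    print("verified claims:", verify_hs256(own, demo_key))
    try:
        verify_hs256(UNSIGNED_JWT, demo_key)
    except ValueError as err:
        print("rejected unsigned token:", err)
```

Running it shows that the first token decodes to header `{"alg": "none"}` with claims `{}` and zero signature bytes, while the second carries the HS256 header and a 32-byte HMAC. Re-signing empty claims with any key reproduces the article's `header.payload` prefix exactly; only the final segment depends on the key.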

Verifying token integrity

The key ID

The JWK and JWK Set

The JWK Set URL

JWS pointing to a JWK in a JWK Set
JWS and JWK Set

An embedded key

An embedded certificate

A certificate URL

A JWS pointing to a certificate chain via its x5u parameter
JWS and Certificate Chain

Verifying key integrity

Server validation

An embedded certificate

A certificate URL

A JWS pointing to a JWK in a JWK set. The JWK points to a certificate chain.
JWS with JWK Set and certificate chain

Real-life examples

Self-encoded access tokens

OpenID Connect ID Token and Userinfo

Introspection and Libraries

Summary

Freelance Fullstack Developer, Head of Security at https://www.comuny.de
