« JWT » : différence entre les versions

De Banane Atomic
Aller à la navigationAller à la recherche
 
(18 versions intermédiaires par le même utilisateur non affichées)
Ligne 2 : Ligne 2 :
JSON Web Token
JSON Web Token


== Access token ==
== Access token (authorization) ==
Access tokens are used to inform an API that the bearer of the token has been authorized to access the API and perform a predetermined set of actions specified by the scope. It is used to authorize API access.<br>
Access tokens are used to inform an API that the bearer of the token has been authorized to access the API and perform a predetermined set of actions specified by the scope. It is used to authorize API access.<br>
The token is generated after a user successfully authenticates and authorizes access.<br>
The token is generated after a user successfully authenticates and authorizes access.<br>
Ligne 9 : Ligne 9 :
This is what makes it useful for securing an API, but not for authenticating a user.<br>
This is what makes it useful for securing an API, but not for authenticating a user.<br>
An access token is put in the {{boxx|Authorization}} header of your request, then the API verifies the token and grant access regarding the scope.
An access token is put in the {{boxx|Authorization}} header of your request, then the API verifies the token and grant access regarding the scope.
{| class="wikitable wtp wtmono1"
! token key
! description
|-
| scope || list of authorized accesses
|-
| sub || subject: unique identifier of the user
|}


== ID token ==
== ID token (authentication) ==
The ID token is used to retrieve the user’s basic profile information like name, DOB, email, and phone, which is present in the authentication server.<br>
It should not be used to gain access to an API.<br>
OpenID Connect always issues ID tokens along with access tokens to provide compatibility with OAuth.<br>
OpenID Connect always issues ID tokens along with access tokens to provide compatibility with OAuth.<br>
ID token carries personal information about end-users that authenticate on an OpenID Connect flow.
ID token carries personal information about end-users that authenticate on an OpenID Connect flow.
Ligne 17 : Ligne 27 :
! description
! description
|-
|-
| aud || Audience: a specific application that should consume the token
| aud || audience: an id of the application that should consume the token
|-
| auth_time || date of the authentication
|-
| iss || url of the issuer of the token (AWS cognito, AAD)
|-
| sub || subject: unique identifier of the user
|}
|}


= Content token =
== Refresh token ==
The refresh token is used to request new access tokens without user interaction.
 
= Token keys =
{| class="wikitable wtp wtmono1"  
{| class="wikitable wtp wtmono1"  
! token key
! description
|-
|-
| aud || AUDience || {{boxx|https://*.onmicrosoft.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}} xxx=AppId
| auth_time || date of the authentication (nb of seconds since Epoch: 1970-01-01T00:00:00Z UTC)
|-
| iss || ISSuer || {{boxx|https://sts.windows.net/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/}} yyy=
|-
|-
| iat || Issued AT || date de la demande. Nombre de secondes depuis Epoch (1970-01-01T00:00:00Z UTC)
| exp || expiration time
|-
|-
| nbf || Not BeFore || date avant laquelle le token ne doit pas être utilisé
| iat || issued at: token creation date
|-
|-
| exp || EXPiration time || date à partir de laquelle le token ne sera plus accepté
| iss || url of the issuer of the token (AWS cognito, AAD)
|}
|}


== Azure ==
{| class="wikitable wtp wtmono1"  
{| class="wikitable wtp wtmono1"  
|-
|-
| acr || Authentication Context class Reference || 0 : l'authentification ne respecte pas la norme ISO/IEC 29115
| acr || Authentication Context class Reference || 0 : l'authentification ne respecte pas la norme ISO/IEC 29115
|-
| aio || ||
|-
|-
| amr || Authentication Method || pwd
| amr || Authentication Method || pwd
Ligne 48 : Ligne 66 :
* 1 : si le client ID et le client secret sont utilisés
* 1 : si le client ID et le client secret sont utilisés
|-
|-
| deviceid || ||  
| oid || Object ID || ID unique de l'utilisateur
|-
|-
| oid || Object ID || ID unique de l'utilisateur
| scp || Scope || user_impersonation
|-
|-
| onprem_sid || ||  
| tid || Tenant ID ||  
|}
 
= [https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#openid-connect-scopes Scopes] =
{| class="wikitable wtp wtmono1"
! scope
! description
|-
|-
| scp || Scope || user_impersonation
| openid || generate an ID token, authorizes the unique-identifier claim {{boxx|sub}}, and the ability to request other scopes
|-
|-
| sub || Subject || autre ID unique de l'utilisateur
| profile || authorizes all user attributes that the app client can read
|-
|-
| tid || Tenant ID ||  
| email || authorizes the user attributes {{boxx|email}} and {{boxx|email_verified}}
|-
|-
| uti || ||  
| phone || authorizes the user attributes {{boxx|phone_number}} and {{boxx|phone_number_verified}}
|}
|}

Dernière version du 7 mars 2024 à 14:36

Description

JSON Web Token

Access token (authorization)

Access tokens are used to inform an API that the bearer of the token has been authorized to access the API and perform a predetermined set of actions specified by the scope. It is used to authorize API access.
The token is generated after a user successfully authenticates and authorizes access.
It does not contain any information about the user itself besides their ID (sub).
It only contains authorization information about which actions the application is allowed to perform at the API (scope).
This is what makes it useful for securing an API, but not for authenticating a user.
An access token is put in the Authorization header of your request, then the API verifies the token and grant access regarding the scope.

token key description
scope list of authorized accesses
sub subject: unique identifier of the user

ID token (authentication)

The ID token is used to retrieve the user’s basic profile information like name, DOB, email, and phone, which is present in the authentication server.
It should not be used to gain access to an API.
OpenID Connect always issues ID tokens along with access tokens to provide compatibility with OAuth.
ID token carries personal information about end-users that authenticate on an OpenID Connect flow.

token key description
aud audience: an id of the application that should consume the token
auth_time date of the authentication
iss url of the issuer of the token (AWS cognito, AAD)
sub subject: unique identifier of the user

Refresh token

The refresh token is used to request new access tokens without user interaction.

Token keys

token key description
auth_time date of the authentication (nb of seconds since Epoch: 1970-01-01T00:00:00Z UTC)
exp expiration time
iat issued at: token creation date
iss url of the issuer of the token (AWS cognito, AAD)

Azure

acr Authentication Context class Reference 0 : l'authentification ne respecte pas la norme ISO/IEC 29115
amr Authentication Method pwd
appid APPlication ID Application ID dans Azure AD Applications
appidacr APPlication Authentication Context class Reference
  • 0 : client publique
  • 1 : si le client ID et le client secret sont utilisés
oid Object ID ID unique de l'utilisateur
scp Scope user_impersonation
tid Tenant ID

Scopes

scope description
openid generate an ID token, authorizes the unique-identifier claim sub, and the ability to request other scopes
profile authorizes all user attributes that the app client can read
email authorizes the user attributes email and email_verified
phone authorizes the user attributes phone_number and phone_number_verified