docs/JWT-HOWTO.md
This is a short introduction on the JSON Web Token (JWT) library in Tink.
The JWT standard is defined in RFC 7519. The standard has many options, and many options are rarely used and some options are difficult to use correctly. The goal of Tink's JWT implementation is provide as subset of the JWT standard that we consider safe to use, and fit well into Tink.
These are the limitations of Tink's JWT library:
None value in the alg header.typ, alg and kid. All other headers are
not supported.Tink's JWT library provides primitives for both MAC and signatures. The
interfaces for these primitives are called JwtMac, JwtPublicKeySign and
JwtPublicKeyVerify. As with normal MACs and signatures, symmetric and
asymmetric primitives are kept separate.
Note that even though the JWT library uses the same MAC and signature algorithms
as the normal MAC and signature primitives, the JWT library
uses different key types. This is needed because some metadata (such as alg
and kid) needs to be stored with the key.
If tokens are generated and verified by different entities, then you should use
asymmetric keys with the primitives JwtPublicKeySign and JwtPublicKeyVerify.
The private key is used to generate tokens, and the public key is used to
verify tokens. The algorithms supported by these primitives are: ES256,
ES384, ES512, RS256, RS384, RS512, PS256, PS384 and PS512. Only
use the JwtMac primitive if the tokens are generated and verified by the same
entity. The algorithms supported by this primitive are HS256, HS384 and
HS512.
In Tinkey, all templates that can be used with the JWT primitives
start with JWT_, followed by the algorithm and some additional parameters. For
example JWT_HS256, JWT_ES256, JWT_RS256_3072_F4 or JWT_PS256_3072_F4.
In most cases, JWTs are generated by one party using a private keyset and
verified by another party using the public keyset. This requires that the public
keyset can be exported and shared. Tink allows public keyset to be converted to
and from the standard
JWK Set format, which
most JWT libraries will understand. (Note that while Tink's JsonKeysetWriter
will also produce keysets in JSON format, the output is not a JWK Set and
other libraries will not be able to read it.)
Tink does not support exporting public JWT keysets in any other format. The
reason for this is that other formats do not contain the alg and the kid
metadata to be used in the verification, which makes using them more error-prone
and may make it more difficult to rotate keys.
It is preferable to not just share the public keyset once, but to provide a way to automatically update the public keyset. (If not, rotating to a new key will be very hard.) Often, this is done by publishing the public keyset on a trusted and secured URL. A server that verifies tokens then simply has to periodically re-fetch the public keyset from that URL, for example once per day. To rotate the key, the new public key needs to be added to the public keyset at least one day before it is used to sign tokens. Otherwise the new tokens signed with the new private key will be rejected by servers that still use the old public keyset.
Some implementations re-fetch the public key as soon as a token with an unknown
kid header is received. Implementing this logic is not possible in Tink, since
we don't parse the token before they are verified. We also don't recommend doing
this, as it may result in lots of extra requests to the keyset URL if malicious
tokens with random kid headers are sent.
algThe alg header is always set and verified automatically by the Tink primitives
and cannot be accessed by the user. This makes it easier to rotate to a
different key type, as the user code does not depend on the particular key type
used.
kidThe kid header is set and verified automatically by the Tink primitives. Tink
supports both tokens with and without a kid header. They can be used in
exactly the same way, both support key rotation. Tokens without a kid header
are a bit shorter, but the difference is small. It is usually safer to generate
tokens with the kid header set, as other JWT libraries may require them to be
set.
Tinkey JWT key templates without a _RAW suffix (such as JWT_ES256) generate
tokens with kid header. Templates with _RAW suffix (such as JWT_ES256_RAW)
generate tokens without kid header.
typThe goal of the typ header is to clearly separate different types of token
from each other. Not doing this separation correctly may result in security
issues.
But there are other ways to do this separation, for example by distinguishing
different tokens by the claim names they use, or simply by using different
keyset for different tokens. We therefore don't enforce the usage of the typ
header. But, when a token with a typ header is verified, we require that the
verifier explicitly validates it, or explicitly ignores it. This makes sure that
the validation of this header is not forgotten.
Setting the typ header always to the constant value JWT is not needed.
issThis claim identifies the party that signed the token. This claim is usually a constant value for a given keyset, and globally unique. Often a URI is used to make it unique. Often, identity of the issuer is already clear by the fact that only the owner of the private keyset (which is the issuer) can generate tokens. In these cases, it may not be necessary to set the issuer claim in the token. But if the issuer claim is set, then we require that the verifier explicitly checks it, or explicitly ignores it.
Tink does not support to dynamically look-up a keyset based on the issuer claim, as this may lead to security problems if the lookup is done without proper validation. We require that the verifier know the issuer and the keyset used to verify the token before looking at the token.
audThis claim identifies a list of verifier that may accept this token. If this claim is set the verifier is required to pass its identity as expected audience. We do allow to explicitly ignore this claim, as it may be needed in some cases, for example if verifier's identity changed, and both the old and the new identity need to be accepted.
exp, not-before nbf and issued-at iat claimsIn most use cases, tokens should have an expiration date set. That's why Tink by default expects the user to set an expiration. There are some tokens that don't have expiration dates, see for example RFC 8417. Tink allows this, but requires the user to explicitly pass a parameter without_expiration when creating a token, to make sure that this is on purpose.
The expiration date claim exp is always validated. Tink does not allow
to turn this off, because the content of an expired token could be outdated
or invalid, and should not be used.
The not-before claim nbf is rarly used, but it is supported and will
always be validated.
Tink optionally supports validating that the issued-at claim iat is not in
the pass.
Your application may have other claims that need to be validated. For example,
maybe the token has a sub claim that needs to be in a special format, or it
requires an email claim to be present. Tink can't really help the verifier in
validating these claims, as validating these is different for different types of
tokens. We recommend validating these claims immediately after Tink has
successfully verified the token.
Here are some small examples on how to use Tink's JWT library: