Friday, 24 February 2023

JSON Web Token (JWT) Claim Types

What Is a Claim
Claim information is carried in the payload, i.e. the second part of the token. The explanation is as follows.
Claims are statements about the entity, which is typically a user, and any additional data. There are three types of claims:

- Registered claims: a set of recommended claims defined in the RFC 7519 spec. Some examples are iss, exp, and aud.

- Public claims: user-defined claims that can be defined by the token users, but should conform to naming conventions to avoid collision (should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace) because they are in the public namespace.

- Private claims: arbitrary custom claims that are used to share information between parties that agree on them (and don’t have to worry about name collision because they’re private).
A claim may carry a timestamp. The explanation is as follows.
have a payload that contains the claim(s) (equipped with a timestamp)
1. Registered or Reserved Claim Types
The explanation is as follows.
There are the claims which are registered in the IANA "JSON Web Token Claims" registry. These claims are not mandatory to use or to be implemented in all cases; rather they are registered to provide a starting point for a set of useful, interoperable claims.
Example
The explanation is as follows.
iss is who issued the token. This is a registered claim.
exp is when the token expires. Also a registered claim.
sub is the subject. This is usually a user identifier. Also a registered claim.
scope is a custom, private claim that is commonly used with OAuth 2.0.
The explanation is as follows.
1. iss (issuer): The "iss" (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The "iss" value is a case-sensitive string containing a String or URI value. Use of this claim is OPTIONAL.

2. sub (subject): This claim represents the subject of JWT (the user). The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a String or URI value. Use of this claim is OPTIONAL.

3. aud (audience): This claim represents the intended recipient of the JWT. If the party processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a String or URI value. Use of this claim is OPTIONAL.

4. exp (expiration): The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim. Usually the value is kept short preferably in seconds. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

5. nbf (not before): The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

6. iat (issued at): The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

7. jti (JWT ID): The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string. Use of this claim is OPTIONAL.
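The rules listed above turned into a check a resource server would run on an already signature-verified payload (an added example, not code from the original post; the issuer, audience and sample payload values are constructed for illustration, and signature verification is assumed to have happened before this step):

```python
import time

# Added example (not the post's own code): checks for the registered claims
# above on an already signature-verified payload; issuer/audience constructed.
class ClaimError(ValueError):
    pass

def validate_registered_claims(payload, expected_iss, expected_aud, seen_jti,
                               now=None, leeway=60, max_age=None):
    """Return the subject if every registered claim checks out, else raise."""
    now = time.time() if now is None else now
    if payload.get("iss") != expected_iss:        # iss: exact, case-sensitive
        raise ClaimError("unexpected issuer")
    aud = payload.get("aud")                      # aud: a string or an array
    if aud is not None and expected_aud not in ([aud] if isinstance(aud, str) else aud):
        raise ClaimError("token not intended for this audience")
    exp = payload.get("exp")                      # exp: NumericDate, required here
    if not isinstance(exp, (int, float)):
        raise ClaimError("exp missing or not a NumericDate")
    if now >= exp + leeway:                       # reject on/after expiry (+skew)
        raise ClaimError("token expired")
    nbf = payload.get("nbf")                      # nbf: same clock-skew leeway
    if nbf is not None and now + leeway < nbf:
        raise ClaimError("token not yet valid")
    iat = payload.get("iat")                      # iat: optional maximum age
    if max_age is not None and (iat is None or now - iat > max_age):
        raise ClaimError("token too old")
    jti = payload.get("jti")                      # jti: one-time use id
    if jti is not None:
        if jti in seen_jti:
            raise ClaimError("replayed token id")
        seen_jti.add(jti)
    sub = payload.get("sub")
    if not sub:
        raise ClaimError("sub missing")
    return sub

# Constructed sample payload, as seen after the signature has been verified
SAMPLE = {"iss": "https://issuer.example", "sub": "user-42",
          "aud": ["api.example", "other.example"], "iat": 1_700_000_000,
          "nbf": 1_700_000_000, "exp": 1_700_000_600, "jti": "c0ffee-1"}
SEEN = set()   # ids already accepted by this server (replay tracking)

def claim_status(payload, seen_jti=None, **kw):
    """'ok' or the rejection reason, for the constructed issuer and audience."""
    try:
        validate_registered_claims(payload, "https://issuer.example", "api.example",
                                   set() if seen_jti is None else seen_jti, **kw)
        return "ok"
    except ClaimError as err:
        return str(err)
```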
2. Public Claim Types
Public claims are defined as we see fit. The explanation is as follows.
These claim names can be defined at will by those using JWTs. However, in order to prevent collisions, any new Claim Name should either be registered in the IANA "JSON Web Token Claims" registry or be a Public Name: a value that contains a Collision-Resistant Name.

In each case, the definer of the name or value needs to take reasonable precautions to make sure they are in control of the part of the namespace they use to define the Claim Name.
3. Private Claim Types
Private claims are defined so that information can be passed between systems. The explanation is as follows.
This could be thought of as analogous to creating private custom claims to share information specific to your application. These could be any names that are not Registered Claims Names or Public Claims Names. Unlike Public Claim Names, Private Claim Names are subject to collision and should be used with caution.
What Is the scope Claim
It specifies which resource access is granted to, and also what kind of access is granted to that resource, for example "read:contacts". The explanation is as follows.
The scope claim is commonly used to provide authorization information. For example, letting the application know what part of the application the user is authorized to access. This, of course, does not relieve the server of its duty to perform its own authorization checks. A general principle of web application security is redundancy. The client app provides one checkpoint, the server another.
Thanks to scopes, access is granted not to all of a resource's data but only to the specified part. The explanation is as follows.
Scopes define the permissions that determine what data of a user an application can access. For instance, if a 3rd party application wants to recommend movies to a user, it requires access to the movies the user has watched (e.g., “watched_movies”). This is where scopes come into play. This 3rd party application can access user information only to the extent the user has permitted.

This process ensures the safety of user information. Instead of accessing all of a user’s data, the 3rd party can access user data within the permissions granted.
What Are Authorities
The explanation is as follows.
Authorities represent the actions (that one has permission for) a user can perform within an application. Compared to scopes, they are usually more detailed and specify which actions can be carried out within a specific application.

For example, a user can add a movie to their favorites (e.g., “user”). The permissions to perform this action are called authorities.
When Spring Security parses a JWT, it reads the "scope" or "scp" claim and converts it into a list of strings. For each element in the list it adds the "SCOPE_" prefix and creates a SimpleGrantedAuthority object.
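The scope-to-authority mapping just described, re-implemented in Python as an added example (this is not Spring Security's own code); the "scope"/"scp" claim names and the "SCOPE_" prefix are the ones named above, and the sample payloads are constructed:

```python
# Added example (not Spring Security's code): the claim-to-authority mapping
# described above, handling both the space-delimited string form and the
# array form of the scope claim. Sample payloads are constructed.
SCOPE_CLAIMS = ("scope", "scp")   # checked in this order; first one present wins
PREFIX = "SCOPE_"

def authorities_from_claims(claims):
    """Return the authority names derived from the first scope claim present."""
    for name in SCOPE_CLAIMS:
        value = claims.get(name)
        if value is None:
            continue
        if isinstance(value, str):                 # "watched_movies user"
            scopes = value.split()
        elif isinstance(value, (list, tuple)):     # ["watched_movies", "user"]
            scopes = [s for s in value if isinstance(s, str)]
        else:
            raise TypeError(f"claim {name!r} must be a string or an array of strings")
        return [PREFIX + s for s in scopes]
    return []                                      # no scope claim: no authorities

def has_authority(claims, required):
    """The check a resource server runs before serving a protected request."""
    return required in authorities_from_claims(claims)

# Constructed token payloads (signature already verified elsewhere)
ARRAY_TOKEN = {"sub": "user-42", "scp": ["watched_movies", "user"]}
STRING_TOKEN = {"sub": "user-42", "scope": "watched_movies user"}
NO_SCOPE_TOKEN = {"sub": "user-42"}
```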