JWT PROTOCOL (Summary)

This document defines the main protocol of the JWT-based authentication server and summarizes its error responses.
Every request and response body is encrypted with KISA SEED in CBC mode and then Base64-encoded for transmission (CBC_ENC); on receipt it is Base64-decoded and decrypted (CBC_DEC).


Table of contents

  1. Login (token issuance)
  2. Token verification (Introspect / JWKS)
  3. Reissue request (Reissue)
  4. Logout / token revocation (Revoke)
  5. Common authentication header errors

1) Login (token issuance)

  • POST /oauth2/token

  • Body example

    CBC_ENC(grant_type=client_credentials[&scope=read]&memid=<member id>&tmpkey=<temporary issued key>)
    
  • Success response

CBC_DEC({
  "access_token": "...",
  "token_type": "Bearer",
  "expires_in": 599
})
  • μ—λŸ¬
// grant_type λˆ„λ½ β†’ 400
{"error":"invalid_client","description":"Missing or invalid parameter: grant_type"}
// 잘λͺ»λœ grant_type β†’ 400
{"error":"unsupported_grant_type","description":"Unsupported grant_type: credentials"}
// memid/tmpkey λˆ„λ½ β†’ 400
{"error":"invalid_request","description":"Missing or invalid parameter: {νŠΉμ •ν‚€}"}
// κ°’ 뢈일치/만료 β†’ 401
{"error":"user_not_allowed","description":"User is not allowed to obtain a token."}

2) Token verification (Introspect / JWKS)

  • POST /oauth2/introspect

    • Body:

      CBC_ENC(token={access_token}[&token_type_hint=access_token])
      
  • JWKS: /oauth2/jwks
    (verification can be delegated to the server, or done directly with the public key)

  • Success response

200 OK
{"active":true,"sub":"textbook","aud":["textbook"],"token_type":"Bearer","client_id":"textbook", ...}
  • μ—λŸ¬
// token λˆ„λ½ β†’ 400
{"error":"invalid_request","description":"Missing or invalid parameter: token"}
// λΉ„ν™œμ„±/만료 토큰 β†’ 401
{"error":"invalid_token","description":"Token is inactive or expired."}

3) Reissue request (Reissue)

  • POST /oauth2/token

  • Body example

    CBC_ENC(grant_type=client_credentials[&scope=read]&memid=<member id>&tmpkey=<temporary issued key>)
    
  • Success response

CBC_DEC({
  "access_token": "new key",
  "token_type": "Bearer",
  "expires_in": 600
})
  • μ—λŸ¬ (둜그인과 동일 κ·œμΉ™)
{"error":"invalid_client","description":"Missing or invalid parameter: grant_type"}
{"error":"unsupported_grant_type","description":"Unsupported grant_type: credentials"}
{"error":"invalid_request","description":"Missing or invalid parameter: {νŠΉμ •ν‚€}"}
{"error":"user_not_allowed","description":"User is not allowed to obtain a token."}
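Added example (not part of this document or of the project's code): a Python handler that applies the request checks of sections 1 and 3 to the decrypted body of POST /oauth2/token and returns the documented status/JSON pairs. It assumes the SEED-CBC layer (CBC_DEC) has already been removed, so it works on the plaintext form body, and it uses a constructed table TMPKEY_STORE in place of the server's real temporary-key store; the response shape follows the login example above. The constant-time comparison of tmpkey (hmac.compare_digest) is the detail worth keeping in a real implementation.

```python
# Added example, not the project's code. Assumption: the body has already been
# run through CBC_DEC and is a plain application/x-www-form-urlencoded string.
import hmac
import secrets
from urllib.parse import parse_qs

SUPPORTED_GRANT_TYPES = {"client_credentials"}

# Constructed sample store: member id -> temporary issued key (placeholder data)
TMPKEY_STORE = {"textbook": "tmp-0123"}


def error(status, code, description):
    """Shape every error exactly like the documented {"error","description"} JSON."""
    return status, {"error": code, "description": description}


def handle_token_request(body: str, store=TMPKEY_STORE):
    """Return (status, json_dict) for a decrypted /oauth2/token request body."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    # grant_type missing -> 400 invalid_client (error code as documented above)
    grant_type = params.get("grant_type")
    if not grant_type:
        return error(400, "invalid_client", "Missing or invalid parameter: grant_type")

    # grant_type present but not supported -> 400 unsupported_grant_type
    if grant_type not in SUPPORTED_GRANT_TYPES:
        return error(400, "unsupported_grant_type", f"Unsupported grant_type: {grant_type}")

    # memid / tmpkey missing -> 400, naming the specific missing key
    for key in ("memid", "tmpkey"):
        if not params.get(key):
            return error(400, "invalid_request", f"Missing or invalid parameter: {key}")

    # value mismatch, or an expired key (modelled as absent from the store) -> 401
    expected = store.get(params["memid"])
    if expected is None or not hmac.compare_digest(expected.encode(), params["tmpkey"].encode()):
        return error(401, "user_not_allowed", "User is not allowed to obtain a token.")

    # success: an opaque placeholder token stands in for the JWT the real server issues
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 599,
    }
```

Because the reissue request (section 3) carries the same body and the same error rules as login, the same handler serves both; only the issued token differs.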

4) Logout / token revocation (Revoke)

  • POST /oauth2/revoke

  • Body example

    CBC_ENC(token={access_token}[&token_type_hint=access_token])
    
  • Success response: 200 OK (token destroyed; 200 is returned even for an inactive or nonexistent token, in compliance with RFC 7009)

  • Errors

// token missing → 400
{"error":"invalid_request","description":"Missing or invalid parameter: token"}
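Added example (not part of this document or of the project's code) covering sections 2 and 4 together: introspect and revoke handlers over one constructed in-memory token table, showing the two response policies side by side. Introspection of an unknown, revoked or expired token returns the documented 401 invalid_token response, while revocation returns 200 whether or not the token exists (RFC 7009), so the revoke endpoint cannot be used to probe which tokens are live. As in the previous example, the SEED-CBC layer is assumed to have been removed already, and the TOKENS table is placeholder data standing in for the server's store.

```python
# Added example, not the project's code. Assumption: bodies are plaintext form
# strings (CBC_DEC already applied); TOKENS is constructed sample data.
import time
from urllib.parse import parse_qs

# Constructed sample data: opaque token string -> record
TOKENS = {
    "tok-live": {"sub": "textbook", "aud": ["textbook"], "client_id": "textbook",
                 "exp": time.time() + 600, "revoked": False},
    "tok-expired": {"sub": "textbook", "aud": ["textbook"], "client_id": "textbook",
                    "exp": time.time() - 1, "revoked": False},
}


def _token_param(body):
    """Extract the `token` form parameter; None when absent or blank."""
    values = parse_qs(body, keep_blank_values=True).get("token", [])
    return values[0] if values and values[0] else None


def _missing_token():
    return 400, {"error": "invalid_request", "description": "Missing or invalid parameter: token"}


def introspect(body, tokens=TOKENS, now=None):
    """POST /oauth2/introspect: 200 with claims for an active token, otherwise 401."""
    now = time.time() if now is None else now
    token = _token_param(body)
    if token is None:
        return _missing_token()
    rec = tokens.get(token)
    # Unknown, revoked and expired tokens all receive the same documented 401
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return 401, {"error": "invalid_token", "description": "Token is inactive or expired."}
    return 200, {"active": True, "sub": rec["sub"], "aud": rec["aud"],
                 "token_type": "Bearer", "client_id": rec["client_id"], "exp": int(rec["exp"])}


def revoke(body, tokens=TOKENS):
    """POST /oauth2/revoke: only a missing token is an error; any other input
    yields 200 (RFC 7009), so the response never reveals whether a token existed."""
    token = _token_param(body)
    if token is None:
        return _missing_token()
    rec = tokens.get(token)
    if rec is not None:
        rec["revoked"] = True
    return 200, {}
```

A token that has been revoked is reported as inactive by the next introspection call, which is the check a resource server should run (or replace with a JWKS signature check plus its own revocation list) before honouring a Bearer token.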

5) Common authentication header errors

// header missing → 401
{"error":"invalid_client","description":"Missing or invalid header: Authorization"}
// Basic format error → 400
{"error":"invalid_request","description":"Invalid Authorization header format. Missing client_id and/or client_secret."}
// Base64 decode error → 400
{"error":"invalid_request","description":"Invalid Authorization header format. Failed to decode credentials."}
// ClientId mismatch → 401
{"error":"invalid_client","description":"Client authentication failed: client_id"}
// ClientSecret mismatch → 401
{"error":"invalid_client","description":"Client authentication failed: client_secret"}
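Added example (not part of this document or of the project's code): a Python function that parses the HTTP Basic client credentials in the Authorization header and maps each failure to the response listed above, in the order a server would naturally hit them (header present, scheme and payload well-formed, Base64 valid, client_id:client_secret split, id known, secret correct). It assumes headers arrive as a plain dict keyed "Authorization" and uses a constructed client registry CLIENTS; basic_header() is a small helper added here so the check can be exercised end to end.

```python
# Added example, not the project's code. Assumptions: `headers` is a dict with
# the key "Authorization"; CLIENTS is a constructed placeholder registry.
import base64
import binascii
import hmac

# Constructed sample registry: client_id -> client_secret (placeholder values)
CLIENTS = {"textbook": "s3cret"}

FORMAT_ERROR = "Invalid Authorization header format. Missing client_id and/or client_secret."
DECODE_ERROR = "Invalid Authorization header format. Failed to decode credentials."


def _err(status, code, description):
    return status, {"error": code, "description": description}


def basic_header(client_id, client_secret):
    """Build the header value a client sends: 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate_client(headers, clients=CLIENTS):
    """Return None when the client authenticates, else (status, error_json)."""
    auth = headers.get("Authorization")
    if auth is None:
        return _err(401, "invalid_client", "Missing or invalid header: Authorization")

    # Scheme must be Basic and a payload must follow it
    scheme, _, payload = auth.partition(" ")
    if scheme != "Basic" or not payload.strip():
        return _err(400, "invalid_request", FORMAT_ERROR)

    # Strict Base64 decoding: invalid characters or padding -> decode error
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return _err(400, "invalid_request", DECODE_ERROR)

    # The decoded payload must be client_id:client_secret with both parts present
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id or not client_secret:
        return _err(400, "invalid_request", FORMAT_ERROR)

    # Unknown client_id -> 401 (distinct message, as documented)
    expected = clients.get(client_id)
    if expected is None:
        return _err(401, "invalid_client", "Client authentication failed: client_id")

    # Constant-time secret comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(expected.encode("utf-8"), client_secret.encode("utf-8")):
        return _err(401, "invalid_client", "Client authentication failed: client_secret")

    return None
```

Note that, exactly as in the table above, a wrong client_id and a wrong client_secret produce different descriptions; a deployment that prefers not to confirm which client ids exist can return the client_secret message for both cases without changing anything else in this function.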