Introduction

...

Additionally, JWT (JSON Web Token), while technically not part of JOSE, is often used as input material to JWS and JWE processors, especially in OAuth2 flows (for example, OAuth2 access tokens can be represented internally as JWTs, and OpenIdConnect IdToken and UserInfo are effectively JWTs). JWT describes how a set of claims in JSON format can be either JWS-signed or JWE-encrypted.

...

The algorithms are split into 3 categories: signature algorithms (HMAC, RSA, Elliptic Curve), algorithms for supporting the encryption of content encryption keys (RSA-OAEP, AES Key Wrap, etc.), and algorithms for encrypting the actual content (AES GCM, etc.).

All JWS and JWE algorithms process both the meta-data (the algorithm properties) and the actual data, thus also ensuring the algorithm properties are integrity-protected. Additionally, JWE algorithms produce authentication tags which protect the already encrypted content against manipulation.

Please refer to the specification (with the follow-up links to the corresponding RFC where applicable) to get all the information needed about a particular signature or encryption algorithm: the properties, recommended key sizes, and other security considerations related to all or some specific algorithms. CXF JOSE code already enforces a number of the recommended constraints.

CXF offers utility support for working with JWA algorithms in this package.

Typically one would supply an algorithm property in a type-safe way to either a JWS or a JWE processor, for example, SignatureAlgorithm.HS256 (HMAC signature) for JWS, or KeyAlgorithm.A256KW (key encryption wrap) plus ContentAlgorithm.A256GCM for JWE.
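The point made above that the algorithm properties are integrity-protected can be seen in a minimal JWS HS256 producer and consumer. The following is an added example written for this page on the Python standard library; it is not CXF code and does not use the CXF API. It uses the symmetric "oct" JWK shown in the JWK section of this page (the RFC 7515 example key), and the claims and the helper names are constructed for the example.

```python
"""Added example (not CXF code): a minimal JWS compact HS256 producer/consumer
on the Python standard library, showing that the protected header is part of
the signed input, so a change to the algorithm properties is detected."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample: the "oct" JWK from this page (the RFC 7515 example key).
HMAC_JWK = {
    "kty": "oct",
    "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
    "kid": "Secret HMAC key",
}


def _compact_json(obj: dict) -> bytes:
    """JSON without whitespace, the usual form for JOSE headers and JWT claims."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def jws_sign_hs256(claims: dict, jwk: dict) -> str:
    """Produce a JWS compact serialization: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    # The protected header and the payload together form the signing input,
    # which is what makes the algorithm properties integrity-protected.
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(claims))
    tag = hmac.new(b64url_decode(jwk["k"]), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def jws_verify_hs256(token: str, jwk: dict) -> Optional[dict]:
    """Return the claims if the token verifies under HS256 with this key, else None.

    The expected algorithm is fixed by the caller (the type-safe property the
    text describes) rather than trusted from the header, so a header naming a
    different algorithm is rejected before the key is used at all."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided_tag = b64url_decode(sig_b64)
    except ValueError:  # covers malformed base64url and malformed JSON
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_tag = hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, provided_tag):
        return None
    return json.loads(b64url_decode(payload_b64))


def with_modified_header(token: str, **changes) -> str:
    """Demo helper: re-encode the header with some members changed, keeping the
    payload and signature, to show that verification then fails."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    header.update(changes)
    return b64url_encode(_compact_json(header)) + "." + payload_b64 + "." + sig_b64


if __name__ == "__main__":
    token = jws_sign_hs256({"sub": "alice", "iss": "https://issuer.example"}, HMAC_JWK)
    print("valid token   ->", jws_verify_hs256(token, HMAC_JWK))
    print("alg changed   ->", jws_verify_hs256(with_modified_header(token, alg="HS512"), HMAC_JWK))
    print("kid changed   ->", jws_verify_hs256(with_modified_header(token, kid="other"), HMAC_JWK))
```

Changing any header member after signing, whether `alg` or just `kid`, changes the signing input and the HMAC no longer matches; the `alg` check before the HMAC is a separate, cheaper rejection that does not depend on the signature at all.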

JWK Keys

JSON Web Key (JWK) is a JSON document describing the cryptographic key properties. JWKs are very flexible and light-weight (in most cases) and one can expect JWKs to become one of the major mechanisms for representing and storing cryptographic keys. One does not have to use a JWK in order to sign or encrypt a document, since working directly with Java JCA secret and asymmetric key representations is sufficient, but JWK is a first class citizen in JOSE, with all of the JOSE examples using JWK representations, and it is the preferred representation of JWS/JWE keys.

For example:

Jwk Signature Key:
{
   "kty":"oct",
   "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
   "kid":"Secret HMAC key"
}

or

Public Jwk Key:
{
  "kty":"RSA",
  "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
  "e":"AQAB",
  "alg":"RS256",
  "kid":"Public RSA Key"
}

A collection of JWK keys is called a JWK Key Set.

CXF offers utility support for reading and writing JWK keys and key sets, and for working with encrypted inlined and standalone JWK stores, in this package. For example, here is how an encrypted inlined JWK key is stored. Similarly, here is how a collection of keys is inlined. In other cases users can refer to a file containing the set of keys.
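To make the JWK and JWK Set format concrete, here is an added example, written for this page on the Python standard library and not taken from CXF, that reads a JWK Set, indexes the keys by "kid" (falling back to the RFC 7638 thumbprint when a key has no "kid"), checks that each key carries the members its "kty" requires, and applies the key-size constraints RFC 7518 recommends before a key is paired with an algorithm. The key set is constructed from the two keys shown on this page (the RFC 7515 and RFC 7517 example keys); the function names and the REQUIRED table are the example's own.

```python
"""Added example (not CXF code): reading a JWK Set with the Python standard
library, validating keys per type, checking RFC 7518 size recommendations and
computing RFC 7638 thumbprints."""
import base64
import hashlib
import json


def b64url_decode(text: str) -> bytes:
    """Base64url to bytes; restores the padding base64 expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    """Bytes to base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample JWK Set holding the two keys shown on this page.
JWK_SET_JSON = json.dumps({"keys": [
    {"kty": "oct",
     "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
     "kid": "Secret HMAC key"},
    {"kty": "RSA",
     "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx"
          "4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs"
          "tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2"
          "QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI"
          "SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb"
          "w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
     "e": "AQAB", "alg": "RS256", "kid": "Public RSA Key"},
]})

# Members that identify a key of each type. They are the members RFC 7638
# section 3.2 feeds into the thumbprint, and a key lacking one is incomplete.
REQUIRED = {"oct": ("k", "kty"), "RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialized
    with no whitespace and members in lexicographic order."""
    canonical = json.dumps({m: jwk[m] for m in REQUIRED[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def load_jwk_set(text: str) -> dict:
    """Parse a JWK Set and index its keys by kid (thumbprint if kid is absent).
    Keys of an unsupported type or with missing members are rejected outright
    rather than silently skipped."""
    keys = {}
    for jwk in json.loads(text)["keys"]:
        kty = jwk.get("kty")
        missing = [m for m in REQUIRED.get(kty, ()) if m not in jwk]
        if kty not in REQUIRED or missing:
            raise ValueError(f"unsupported or incomplete JWK: kty={kty} missing={missing}")
        keys[jwk.get("kid") or thumbprint(jwk)] = jwk
    return keys


def key_bits(jwk: dict) -> int:
    """Key size in bits: secret length for 'oct', modulus length for 'RSA'."""
    if jwk["kty"] == "oct":
        return len(b64url_decode(jwk["k"])) * 8
    if jwk["kty"] == "RSA":
        return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
    raise ValueError(f"key size check not implemented for kty={jwk['kty']}")


def check_key_for_alg(jwk: dict, alg: str) -> bool:
    """RFC 7518 recommendations: an HS* key must be at least the hash output
    size, and an RS*/PS* modulus must be at least 2048 bits. A key whose type
    does not match the algorithm family is never acceptable."""
    bits = key_bits(jwk)
    if jwk["kty"] == "oct" and alg in ("HS256", "HS384", "HS512"):
        return bits >= {"HS256": 256, "HS384": 384, "HS512": 512}[alg]
    if jwk["kty"] == "RSA" and alg.startswith(("RS", "PS")):
        return bits >= 2048
    return False


if __name__ == "__main__":
    for kid, jwk in load_jwk_set(JWK_SET_JSON).items():
        print(f"{kid}: kty={jwk['kty']} bits={key_bits(jwk)} thumbprint={thumbprint(jwk)}")
```

The RSA key on this page is the same modulus and exponent that RFC 7638 uses in its own worked example, so the thumbprint printed for "Public RSA Key" can be compared with the value given in that RFC; because the thumbprint ignores optional members such as "kid" and "alg", it stays stable when those are edited, which is what makes it usable as a key identifier.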

Support for pluggable strategies for loading JWKs is planned.

...