...

JOSE is a set of high quality specifications that specify how data payloads can be signed/validated and/or encrypted/decrypted with the cryptographic properties set in the JSON-formatted metadata (headers). The data to be secured can be in JSON or some other format (plain text, XML, binary data).

...

Additionally, JWT (JSON Web Token), while technically not part of JOSE, is often used as input material to JWS and JWE processors, especially in OAuth2 flows (for example, OAuth2 access tokens can be represented internally as JWTs, and the OpenIdConnect IdToken and UserInfo are effectively JWTs). JWT describes how a set of claims in JSON format can be JWS-signed and/or JWE-encrypted.

JWA Algorithms

All JOSE signature and encryption algorithms are grouped and described in the JWA (JSON Web Algorithms) specification.

The algorithms are split into 3 categories: signature algorithms (HMAC, RSA, Elliptic Curve), algorithms for supporting the encryption of content encryption keys (RSA-OAEP, AES Key Wrap, etc), and algorithms for encrypting the actual content (AES GCM, etc).

The specification lists all the algorithms that can be used either for signing or for encrypting, and also describes how some of these algorithms work in cases where JCA (or BouncyCastle) does not support them directly, for example AES-CBC-HMAC-SHA2.
An algorithm name is a type plus a hint, for example HS256 (HMAC with SHA-256) or RSA-OAEP-256 (RSA OAEP key encryption with SHA-256).

All JWS and JWE algorithms process the meta-data (the algorithm properties) as well as the actual data, thus ensuring the algorithm properties are integrity-protected; additionally, JWE algorithms produce authentication tags which ensure the already encrypted content cannot be manipulated without detection.

...

CXF offers utility support for working with JWA algorithms in this package.

Typically one would supply an algorithm property in a type-safe way to either a JWS or a JWE processor, for example SignatureAlgorithm.HS256 (HMAC signature) for JWS, or KeyAlgorithm.A256KW (key encryption wrap) plus ContentAlgorithm.A256GCM for JWE. Each enum has methods for checking the key size and for obtaining the JWA and Java JCA algorithm names.

JWK Keys

JWK (JSON Web Key) is a JSON document describing the cryptographic key properties. JWKs are very flexible and one can expect JWKs to become one of the major mechanisms for representing and storing cryptographic keys. While one does not have to represent the keys as JWK in order to sign or encrypt a document, and can rely on Java JCA secret and asymmetric key representations instead, JWK is the preferred representation of signature or encryption keys in JOSE.

For example:

Jwk Signature Secret HMAC Key:
{
   "kty":"oct",
   "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
   "kid":"Secret HMAC key"
}

...

A collection of JWK keys is called a JWK Key Set, which is represented as a JSON array of JWKs.

CXF offers utility support for reading and writing JWK keys and key sets, and for working with encrypted inlined and standalone JWK stores, in this package.

For example, a key set containing public JWK keys can be seen here and referred to from the configuration properties. The private (test) key set can be represented in clear form, though most likely you'd want a private key set encrypted and referred to like this.

One can inline the encrypted key or the key set directly in the configuration properties. For example, here is how an encrypted single JWK key is inlined. Similarly, here is how a collection of keys is inlined. In other cases users can refer to a file containing the set of keys.

CXF assumes that the JWK keys have been encrypted if a password provider is available in scope; it is typically registered with JAX-RS endpoints. The encryption is done with a password-based PBES2 algorithm.

Support for pluggable strategies for loading JWKs is planned.

JWS Signature

The JWS (JSON Web Signature) specification describes how document content can be signed. For example, Appendix A1 shows how content can be signed with a MAC key.
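As an added example, not CXF's own code, here is the Appendix A1 HMAC signature worked through in plain Python with only the standard library: the page's "oct" JWK is decoded, the JWS compact serialization is produced and verified, and, as the JWA section notes, the header is covered by the MAC, so altering the algorithm metadata or the payload is detected. The header and payload byte strings, whitespace included, are the RFC 7515 Appendix A.1 inputs; the function names are my own.

```python
import base64
import hashlib
import hmac
import json

# The "Secret HMAC key" JWK from this page (it is also the RFC 7515 Appendix A.1 key).
JWK_HMAC = {
    "kty": "oct",
    "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
    "kid": "Secret HMAC key",
}

def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def octet_key(jwk: dict) -> bytes:
    """Raw secret of an 'oct' JWK: 'k' holds the base64url-encoded key bytes."""
    if jwk.get("kty") != "oct":
        raise ValueError("HS256 needs a symmetric ('oct') JWK")
    return b64url_decode(jwk["k"])

def jws_hs256_sign(header_json: bytes, payload: bytes, jwk: dict) -> str:
    """JWS compact serialization: the MAC covers base64url(header).base64url(payload)."""
    signing_input = b64url_encode(header_json) + "." + b64url_encode(payload)
    mac = hmac.new(octet_key(jwk), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def jws_hs256_verify(compact: str, jwk: dict) -> bool:
    """Recompute the MAC over the received header and payload; any change to either fails."""
    try:
        enc_header, enc_payload, enc_sig = compact.split(".")
        header = json.loads(b64url_decode(enc_header))
        given = b64url_decode(enc_sig)
        signing_input = (enc_header + "." + enc_payload).encode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    # Pin the expected algorithm rather than letting the (untrusted) header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(octet_key(jwk), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)

def rfc7515_a1_example() -> str:
    """RFC 7515 Appendix A.1 inputs, CRLF and space included, so the output matches the RFC."""
    header = b'{"typ":"JWT",\r\n "alg":"HS256"}'
    payload = b'{"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}'
    return jws_hs256_sign(header, payload, JWK_HMAC)
```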

...

CXF ships JWS related classes in this package and offers support for all JWA signature algorithms.

...

Many more examples will be added here.

JWE Encryption

The JWE (JSON Web Encryption) specification describes how document content and, when applicable, a content encryption key can be encrypted. For example, Appendix A1 shows how content can be encrypted.

...

CXF ships JWE related classes in this package and offers support for all JWA encryption algorithms.

...

Many more examples will be added here.

JSON Web Token

JWT (JSON Web Token) is a collection of claims in JSON format. It offers a standard JSON container for representing various properties or claims.

JWT can be signed and/or encrypted, i.e. serve as JOSE signature or encryption input like any other data structure.

JWT has been primarily used in OAuth2 applications to represent self-contained access tokens but can also be used in other contexts.

CXF offers initial JWT support in this package.

JOSE JAX-RS Filters

JWE

JWS

Linking JWT authentications to JWS or JWE content

...


Add more...

...

Configuration

Configuration that applies to both encryption and signature

...

rs.security.enable.unsigned-jwt.principal

Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false.

Encrypting JWK stores

JAX-RS filters can read the keys from encrypted JWK stores. The stores can be encrypted inline or in separate storage (files). By default the filters expect that the stores have been encrypted using a password-based PBES2 algorithm. The filters will check a registered password provider.

OAuth2 and Jose

The CXF OAuth2 module depends on its JOSE module. This will be used to support OAuth2 POP tokens. Authorization code JOSE requests can already be processed. Utility support for validating JWT-based access tokens is provided.

...