JOSE

From MgmtWiki
Jump to: navigation, search

Full Title

Javascript Object Signing and Encryption (jose)

Context

In OAuth 2.0 and other specs from the Open ID Foundation, there was a need for a small packed of identity information that could be coded and include in a HTTP header.

Problems

  • The existing specs at the time the JWT was created were XML and SAML which were very wording and not amenable to coding in an HTTP header.

Solutions

  • RFC 7165 Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
  • The IETF Working Group on Javascript Object Signing and Encryption (jose) issued a final report.
    JavaScript Object Notation (JSON) is a text format for the serialization of structured data described in RFC 4627. The JSON format is often used for serializing and transmitting structured data over a network connection. With the increased usage of JSON in protocols in the IETF and elsewhere, there is now a desire to offer security services, which use encryption, digital signatures, message authentication codes (MACs) algorithms, that carry their data in JSON format.
  • Justin Richer has some suggestions.[1]

References

  1. Justin Richer, Moving On from OAuth 2: A Proposal. https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade

Other reference material

  1. Nimbus JOSE + JWT v6.0 is an open source java library
  2. JWE - Json Web Encription
  3. JWT: The Complete Guide to JSON Web Tokens from the folks that brought you angular.
  4. RFC 6749 The OAuth 2.0 Authorization Framework specification
  5. RFC 8252 OAuth 2.0 for Native Apps Specification