Difference between revisions of "JOSE"

From MgmtWiki
Jump to: navigation, search
(Full Title)
(Solutions)
Line 9: Line 9:
  
 
==Solutions==
 
==Solutions==
*The RFC definition of the [https://tools.ietf.org/html/rfc7519 JSON Web Token (JWT)]. The abstract from the spec <blockquote>  JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.  The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</blockquote>
+
*The IETF Working Group on Javascript Object Signing and Encryption (jose) issued a [https://datatracker.ietf.org/wg/jose/about/ final report].
 
*Justin Richer has some suggestions.<ref>Justin Richer, ''Moving On from OAuth 2: A Proposal.'' https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade</ref>
 
*Justin Richer has some suggestions.<ref>Justin Richer, ''Moving On from OAuth 2: A Proposal.'' https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade</ref>
  

Revision as of 10:47, 22 October 2019

Full Title

Javascript Object Signing and Encryption (jose)

Context

In OAuth 2.0 and other specs from the Open ID Foundation, there was a need for a small packed of identity information that could be coded and include in a HTTP header.

Problems

  • The existing specs at the time the JWT was created were XML and SAML which were very wording and not amenable to coding in an HTTP header.

Solutions

  • The IETF Working Group on Javascript Object Signing and Encryption (jose) issued a final report.
  • Justin Richer has some suggestions.[1]

References

  1. Justin Richer, Moving On from OAuth 2: A Proposal. https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade

Other reference material

  1. Nimbus JOSE + JWT v6.0 is an open source java library
  2. JWE - Json Web Encription
  3. JWT: The Complete Guide to JSON Web Tokens from the folks that brought you angular.
  4. RFC 6749 The OAuth 2.0 Authorization Framework specification
  5. RFC 8252 OAuth 2.0 for Native Apps Specification