Difference between revisions of "JOSE"

From MgmtWiki
Jump to: navigation, search
(Created page with "==Full Title== JSON Web Token (JWT) -- ==Context== In OAuth 2.0 and other specs from the Open ID Foundation, there was a need for a small packed of identity information...")
 
(Solutions)
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Full Title==
 
==Full Title==
JSON Web Token (JWT) -- 
+
Javascript Object Signing and Encryption (jose)
  
 
==Context==
 
==Context==
Line 9: Line 9:
  
 
==Solutions==
 
==Solutions==
*The RFC definition of the [https://tools.ietf.org/html/rfc7519 JSON Web Token (JWT)]. The abstract from the spec <blockquote>   JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</blockquote>
+
* RFC 7165 Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
 +
*The IETF Working Group on Javascript Object Signing and Encryption (jose) issued a [https://datatracker.ietf.org/wg/jose/about/ final report].<blockquote>JavaScript Object Notation (JSON) is a text format for the serialization of structured data described in RFC 4627. The JSON format is often used for serializing and transmitting structured data over a network connection. With the increased usage of JSON in protocols in the IETF and elsewhere, there is now a desire to offer security services, which use encryption, digital signatures, message authentication codes (MACs) algorithms, that carry their data in JSON format.</blockquote>
 
*Justin Richer has some suggestions.<ref>Justin Richer, ''Moving On from OAuth 2: A Proposal.'' https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade</ref>
 
*Justin Richer has some suggestions.<ref>Justin Richer, ''Moving On from OAuth 2: A Proposal.'' https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade</ref>
  
Line 15: Line 16:
 
<references />
 
<references />
 
===Other reference material===
 
===Other reference material===
#
+
# [https://static.javadoc.io/com.nimbusds/nimbus-jose-jwt/6.0/overview-summary.html#overview.description Nimbus JOSE + JWT v6.0] is an open source java library
 +
# [https://tools.ietf.org/html/rfc7516 JWE - Json Web Encription]
 
# [https://blog.angular-university.io/angular-jwt/ JWT: The Complete Guide to JSON Web Tokens] from the folks that brought you angular.
 
# [https://blog.angular-university.io/angular-jwt/ JWT: The Complete Guide to JSON Web Tokens] from the folks that brought you angular.
 
# RFC 6749 The OAuth 2.0 Authorization Framework specification
 
# RFC 6749 The OAuth 2.0 Authorization Framework specification

Latest revision as of 12:16, 22 October 2019

Full Title

Javascript Object Signing and Encryption (jose)

Context

In OAuth 2.0 and other specs from the Open ID Foundation, there was a need for a small packed of identity information that could be coded and include in a HTTP header.

Problems

  • The existing specs at the time the JWT was created were XML and SAML which were very wording and not amenable to coding in an HTTP header.

Solutions

  • RFC 7165 Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
  • The IETF Working Group on Javascript Object Signing and Encryption (jose) issued a final report.
    JavaScript Object Notation (JSON) is a text format for the serialization of structured data described in RFC 4627. The JSON format is often used for serializing and transmitting structured data over a network connection. With the increased usage of JSON in protocols in the IETF and elsewhere, there is now a desire to offer security services, which use encryption, digital signatures, message authentication codes (MACs) algorithms, that carry their data in JSON format.
  • Justin Richer has some suggestions.[1]

References

  1. Justin Richer, Moving On from OAuth 2: A Proposal. https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade

Other reference material

  1. Nimbus JOSE + JWT v6.0 is an open source java library
  2. JWE - Json Web Encription
  3. JWT: The Complete Guide to JSON Web Tokens from the folks that brought you angular.
  4. RFC 6749 The OAuth 2.0 Authorization Framework specification
  5. RFC 8252 OAuth 2.0 for Native Apps Specification