Overview[1]#

Javascript Object Signing and Encryption (JOSE) is a framework intended to provide a method to securely transfer claims (such as authorization information) between parties.

Javascript Object Signing and Encryption is also referred to as JSON Object Signing and Encryption but the IETF Working Group was Javascript Object Signing and Encryption

The Javascript Object Signing and Encryption framework provides a collection of specifications to serve this purpose. A JSON Web Token (JWT) contains claims that can be used to allow a system to apply access control to resources it owns. One potential use case of the JWT is as the means of authentication and authorization for a system that exposes resources through an OAuth 2.0 model.

JSON Web Token Claims are a set of key/value pairs that provide a target system with sufficient information about the given client to apply the appropriate level of access control to resources under its ownership. Claim names are split into three classes:

  • Registered (IANA)
  • Public
  • Private.
Further details about claims can be found in section 4 of the JWT specification.

JWTs can be represented as either JSON Web Signature (JWS) or a JSON Web Encryption (JWE) objects. Claims within a JWS can be read as they are simply base64-encoded (but carry with them a signature for authentication). Claims in a JWE on the other hand, are encrypted and as such, are entirely opaque to clients using them as their means of authentication and authorization.

Javascript Object Signing and Encryption or JSON Object Signing and Encryption#

The standard provides a general approach to signing and encryption of any content, not necessarily in JSON. However, it is deliberately built on JSON and base64url to be easily usable in web applications. Also, while being used in OpenID Connect, Javascript Object Signing and Encryption can be used as a building block in other protocols.

Javascript Object Signing and Encryption is still an evolving standard consists of several RFCs:

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-9) was last changed on 11-Jul-2017 09:52 by jim