JWS, JWE, JWA & JWK
JWS (JSON Web Signature)
A JSON Web Token that is signed with a digital signature uses the JSON Web Signature (JWS) specification. A JWS consists of three components: a header, a payload and the digital signature. These three sections are base64url encoded and separated by periods:

```text
BASE64URLENCODE(header) + "." + BASE64URLENCODE(payload) + "." + BASE64URLENCODE(signature)
```

Note: JWT assumes base64url encoding and decoding, which differs slightly from regular base64 encoding (a different alphabet and no padding). Refer to RFC 4648 for the specifics of base64 versus base64url (URL-safe) encoding.
JWE (JSON Web Encryption)
Using the JSON Web Encryption (JWE) specification, a JWT can be encrypted. This provides additional confidentiality for the token contents, on top of the protection the token already receives in transit from transport layer security.
JWA (JSON Web Algorithm)
The JWA specification defines a standard list of algorithms the parties can use for signing or encryption. Examples of JWA signing algorithms are:

| "alg" Value | Signature Method | Signing Key |
|---|---|---|
| none | No digital signature | N/A |
| HS256 | HMAC w/ SHA-256 hash | Uses the client secret of the OAuth2 client |
| HS384 | HMAC w/ SHA-384 hash | Uses the client secret of the OAuth2 client |
| HS512 | HMAC w/ SHA-512 hash | Uses the client secret of the OAuth2 client |
| RS256 | RSA PKCS#1 v1.5 w/ SHA-256 hash | Public key available from the JWKS (see below) |
| RS384 | RSA PKCS#1 v1.5 w/ SHA-384 hash | Public key available from the JWKS (see below) |
| RS512 | RSA PKCS#1 v1.5 w/ SHA-512 hash | Public key available from the JWKS (see below) |
| ES256 | ECDSA w/ P-256 curve and SHA-256 hash | Public key available from the JWKS (see below) |
| ES384 | ECDSA w/ P-384 curve and SHA-384 hash | Public key available from the JWKS (see below) |
| ES512 | ECDSA w/ P-521 curve and SHA-512 hash | Public key available from the JWKS (see below) |

Note: There are security implications in accepting tokens signed with the "none" algorithm. A developer should only accept a JWT using the "none" algorithm if the token is secured by other means and the "none" algorithm is expected.
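The following example, added here and not part of the original page, ties the JWS structure and base64url note above to the "none" note just given. It builds and verifies HMAC-signed tokens with only the Python standard library. The shared secret is a constructed value, the allowed-algorithm set is pinned on the verifier side rather than taken from the token header, and `unsigned_token()` exists only so the rejection of an `alg: none` token can be shown.

```python
import base64
import hashlib
import hmac
import json

# Shared secret constructed for this example (for an OAuth2 client this would be the client secret).
SECRET = b"example-client-secret-not-for-real-use"

# The only "alg" values this verifier accepts. "none" is deliberately absent, and so are the
# asymmetric algorithms, because the key handed to verify_jws() is an HMAC secret.
ALLOWED_ALGS = {"HS256", "HS384", "HS512"}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url_encode(data: bytes) -> str:
    """base64url (RFC 4648 section 5): '-' and '_' instead of '+' and '/', and no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reject anything outside the base64url alphabet, restore the padding JWS strips, then decode."""
    if not set(text) <= B64URL_ALPHABET:
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compare_encodings(data: bytes) -> tuple:
    """Standard base64 next to base64url for the same bytes, showing the alphabet and padding differences."""
    return base64.b64encode(data).decode("ascii"), b64url_encode(data)


def sign_jws(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature; the MAC is computed over the two encoded segments."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), HASHES[alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_jws(token: str, secret: bytes) -> dict:
    """Return the payload of a validly signed token; raise ValueError for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS has exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    # Pin the algorithm before touching the signature: the header is untrusted input.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} is not accepted")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), HASHES[alg]).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def unsigned_token(payload: dict) -> str:
    """A token with alg "none" and an empty signature segment, built only to show it is rejected."""
    header = b64url_encode(b'{"alg":"none"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return header + "." + body + "."


def is_rejected(token: str, secret: bytes) -> bool:
    """True when verify_jws() refuses the token."""
    try:
        verify_jws(token, secret)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(compare_encodings(b"\xfb\xff"))          # ('+/8=', '-_8')
    token = sign_jws({"sub": "alice"}, SECRET)
    print(token)
    print(verify_jws(token, SECRET))
    head, _, sig = token.split(".")
    tampered = head + "." + b64url_encode(b'{"sub":"mallory"}') + "." + sig
    print("tampered rejected:", is_rejected(tampered, SECRET))
    print("alg none rejected:", is_rejected(unsigned_token({"sub": "alice"}), SECRET))
```

Because the allowed set is fixed in the verifier, a header claiming `RS256` is refused as well, so the HMAC secret can never be mistaken for an RSA public key; the check on the `alg` value happens before any signature bytes are examined.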
JWK (JSON Web Key)
The JSON Web Key (JWK) specification defines how asymmetric keys are represented in JSON format and introduces the JSON Web Key Set (JWKS), a collection of keys that gives a provider a way to publish its signing and encryption keys.
In the following JSON Web Key Set (an OpenID Connect 1.0 JWKS), two keys are defined, an ECDSA key and an RSA key:
```json
{
  "keys": [
    {
      "kty": "EC",
      "kid": "i0wng",
      "use": "sig",
      "x": "AXYMGFO6K_R2E3RH42_5YTeGYgYTagLM-v3iaiNlPKFFvTh17CKQL_OKH5pEkj5U8mbel-0R1YrNuraRXtBztcVO",
      "y": "AaYuq27czYSrbFQUMo3jVK2hrW8KZ75KyE8dyYS-HOB9vUC4nMvoPGbu2hE_yBTLZLpuUvTOSSv150FLaBPhPLA2",
      "crv": "P-521"
    },
    ...
    {
      "kty": "RSA",
      "kid": "i0wnn",
      "use": "sig",
      "n": "mdrLAp5GR8o5d5qbwWTYqNGuSXHTIE6w9HxV445oMACOWRuwlOGVZeKJQXHM9cs5Dm7iUfNVk4pJBttUxzcnhVCRf9tr20LJB7xAAqnFtzD7jBHARWbgJYR0p0JYVOA5jVzT9Sc-j4Gs5m8b-am2hKF93kA4fM8oeg18V_xeZf11WWcxnW5YZwX9kjGBwbK-1tkapIar8K1WrsAsDDZLS_y7Qp0S83fAPgubFGYdST71s-B4bvsjCgl30a2W-je9J6jg2bYxZeJf982dzHFqVQF7KdF4n5UGFAvNMRZ3xVoV4JzHDg4xe_KJE-gOn-_wlao6R8xWcedZjTmDhqqvUw",
      "e": "AQAB"
    },
    ...
  ]
}
```
Note: For the RSA key, the "n" component is the modulus and the "e" component is the public exponent. Both are base64url-encoded values.
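As an added example (not code from the page or from the provider that published this JWKS), the script below selects a key from the key set above by `kid`, decodes the RSA `n` and `e` values into integers, and decodes the ECDSA coordinates, applying the sanity checks a consumer of a JWKS would want before trusting a key. The JWK values are the ones shown on this page, with the RSA modulus joined back into a single string; per RFC 7518, `n` and `e` are base64url encodings of the big-endian unsigned integer and EC coordinates are fixed-width for their curve. The minimum RSA size and the per-curve coordinate lengths are the author's own policy values, not something the page states.

```python
import base64

# The JWKS shown on this page (kid "i0wng" is an ECDSA P-521 key, kid "i0wnn" an RSA key), with
# the RSA modulus "n" joined into one string. The "..." entries of the original are omitted.
JWKS = {
    "keys": [
        {
            "kty": "EC",
            "kid": "i0wng",
            "use": "sig",
            "x": "AXYMGFO6K_R2E3RH42_5YTeGYgYTagLM-v3iaiNlPKFFvTh17CKQL_OKH5pEkj5U8mbel-0R1YrNuraRXtBztcVO",
            "y": "AaYuq27czYSrbFQUMo3jVK2hrW8KZ75KyE8dyYS-HOB9vUC4nMvoPGbu2hE_yBTLZLpuUvTOSSv150FLaBPhPLA2",
            "crv": "P-521",
        },
        {
            "kty": "RSA",
            "kid": "i0wnn",
            "use": "sig",
            "n": "mdrLAp5GR8o5d5qbwWTYqNGuSXHTIE6w9HxV445oMACOWRuwlOGVZeKJQXHM9cs5Dm7iUfNVk4pJBttUxzcnhVCRf"
                 "9tr20LJB7xAAqnFtzD7jBHARWbgJYR0p0JYVOA5jVzT9Sc-j4Gs5m8b-am2hKF93kA4fM8oeg18V_xeZf11WWcxnW5YZwX"
                 "9kjGBwbK-1tkapIar8K1WrsAsDDZLS_y7Qp0S83fAPgubFGYdST71s-B4bvsjCgl30a2W-je9J6jg2bYxZeJf982dzHFqV"
                 "QF7KdF4n5UGFAvNMRZ3xVoV4JzHDg4xe_KJE-gOn-_wlao6R8xWcedZjTmDhqqvUw",
            "e": "AQAB",
        },
    ]
}

# Byte length of each coordinate for the curves JWA names (ceil(521 / 8) == 66 for P-521).
COORDINATE_BYTES = {"P-256": 32, "P-384": 48, "P-521": 66}
MIN_RSA_BITS = 2048   # local policy choice for this example


def b64url_decode(text: str) -> bytes:
    """Restore the '=' padding that JWK values omit, then decode with the URL-safe alphabet."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_to_int(text: str) -> int:
    """RSA "n" and "e" are base64url of the big-endian unsigned integer (RFC 7518 Base64urlUInt)."""
    return int.from_bytes(b64url_decode(text), "big")


def select_key(jwks: dict, kid: str, use: str = "sig") -> dict:
    """Pick exactly one key by kid whose declared use matches; a missing or ambiguous kid is an error."""
    matches = [k for k in jwks["keys"] if k.get("kid") == kid and k.get("use", use) == use]
    if len(matches) != 1:
        raise KeyError(f"expected one {use} key with kid {kid!r}, found {len(matches)}")
    return matches[0]


def rsa_public_numbers(jwk: dict) -> tuple:
    """Return (n, e) as integers after checking the key type, modulus size and exponent shape."""
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA key")
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    if n.bit_length() < MIN_RSA_BITS:
        raise ValueError(f"RSA modulus is only {n.bit_length()} bits")
    if e < 3 or e % 2 == 0:
        raise ValueError("RSA public exponent must be an odd integer >= 3")
    return n, e


def ec_public_point(jwk: dict) -> tuple:
    """Return (x, y) as integers, requiring both coordinates to be the curve's fixed width."""
    if jwk.get("kty") != "EC":
        raise ValueError("not an EC key")
    size = COORDINATE_BYTES[jwk["crv"]]   # KeyError for a curve this consumer does not support
    x, y = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(x) != size or len(y) != size:
        raise ValueError(f"{jwk['crv']} coordinates must be {size} bytes each")
    return int.from_bytes(x, "big"), int.from_bytes(y, "big")


if __name__ == "__main__":
    n, e = rsa_public_numbers(select_key(JWKS, "i0wnn"))
    print(f"RSA kid=i0wnn: {n.bit_length()}-bit modulus, e={e}")
    x, y = ec_public_point(select_key(JWKS, "i0wng"))
    print(f"EC kid=i0wng: P-521 point, x has {x.bit_length()} bits, y has {y.bit_length()} bits")
```

Selecting strictly by `kid` and `use` means a token whose header names a `kid` that is absent from the published set fails closed rather than falling back to "any key"; the decoded `e` for the page's RSA key is 65537 (`AQAB`), and the modulus decodes to 2048 bits.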