{"componentChunkName":"component---src-templates-tag-js","path":"/tags/json/","result":{"data":{"site":{"siteMetadata":{"title":"LoginRadius Blog"}},"allMarkdownRemark":{"totalCount":1,"edges":[{"node":{"fields":{"slug":"/engineering/guest-post/what-are-jwt-jws-jwe-jwk-jwa/"},"html":"

JSON (JavaScript Object Notation) is a text-based, language-independent format that is easily understandable by humans and machines.

\n

JOSE (Javascript Object Signing and Encryption) is a framework used to facilitate the secure transfer of claims between any two parties. Its specifications provide a general approach to encryption of any content, not necessarily in JSON. However, it is built on JSON for easy use in web applications. Let's explore some of these specifications.

\n

JWT — JSON Web Token

\n

JWT is a standard mechanism used for authentication. It is compact and URL-safe to represent the claims to be transferred between two parties. Claims are a set of key/value pairs that provide a target system with information about a client to apply an appropriate level of access control to its resources. Claim names could be Registered (IANA), Public, or Private. Some registered claim names are:

\n\n

Structure

\n

JWT is mainly composed of three parts: header, payload, and signature that are Base64 URL-encoded.

\n\n
[header].[payload].[signature]
\n

Here's a simple JWT example.

\n

JSON Web Token:

\n

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MTIzNDU2Nzg5LCJuYW1lIjoiSm9zZXBoIn0.OpOSSw7e485LOP5PrzScxHb7SR6sAOMRckfFwi4rp7o

\n
header:\n{\n  "alg" : "HS256",                      Header\n                            --------------------------------->  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\n  "typ" : "JWT"\n}\n\nPayload:\n{\n  "id" : 123456789,                     Payload\n                            --------------------------------->  eyJpZCI6MTIzNDU2Nzg5LCJuYW1lIjoiSm9zZXBoIn0\n  "name" : "Joseph"\n}\n                                                Signature\nOpOSSw7e485LOP5PrzScxHb7SR6sAOMRckfFwi4rp7o  ---------------->  OpOSSw7e485LOP5PrzScxHb7SR6sAOMRckfFwi4rp7o
\n

This shows the decoded JSON Web Token. In the deserialized form, JWT contains only the header and the payload as plain JSON objects.

\n

JWS — JSON Web Signature

\n

JWS is used to represent content secured with digital signatures or Hash-based Message Authentication Codes (HMACs) with the help of JSON data structures. It cryptographically secures a JWS Header and JWS Payload with a JWS Signature. The encoded strings of these three are concatenated using dots similar to JWT. The identifiers and algorithms used are specified in the JSON Web Algorithms specification.

\n

The JWS Header MUST contain an alg parameter, as it uses the algorithm to encode the JWS Header and the JWS Payload to produce the JWS Signature. Some of the commonly used algorithms to sign the JWS Header and Payload are:

\n\n

JWS example:

\n
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 ----------------> JWS Header\n\neyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ --------------> JWS Payload
\n

It has an Encoded JWS Header followed by an Encoded JWS Payload separated by a '.'. This is the JWS Signing input which, on signing with the HMAC SHA-256 algorithm and base64url encoding, gives the Encoded JWS Signature value:

\n
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
\n

On concatenation:

\n
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
\n

Learn more about JWS here

\n

JWE — JSON Web Encryption

\n

JSON Web Encryption enables encrypting a token so that only the intended recipient can read it. It standardizes the way to represent the encoded data in a JSON data structure. Representation of the encrypted payload may be by JWE compact serialization or JWE JSON serialization.

\n

Structure

\n

The JWE compact serialization form has five main components:

\n
    \n
  1. JOSE header
    2. \n
  2. JWE Encrypted Key
    3. \n
  3. JWE initialization vector
    4. \n
  4. JWE Ciphertext
    5. \n
  5. JWE Authentication Tag
    6. \n
\n

All these components are base64url-encoded and are concatenated using dots (.).

\n\n
 "header":\n{\n    "alg" : "RSA-OAEP",                --------------------> For content encryption key\n\n    "enc" : "A256GCM"                  --------------------> For content encryption algorithm\n},\n\n "encrypted_key" : "qtF60gW8O8cXKiYyDsBPX8OL0GQfhOxwGWUmYtHOds7FJWTNoSFnv5E6A_Bgn_2W"\n\n\n"iv" : "HRhA5nn8HLsvYf8F-BzQew",       --------------------> initialization vector\n\n"ciphertext" : "ai5j5Kk43skqPLwR0Cu1ZIyWOTUpLFKCN5cuZzxHdp0eXQjYLGpj8jYvU8yTu9rwZQeN9EY0_81hQHXEzMQgfCsRm0HXjcEwXInywYcVLUls8Yik",\n\n"tag" : "thh69dp0Pz73kycQ"             --------------------> Authentication tag\n}
\n

Learn more about JWE here

\n

JWK — JSON Web Key

\n

JWK is a JSON structure representing a set of public keys as a JSON object using the Elliptic Curve or RSA algorithms. Public key representations can help verify the signature with the corresponding private key.

\n

Structure

\n

JWK consists of a JWK Container Object and an array of JWK Key Objects.

\n\n
{\n"alg":"RSA",\n\n"mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs\ntn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI\nSD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",\n\n"exp":"AQAB",\n\n"kid":"2011-04-29"\n}
\n

It provides a Key ID for matching.

\n

JWA — JSON Web Algorithms

\n

The JWA specification focuses mainly on enumerating the algorithms necessary for JWS, JWK AND JWE. It also describes the operations that are specific to these algorithms and key types.

\n

Algorithms for JWS: These algorithms are used to sign the contents of the JWS Header and the JWS Payload

\n
\n \"JWS\n
Source: ietf-jose-json-web-algorithms
\n
\n

Algorithms for JWE These algorithms encrypt the Content Encryption Key (CEK) and produce the JWE Encrypted Key

\n
\n \"JWE\n
Source: ietf-jose-json-web-algorithms
\n
\n

Algorithms for JWK: JWA specifies a set of algorithm families to be used for the public keys represented by JWK

\n
\n \n
Source: ietf-jose-json-web-algorithms
\n
\n

Learn more about JWA here.

\n

Conclusion

\n

The IETF JSON Object Signing and Encryption (JOSE) working group was chartered to develop a secure object format based on JSON and simplify adding object-based security features to internet applications.

\n

The basic requirements for these object formats are confidentiality and integrity mechanisms encoded in JSON. JWT, JWS, JWE, JWK, and JWA are the JOSE working group items intended to describe these object formats.

\n

The JOSE specifications have many use cases and are sought out for integrity protection, encryption, security tokens, OAuth, web cryptography, etc. Check out this site to know more about JOSE use cases.

\n

Want to learn how to use JWT for authentication in your apps? Check out this informational JWT authentication guide.

\n

References:

\n\n","frontmatter":{"date":"November 24, 2021","updated_date":null,"title":"What are JWT, JWS, JWE, JWK, and JWA?","tags":["JSON","Encryption"],"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/7898fa94ca50b14a5edee22b6dd76018/58556/coverImage.webp","srcSet":"/static/7898fa94ca50b14a5edee22b6dd76018/61e93/coverImage.webp 200w,\n/static/7898fa94ca50b14a5edee22b6dd76018/1f5c5/coverImage.webp 400w,\n/static/7898fa94ca50b14a5edee22b6dd76018/58556/coverImage.webp 800w,\n/static/7898fa94ca50b14a5edee22b6dd76018/99238/coverImage.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Yashesvinee V","github":"Yashesvinee","avatar":null}}}}]}},"pageContext":{"tag":"JSON"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}