6 JSON Object Signing and Encryption (JOSE)
This chapter covers
- What makes up the JSON Object Signing and Encryption (JOSE) standard
- Creating and verifying JSON Web Signature (JWS) objects
- Encrypting and decrypting JSON Web Encryption (JWE) objects
- Avoiding common JWS and JWE security pitfalls
We live in a world where data is exchanged between systems implemented in multiple programming languages by multiple teams working for multiple organizations. Systems interoperate in a well-defined manner using standard networking protocols such as HTTP together with standard data formats: for example, REST with JSON, SOAP with XML, and gRPC with protocol buffers. Standardized data formats for exchanging encrypted and signed data make interoperability significantly easier.
Security protocols such as X.509 digital certificates, OpenID Connect, OAuth2, SAML, and TLS need to exchange encrypted and signed messages, and they rely on standard formats to represent that encrypted and signed content. For example, OpenID Connect uses JSON and SAML uses XML, while X.509 certificates are represented using a standardized binary data format.