6 JSON Object Signing and Encryption (JOSE)

This chapter covers

  • What makes up the JSON Object Signing and Encryption (JOSE) family of standards
  • Creating and verifying JSON Web Signature (JWS) objects
  • Encrypting and decrypting JSON Web Encryption (JWE) objects
  • Avoiding common JWS and JWE security pitfalls

We live in a world where data is exchanged between systems implemented in multiple programming languages by multiple teams working for multiple organizations. These systems interoperate over standard networking protocols such as HTTP, exchanging messages in well-defined, standard data formats: REST with JSON, SOAP with XML, gRPC with protocol buffers. Standardized formats for exchanging encrypted and signed data make that interoperability significantly easier, because each party can verify a signature or decrypt a message without knowing anything about how the other party's implementation is built.

Security protocols and formats such as X.509 digital certificates, OpenID Connect, OAuth2, SAML, and TLS all need to exchange signed and encrypted messages, and each relies on a standard representation for that content. OpenID Connect uses JSON (its ID tokens are signed JOSE objects), SAML uses XML together with XML Signature and XML Encryption, and X.509 certificates are represented in the binary ASN.1 DER encoding.
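
As a concrete preview of the JWS material (section 6.4 and the pitfalls bullet above), the following is an added example and not code from the book: a minimal JWS in compact serialization, as defined in RFC 7515, signed with HMAC-SHA256 (HS256) using only the Python standard library. The key, the refund payload, and the helper names (jws_sign_hs256, jws_verify_hs256, JWSError, ALLOWED_ALGS) are constructed for this example. The verifier demonstrates two of the pitfalls the chapter lists: it checks "alg" against a fixed allowlist before doing anything else, so a token rewritten with "alg": "none" or a substituted algorithm is rejected, and it compares the MAC in constant time.

```python
# Added example (not from the book): a minimal JWS in compact serialization
# (RFC 7515) using only the Python standard library.
# The HMAC key and the refund payload are constructed for this demo.
import base64
import hashlib
import hmac
import json
from typing import Optional


class JWSError(ValueError):
    """Raised for any malformed, unsupported, or unverifiable JWS."""


# Only algorithms this verifier is prepared to accept. Never let the token's
# own "alg" field choose the algorithm; check it against a fixed allowlist.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    # RFC 7515 Appendix C: base64url with the '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped, then decode.
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError
        raise JWSError("invalid base64url segment") from exc


def jws_sign_hs256(payload: dict, key: bytes, kid: Optional[str] = None) -> str:
    """Return BASE64URL(header) '.' BASE64URL(payload) '.' BASE64URL(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid  # lets the verifier select the right key
    # Compact JSON: the bytes that are signed are exactly the bytes transmitted.
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def jws_verify_hs256(token: str, key: bytes) -> dict:
    """Verify a compact JWS and return its payload, or raise JWSError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSError("expected three dot-separated segments")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise JWSError("protected header is not valid JSON") from exc
    # Pitfall 1: "alg": "none" and algorithm substitution. Reject anything
    # outside the allowlist before the signature is even looked at.
    if header.get("alg") not in ALLOWED_ALGS:
        raise JWSError(f"algorithm not allowed: {header.get('alg')!r}")
    # RFC 7515 section 4.1.11: a verifier that does not understand every
    # extension listed in "crit" MUST reject the JWS. This one understands none.
    if "crit" in header:
        raise JWSError("unsupported critical header parameters")
    # Pitfall 2: timing leaks. Recompute the MAC over the received segments
    # (never re-serialized ones) and compare in constant time.
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise JWSError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse-32b"  # constructed, not a real secret
    refund = {"refund_id": "R-1001", "amount_cents": 1999, "currency": "EUR"}
    token = jws_sign_hs256(refund, key, kid="refund-key-1")
    print(token)
    print(jws_verify_hs256(token, key))
    # An attacker drops the signature and rewrites alg to none: must be rejected.
    header_b64, payload_b64, _ = token.split(".")
    forged = b64url_encode(b'{"alg":"none"}') + "." + payload_b64 + "."
    try:
        jws_verify_hs256(forged, key)
    except JWSError as err:
        print("rejected:", err)
```

Running the module signs a refund message, verifies it, and then shows the forged alg-none variant being rejected. The verifier recomputes the MAC over the header and payload segments exactly as received; re-serializing the JSON before verifying would change the bytes and break interoperability with other JOSE implementations. RFC 7515 Appendix A.1 gives an HS256 test vector that can be fed to jws_verify_hs256 to confirm the encoding matches the standard.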

6.1 The Standards Layer Cake

6.2 The problem solved by JSON Web Algorithms (JWA)

6.3 JSON Web Key (JWK)

6.4 JSON Web Signature (JWS)

6.4.1 JSON Web Signature (JWS) Structure

6.4.2 Creating and verifying a JWS object

6.4.3 Implementing the credit card refund scenario with JWS

6.5 JSON Web Encryption (JWE)

6.5.1 JWE Structure

6.5.2 Creating and decrypting JWE objects

6.5.3 Implementing the credit card refund scenario with JWE

6.6 JSON Web Token (JWT)

6.7 Exercises

6.8 Summary