JWT vs JWS vs JWE - What They Are and When to Use Which

最新推荐文章于 2024-03-08 21:20:44 发布
最新推荐文章于 2024-03-08 21:20:44 发布
阅读量4.9k 收藏
点赞数

  1. https://jwt.io/
  2. https://securedb.co/community/jwt-vs-jws-vs-jwe/

JWT (JSON Web Tokens) is a compact, URL safe artifacts for passing the claims between client and the server. Unlike cookies that make sense in only in the web application context, JWT can be easily used both in web applications and RESTful APIs. They make sense for browser clients as well as command line or thick clients.

 

However, there seems to be bit of confusion between JWT and other two related standards - JWS (JSON Web Signature) and JWE (JSON Web Encryption). JWT vs JWS vs JWE - is a common confusion among the developers. This article tries to explain away the differences and explain when to use which.

JWT vs JWE vs JWS

JWT

Per, JWT RFC

JWTs represent a set of claims as a JSON object that is encoded in a JWS and/or JWE structure.

Source: RFC 7519 https://tools.ietf.org/html/rfc7519

In other words, a JWT claims (i.e., claims represented in JSON format) could be sent either as JWS structure or JWE structure (or both; more on that later) depending on what you are trying to achieve. So, when you are sending JWT to someone, it is essentially either a JWS payload or a JWE payload. JWS payload is more popular for reasons that will become obvious soon.

 

So what are claims? They are simple assertions about the user. As an example, for a user authenticated to payroll system, the claims could be as follows:

{    "userId": "johndoe",    
     "role": "employee",    
     "pay-frequency": "biweekly"
}

Now embedding this inside a JWS, the entire string would look like this:

{    
    "alg":"HS256"
} // End of JOSE Header
. 
{
    "userId": "johndoe",
    "role": "employee",
    "pay-frequency": "biweekly"
} // End of JWT Claims
.
{

} // End of Signature in case of JWS

JWS

As the name suggests, JWS scheme digitally signs the content. The content to be carried here are JWT claims. The server signs the JWT and sends it to the client, say after successful user authentication. The server expects the client to send this JWS back to the server as part of the next request.

 

What if the client we're dealing with is rogue? That's where the signature comes in. Signature bringsIntegrity (remember the ConfidentialityIntegrityAvailability triad?) and Authentication  into the equation. In other words, server can be sure that the JWT claims inside the JWS it just received were not tampered with either by the rogue client or by a man-in-the-middle.

 

Server achieves this by validating the signature of the message to ensure that the claims were not tampered with by the client. If the server detects any kind of tampering, it can take appropriate action (deny the request or block the client etc.).

 

The client can also validate the signature. To do so, the client either needs server's secret (if the JWT signature is HMAC) or needs server's public key (if the JWT was digitally signed).

Note: With JWS, the payload (claims portion) is not encrypted. So, don't send anything sensitive.

JWE

The JWE scheme encrypts the content instead of signing it. The content being encrypted here are JWT claims. JWE, thus brings Confidentiality. The JWE can be signed and enclosed in a JWS. Now, you get both encryption and signature (thus getting ConfidentialityIntegrity, Authentication).

 

How to tell if you have a JWS or JWE?

Let's say you are the client and you receive a JWT. Now, how do you tell if it is a JWS or a JWE? From Section 9 of JWE RFC (https://www.rfc-editor.org/rfc/rfc7516.txt) :

  • The JOSE Header for a JWS can be distinguished from the JOSE Header for a JWE by examining the "alg" (algorithm) Header Parameter value. If the value represents a digital signature or MAC algorithm, or is the value "none", it is for a JWS; if it represents a Key Encryption, Key Wrapping, Direct Key Agreement, Key Agreement with Key Wrapping, or Direct Encryption algorithm, it is for a JWE. (Extracting the "alg" value to examine is straightforward when using the JWS Compact Serialization or the JWE Compact Serialization and may be more difficult when using the JWS JSON Serialization or the JWE JSON Serialization.)
  • The JOSE Header for a JWS can also be distinguished from the JOSE Header for a JWE by determining whether an "enc" (encryption algorithm) member exists. If the "enc" member exists, it is a JWE; otherwise, it is a JWS.

a19576
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
JWTJWEJWS 、JWK 都是什么鬼?还傻傻分不清?
radcb55226的博客
05-03 1249
《一线大厂Java面试题解析+核心总结学习笔记+最新讲解视频+实战项目源码》,点击传送门,即可获取! 一个JWT,应该是如下形式的:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ这些东西看上很凌乱,但是非常紧凑,并且是可打印的主要用于验证签名的真实性。JWT
一文理解 JWTJWSJWE、JWA、JWK、JOSE
m0_46296826的博客
12-03 7690
关于JsonWebToken的专业名词解释 header JWS JWS(Signed JWT)compact序列化主要生成流程: 结果示例 难点:JWS JSON序列化 JWS JSON 序列化形式(多个签名) 扁平化JWS JSON 序列化形式(单个签名) JSON 序列化与 compact序列化的区别:JWS JSON字段含义 payload:base64编码的JWT负载字符串 protected:base64编码的JWS头部字符串,包含的声明受到签名保
关于 JWTJWSJWE
u012503481的博客
07-25 6698
JWTJWSJWE 格式与差异介绍
一文读懂JWT,JWS,JWE
Java笔记虾
11-24 6347
点击上方“后端技术精选”,选择“置顶公众号”技术文章第一时间送达!作者:zh_coderhttps://blog.csdn.net/hellowordapi/article1.JWT是何物,有哪些常用的场景JWT(json web token)是设计一种简洁,安全,无状态的token的实现规范rfc7519,通常用于网络请求方和网络接收方之间的网络请求认证。jwt的常用场景1.1: restful...
JWTJWEJWS的区别
最新发布
2401_83384536的博客
03-08 587
一个JWT,应该是如下形式的:这些东西看上很凌乱,但是非常紧凑,并且是可打印的主要用于验证签名的真实性。
rhonabwy:JWK,JWKS,JWSJWEJWT C库
02-27
Rhonabwy-JWK,JWKS,JWSJWEJWT库 创建,修改,解析,导入或导出(JWK)和JSON Web密钥集(JWKS) 创建,修改,解析,验证或序列化(JWS) 创建,修改,解析,验证或序列化(JWE) 创建,修改,解析,验证或...
jose:JSON对象签名和加密框架(JWTJWSJWE,JWA,JWK,JWKSet等)
02-03
如果您真的喜欢那个图书馆,那么您可以帮我几个忙 :clinking_beer_mugs: ! :warning: :warning: :warning: 我们强烈建议您使用新的... JWSJWE对象支持可以编码为JSON的每个输入: string , array , integer ,
jose:通用的“ JSON Web几乎所有内容”-JWA,JWSJWEJWT,JWK,没有依赖项
03-30
乔瑟通用的“ JSON Web几乎所有内容”-使用本机加密运行时不依赖项的JWA,JWSJWEJWT,JWK实施的规格和功能以下规范由jose实现JSON Web签名(JWS) JSON Web加密(JWE) JSON Web密钥(JWK) JSON Web算法(JWA)...
go-jose:Go中JOSE标准(JWEJWSJWT)的实现
02-04
`go-jose` 是一个用于Go语言的库,实现了JOSE(JSON Object Signing and Encryption,JSON对象签名与加密)标准,包括JWE(JSON Web Encryption,JSON网络加密)、JWS(JSON Web Signature,JSON网络签名)以及JWT...
nimbus-jose-jwt-4.41.1-API文档-中文版.zip
06-26
赠送jar包:nimbus-jose-jwt-4.41.1.jar; 赠送原API文档:nimbus-jose-jwt-4.41.1-javadoc.jar; 赠送源代码:nimbus-jose-jwt-4.41.1-sources.jar; 赠送Maven依赖信息文件:nimbus-jose-jwt-4.41.1.pom; 包含...
JWT最全知识点-动力节点
weixin_49543720的博客
10-20 1372
一个JWT,应该是如下形式的:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ 这些东西看上很凌乱,但是非常紧凑,并且是可打印的主要用于验证签名的真实性。JWT 解决什么问题?JWT的主要目的是在服务端和客户端之间以安全的方式来转移声明。主要的应用场景如下所
JWE:安全传输敏感数据的最佳实践 (中)
weixin_47161314的博客
04-03 737
寻找一下有没有什么突破点,我们分析下,在processDispatchResult之后的方法,都在怎么包装返回错误信息,我们就需要debug进processDispatchResult方法,在报错之前看,能不能找到什么有用信息。就像这样,我们首先将客户端传过来的数据进行解密,然后自己手动赋值到对应的参数上,每次都写这样的加解密过程,未免有些不妥,我们想做到如图上的效果,自动赋值到controller的参数,我们直接请求一下,看结果怎样?这个类**, canRead。
一篇文章带你分清楚JWTJWSJWE
ChaITSimpleLove的博客
09-08 1208
随着移动互联网的兴起,传统基于session/cookie的web网站认证方式转变为了基于OAuth2等开放授权协议的单点登录模式(SSO),相应的基于服务器session+浏览器cookie的Auth手段也发生了转变,Json Web Token出现成为了当前的热门的Token Auth机制。 Json Web Token(JWT) JSON Web Token(JWT)是一个非常轻巧的规范。这个规范允许我们使用 JWT 在两个组织之间传递安全可靠的信息。 官方定义:JSON Web Token (.
面试官: 你知道 JWTJWEJWS 、JWK嘛?
程序员小刘
02-26 1814
这些东西看上很凌乱,但是非常紧凑,并且是可打印的主要用于验证签名的真实性。JWS ,也就是JWT Signature,其结构就是在之前nonsecure JWT的基础上,在头部声明签名算法,并在最后添加上签名。创建签名,是保证jwt不能被他人随意篡改。为了完成签名,除了用到header信息和payload信息外,还需要算法的密钥,也就是secret。当利用非对称加密方法的时候,这里的secret为私钥。为了方便后文的展开,把JWT的密钥或者密钥对,统一称为JSON Web Key,也就是JWK。
C/C++新手入门教程:傻瓜都会的VS2013使用教程,成为程序员的第一步
热门推荐
yx5666的博客
03-29 1万+
1、打开 VS2013 2、新建项目 打开VS2013之后,起始页可以看到新建项目,点击新建项目即可新建。 如果没有看到起始页,也可以点击【文件】=》【新建】=》【项目】也可以创建。 如果大家初学C/C++,可以选择【VisualC++】=>【Win32控制台应用程序】,然后修改 你的项目名称,选择你项目存储的路径; 如果你已经有C/C++基础,需要进阶,学习Win32窗口可以创建【Win32项目】,如果需 要深入学习MFC可以创建【MFC应用程序】 接下来,点击【..
深入了解 Json Web Token 之概念篇
公众号:Java后端
10-19 2722
点击上方Java后端,选择设为星标优质文章,及时送达以下,可能你能够在各大网站上搜到,但是对于JWE 的内容,却鲜有见闻。下文是我读了json web token handle bo...
12. 更高级的通关文牒:JWTJWEJWS
weixin_45946850的博客
05-14 1892
在姜文导演的《让子弹飞》中,葛优饰演的马邦德在开头携带的委任状和我们今天讨论的JWT( JSON Web Token)有异曲同工之妙,JSON Web Token(JWT)是一种开放标准,它定义了一种紧凑且自包含的方式,用于在各方之间安全地传输JSON对象信息。由IETF OAuth工作组开发的RFC 7519文档定义了JWT的结构和处理规则。
JWT的结构, JWT可以篡改吗, JWE听说过吗
12-08
JWT是一种用于身份验证和授权的开放标准,它由三部分组成:头部、载荷和签名。其中头部包含了关于该...因此,JWEJWSJWT之间的关系可以表示为:JWEJWSJWT的扩展,它们分别提供了机密性和真实性/完整性的保证。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值