I'm new to JWT. I read RFC 7519 and a lot of websites about JWE and JWS, but I'm a little bit confused about this topic.

JWE is encoded and JWS is encoded and signed. The RFC describes:

> If the JOSE Header is for a JWS, the JWT is represented as a JWS and the claims are digitally signed or MACed, with the JWT Claim Set being the JWS Payload.
>
> If the JOSE Header is for JWE, the JWT is represented as a JWE and the claims are encrypted, with the JWT Claim Set being the plaintext encrypted by the JWE

How does this work in the JWT.io framework? Is it needed to implement this by myself or do I need an additional library?

Best regards, Michael

michael-mammut

1 Answer

> JWE is encoded and JWS is encoded and signed.

Not exactly, JWE means the JWT is digitally encrypted and JWS means digitally signed.

jwt.io does not support JWE and partially supports JWS (only compact serialization representation with HS256 or RS256 algorithms). There is a list of libraries for several use cases, however libraries that support JWE are not listed.

At Spomky-Labs, we developed a PHP library that supports JWE and JWS with all algorithms listed in the RFC7518.

Spomky-Labs
  • Thank you for the response. That means that the claims in the `JWT` header define `JWE` or `JWS`. Under the bottom line both are `JWT`s? Is this correct? Because I read the `RFC` for `JWE` and `JWS` and there is just a description of the header claims. I ask so much because I also want to understand the particular details and not a gross abstract. – michael-mammut Jul 19 '16 at 08:21
  • Both are JWT. The header values just indicate what kind of body you have (`cty`/`typ` headers), how to get that body (is it encrypted or signed) and how to verify its content (`crit`ical claims, `b64` encoded...). – Spomky-Labs Jul 19 '16 at 08:26
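The distinction discussed in this thread, as an added example that is not part of the original posts and is not Spomky-Labs' library: a compact JWS has three dot-separated segments and a compact JWE has five with an `enc` header parameter (RFC 7516, section 9). The function names and the sample tokens are constructed for illustration; the JWE sample carries placeholder bytes rather than real ciphertext, and only HS256 verification is shown.

```python
import base64, hashlib, hmac, json

def b64url_decode(seg: str) -> bytes:
    # Compact serialization strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def classify(token: str):
    """Return ("JWS" or "JWE", header) for a compact-serialized JWT."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header must be a JSON object")
    if len(parts) == 3 and "enc" not in header:
        return "JWS", header   # header.payload.signature
    if len(parts) == 5 and "enc" in header:
        return "JWE", header   # header.encrypted_key.iv.ciphertext.tag
    raise ValueError("not a compact JWS or JWE")

def make_hs256(claims: dict, key: bytes) -> str:
    """Build a signed JWT (JWS): the claims set is the JWS payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if the token is an HS256 JWS with a valid MAC."""
    kind, header = classify(token)
    # Pin the algorithm on the verifier side; never trust "alg" blindly.
    if kind != "JWS" or header.get("alg") != "HS256":
        raise ValueError("expected an HS256-signed JWS")
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(token.split(".")[1]))

# Constructed JWE-shaped token: "dir" means an empty encrypted-key segment.
SAMPLE_JWE = ".".join([
    b64url_encode(json.dumps({"alg": "dir", "enc": "A128GCM"}).encode()),
    "",
    b64url_encode(b"constructed-iv"),
    b64url_encode(b"constructed-ciphertext"),
    b64url_encode(b"constructed-tag"),
])

if __name__ == "__main__":
    token = make_hs256({"sub": "michael"}, b"constructed-demo-key")
    print(classify(token)[0], verify_hs256(token, b"constructed-demo-key"))
    print(classify(SAMPLE_JWE)[0])
```

The claims of the JWS can be read by anyone who base64url-decodes the second segment; only the JWE form hides them, and decrypting it requires a library that implements the RFC 7518 content-encryption algorithms.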