JSON Web Encryption (JWE)

  • is an encrypted JSON Web Token (JWT)
  • while signing a JWT (JWS) provides a means to establish the authenticity of the JWT contents, encryption provides a way to keep the contents of the JWT unreadable to third parties.

JWE - Encryption Schemes

  • shared-secret scheme - is analogous to the HMAC signing mechanism: all parties know the secret and can both encrypt and decrypt a token.
  • public-key scheme - works differently. In JWE, every holder of the public key can encrypt data, but only the party holding the private key can decrypt it. That means JWE on its own cannot guarantee the authenticity of the JWT when a public/private key scheme is used, because any public-key holder could have produced the token. To get a guarantee of authenticity, both JWS and JWE should be used (sign, then encrypt). Note that this restriction only applies when consumers are different entities from producers. If the producer and the consumer of the data are the same entity, then a shared-secret encrypted JWT provides the same guarantees as an encrypted and signed JWT.

JWE - Structure

In its compact form, a JWE consists of 5 parts separated by dots (.):

  • header (not encrypted: base64url-encoded JSON, but covered by the authentication tag as additional authenticated data)
  • encrypted-key (empty when the content-encryption key is used directly via alg "dir")
  • initialization-vector
  • encrypted-payload (the ciphertext)
  • authentication-tag (a MAC over the header and ciphertext, not a signature)

A JWE typically looks like the following:

header.encrypted-key.initialization-vector.encrypted-payload.authentication-tag

Use the jwt.io Debugger to decode, verify, and generate JWEs.