Encrypting Claims JSON using JWE
I am using the Hello World JWE example from the wiki. In my case, the payload is set to the Claims JSON; that's the only difference. I use an AES key generated using the Java API.
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// 128-bit AES key; A128KW needs exactly 16 bytes of key material
KeyGenerator generator = KeyGenerator.getInstance("AES");
generator.init(128);
SecretKey key = generator.generateKey();
When encrypting, I set the payload to this:
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;

JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setPayload(claims.toJson());                       // the JWT claims JSON is the plaintext
jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.A128KW);   // "alg": AES-128 key wrap
jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);   // "enc"
jwe.setKey(key);                                       // the SecretKey generated above
String token = jwe.getCompactSerialization();          // five dot-separated base64url parts
When decrypting, I get the claims using this code:
import org.jose4j.jwt.JwtClaims;

JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setKey(key);                                       // same symmetric key as the encrypting side
jwe.setCompactSerialization(token);
JwtClaims claims = JwtClaims.parse(jwe.getPayload());  // decrypts, then parses the claims JSON
Is this a valid scenario? It works fine with Java. But I am having issues with decrypting this token using non-Java libraries (python-jose). Appreciate any help.
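The same A128KW / A128CBC-HS256 round trip as an added, self-contained example (not the reporter's code and not from the jose4j wiki), written the way a consumer should do it in practice: the decrypt side goes through jose4j's JwtConsumer so that the expected alg and enc are pinned, an unencrypted token is rejected, and exp/iss/aud are validated before any claim is used. It assumes jose4j on the classpath and a release that spells the constraint type ConstraintType.PERMIT (older releases use WHITELIST); the issuer, audience, subject and "ssn_last4" claim values are constructed sample data.

```java
import java.security.Key;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.lang.JoseException;

public class EncryptedClaimsRoundTrip {

    // Same algorithms as in the question: AES-128 key wrap for the CEK, AES-128-CBC + HMAC-SHA-256 for the content.
    static final String ALG = KeyManagementAlgorithmIdentifiers.A128KW;
    static final String ENC = ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256;

    // Producer side: build the claims and wrap them in a JWE.
    static String encryptClaims(Key key) throws JoseException {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("issuer-example");          // constructed sample values
        claims.setAudience("audience-example");
        claims.setSubject("user-123");
        claims.setGeneratedJwtId();
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(10);
        claims.setClaim("ssn_last4", "1234");         // the sensitive claim the encryption is meant to protect

        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setPayload(claims.toJson());
        jwe.setAlgorithmHeaderValue(ALG);
        jwe.setEncryptionMethodHeaderParameter(ENC);
        jwe.setKey(key);
        jwe.setHeader("typ", "JWT");                  // optional: tells consumers the payload is a JWT claim set
        return jwe.getCompactSerialization();
    }

    // Consumer side: JwtConsumer decrypts, pins the algorithms, and validates the standard claims.
    static JwtClaims decryptAndValidate(String token, Key key) throws InvalidJwtException {
        JwtConsumer consumer = new JwtConsumerBuilder()
            .setDecryptionKey(key)
            .setEnableRequireEncryption()             // a plain JWS or unsecured JWT is rejected outright
            .setDisableRequireSignature()             // no nested JWS here; A128CBC-HS256 already authenticates the content
            .setJweAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, ALG))
            .setJweContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, ENC))
            .setExpectedIssuer("issuer-example")
            .setExpectedAudience("audience-example")
            .setRequireExpirationTime()
            .setAllowedClockSkewInSeconds(30)
            .build();
        return consumer.processToClaims(token);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128);                          // A128KW requires a 128-bit key
        SecretKey key = generator.generateKey();

        String token = encryptClaims(key);
        System.out.println("JWE: " + token);

        JwtClaims claims = decryptAndValidate(token, key);
        System.out.println("subject   = " + claims.getSubject());
        System.out.println("ssn_last4 = " + claims.getStringClaimValue("ssn_last4"));

        // A token wrapped under a different key must fail: the AES key-unwrap integrity check
        // fails before any content is decrypted, so no claims are ever parsed.
        SecretKey otherKey = generator.generateKey();
        try {
            decryptAndValidate(token, otherKey);
            System.out.println("UNEXPECTED: wrong key accepted");
        } catch (InvalidJwtException e) {
            System.out.println("wrong key rejected: " + e.getMessage());
        }
    }
}
```

The two AlgorithmConstraints lines are the part worth keeping even if nothing else is reused: without them a consumer accepts whatever alg and enc the token header announces, so the producer's choice of algorithm is not actually enforced on the receiving side.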
Comments (4)
- repo owner: As best I can tell, python-jose only supports JWS signed tokens and doesn't support encryption/JWE at all, which would explain why you can't decrypt using python-jose. A JWT that is a JWE with JSON claims is valid, but both parties need to support JWE. A fair number of the JWT/JOSE libraries out there only do JWS and not JWE. Many JWT uses aren't encrypted but just signed (or MAC integrity protected) with JWS; perhaps that'd be sufficient for what you are looking to do? I can only speculate though. More JWT example usage, which may be helpful, can be found at https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
- reporter: Thank you Brian for clarifying this. My requirement is to encrypt sensitive data sent in a JWT token. Do you recommend a content enc alg that is widely implemented/supported in libraries? We use AES_128_CBC_HMAC_SHA_256.
- repo owner: I don't know for sure, but yes, I'd imagine AES_128_CBC_HMAC_SHA_256 is the most widely supported content encryption algorithm.
- repo owner: changed status to invalid