Could the signature of a JWT/JWS be used as a globally unique identifier?
In other words, is a signature on a JWT or JWS always unique?
Continue reading Could the signature of a JWT/JWS be used as a globally unique identifier?
I am used to using JWTs so when I needed the same behavior but with no plaintext user data I looked at JWE. JWE is very similar to JWT; however, I did not see the exp, nbf or iat fields which limit the time the message is valid for (preven… Continue reading How to prevent replay attacks with JWE?
When we use mTLS, both client and server are authenticated. In this scenario, does it make any sense to send HTTP requests as signed tokens (like JWS)?
Continue reading Does sending HTTP requests as signed tokens make sense when mutual TLS is used?
The Google Identity openid discovery url https://accounts.google.com/.well-known/openid-configuration, has a .jwks_uri of https://www.googleapis.com/oauth2/v3/certs. If we look at the first key in that JWK Set
curl -s https://www.googleapi… Continue reading Azure AD has an "issuer" attribute on JWK keys in the JWK Set but Google ID does not, what is its purpose?
I have an authorization server that generates JWTs; the JWTs are signed with a private key (RS256) stored on a hardware security module. The tokens are generated only after a successful authentication.
What measures can be taken to prevent … Continue reading JWT forgery by an internal attacker
I am looking for information on signatures/certificates (x.509, JWS etc) and how the different standards tie together.
Books, blogs, anything.
I am comparing implementation complexity of JWS and Client Certificate and troubleshooting Client Certificate at the same time.
I understand that both methods require proving that the certificate (x5c in JWS or the actual Client Certifica… Continue reading Verification of certificate trustworthiness (e.g. in JWS and Client Certificate)
Wrapping my head around JWE and the key management modes.
The point of JWE is to prevent third parties from seeing/changing the token. Only the token issuer and resource server should be able to use it. (Is this correct?)
To encrypt the token’s p… Continue reading JWE and the key management modes
Looking over the spec for JSON Web Signature (JWS), I realise that it doesn’t seem to specify anything that is HTTP-specific in terms of the payload. Specifically, signing HTTP headers and bodies (say, so a server can verify certain HTTP h… Continue reading Signing HTTP requests with JWS
JSON libraries using the JWE specification to create, sign and encrypt access tokens have been patched against an attack that allows for the recovery of a private key. Continue reading JSON Libraries Patched Against Invalid Curve Crypto Attack