JOSE & JSON Web Token (JWT) Examples

JWS

JSON Web Signature (JWS) secures content, such as text, JSON or binary data, with a digital signature (RSA, EC or EdDSA) or a Hash-based Message Authentication Code (HMAC).

Create / verify JWS with generic payload and compact serialisation:

• JWS with HMAC protection
• JWS with RSA signature
• JWS with EC signature
• JWS with EdDSA / Ed25519 signature (RFC 8037)

JWS with JSON serialisation:

• JWS with JSON serialisation and multiple signatures

JWS with detached and unencoded payload (RFC 7797):

• JWS with unencoded payload

JWS can also secure JSON Web Tokens (JWT):

• JWT with HMAC protection
• JWT with RSA signature
• JWT with EC signature
• JWT with ES256K signature (secp256k), used in Bitcoin and Ethereum
• JWT with EdDSA / Ed25519 signature (RFC 8037)

JWS with Android PIN or biometric prompt to unlock the private key for signing:

• JWS with user authentication required

JWS with the BouncyCastle FIPS provider:

• JWS PS256 with BouncyCastle FIPS

Cloud KMS:

• JWS and JWT with Google Cloud KMS
• JWS and JWT with AWS KMS

JWE

JSON Web Encryption (JWE) is for sending confidential content with integrity protection. Public / private (RSA and EC) as well as symmetric AES and ChaCha encryption are supported.

Create / decrypt JWE examples:

• JWT with RSA encryption
• JWE with shared key
• Signed and encrypted JWT
• JWE with XChaCha20 / Poly 1305 (XC20P)
• JWE encryption with preset Content Encryption Key (CEK)
• JWE to multiple recipients

Framework for minting JWS objects and signed JWTs

Simple framework to aid the creation of JWS objects and signed JWTs:

• Framework for minting JWS objects and signed JWTs

Framework for processing JOSE objects and JWTs

The library includes a framework for handling tokens and messages secured with JOSE, such as JWT-encoded access tokens and OpenID Connect ID tokens. The framework follows the best current practises and was tested with a wide range of use cases.

• Validating JWT access tokens

JSON entity mapping

JSON entities are mapped to their most natural Java class counterparts.

• JSON entity mapping

Parsing JOSE and JWT objects

Parsing objects and tokens of a particular type (unsecured, JWS, JWE):

• Simple JOSE object / JWT parsing

Parsing objects and tokens of any type (unsecured, JWS, JWE):

• Combined parsing of unsecured, JWS and JWE objects
• Combined parsing of unsecured, signed and encrypted JWTs

Keys

JSON Web Key (JWK):

• How to generate a JWK
• Converting between a standard Java key representation and a JWK
• JWK Thumbprints
• Using JWK selectors
• Loading JWK sets from a file, URL or JCA KeyStore
• Enhanced JWK set retrieval with rate-limiting, caching, retrial and health status reporting support
• Parsing a PEM-encoded X.509 certificate or key pairs

X.509 certificates

• X.509 certificate parsing and key extraction
• Generate self-signed X.509 certificate with Java SUN classes

Smart cards and Hardware Security Modules (HSM)

• Signing a JWT with a smart card or HSM
• JWS HS256 with AWS CloudHSM