What is the message flow, or sequence that enables JWT encryption of the payload?
(opposed to OAuth / OpenIDConnect which doesn't encrypt the payload)
Asked
Active
Viewed 847 times
2 Answers
2
I downvoted your question due to the fact I believe it to be answered by the canonical resources on JWT, https://jwt.io/introduction/.
Happy to reverse that if I missed some aspect of your question, but I do think you just need to check that link - it seems to cover both your initial question and the follow up in comments
iwaseatenbyagrue
- 3,631
- 1
- 12
- 24
1
Short answer: RFC 7516
Longer answer:
- it's sign then encrypt scheme
- encryption is two-step:
- encrypt the payload with random symmetric key
- encrypt the key with RSA
Since it's public key crypto on the latter phase, you need some scheme of PKI to handle public key availability.
-
Do you mind expanding on how the public keys are exchanged? – makerofthings7 Feb 02 '17 at 11:40
-
1Anything you will, it's not the part of JWT scheme itself, hence the PKI remark. – pFarb Feb 09 '17 at 12:00