ChatGPT解决这个技术问题 Extra ChatGPT

What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?

I've been coding a RESTful service in Java. This is what I've understood till now (correct me if i'm wrong):

Token authorization is done using JSON Web Tokens (JWT) which have three parts: the header, the payload, and the secret (shared between the client and the server).

I understood this concept and stumbled over JSON Web Signature (JWS) while reading about JWT.

JWS also is an encoded entity similar to JWT having a header, payload, and a shared secret.

Question: What is the difference between the two concepts, namely JWT and JWS? And if they are alike technically, then what's the difference in their implementation?

This is the first time I'm working with token based auth, so it's possible I've misunderstood the concept altogether.

P.S. I learned about JWS while browsing through the examples on this website.

C
Community

JWT actually uses JWS for its signature, from the spec's abstract:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.

So a JWT is a JWS structure with a JSON object as the payload. Some optional keys (or claims) have been defined such as iss, aud, exp etc.

This also means that its integrity protection is not just limited to shared secrets but public/private key cryptography can also be used.

Okay that makes sense. So where does my user info go, if the payload contains the claim set? Can you show me an example?
please take a look at the examples in Appendix A in the spec here: tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
The claims will have the user info. Here's an example in code with comments talking about what is going on bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
@HansZ. the examples in Appendix A only show JWT. I'm interested in seeing an example of a JWS so I can see the difference between a JWT and a JWS.
C
Community

To put simply, JWT (JSON Web Token) is a way of representing claims which are name-value pairs into a JSON object. JWT spec defines a set of standard claims to be used or transferred between two parties.

On the other hand, JWS (JSON Web Signature) is a mechanism for transferring JWT payload between two parties with guarantee for Integrity. JWS spec defines multiple ways of signing (eg. HMAC or digital signature) the payload and multiple ways of serializing the content to transfer across network.

关注公众号,不定期副业成功案例分享
Follow WeChat

Success story sharing

Want to stay one step ahead of the latest teleworks?

Subscribe Now

HuntsBot,a one-stop outsourcing task, remote job, product ideas sharing and subscription platform, which supports DingTalk, Lark, WeCom, Email and Telegram robot subscription. The platform will push outsourcing task requirements, remote work opportunities, product ideas to every subscribed user with timely, stable and reliable.

简体中文 English

Platform

Support

Contact US

Any questions or suggestions during use, you can contact us in the following ways:

Email: huntsbot@xinbeitime.com

Copyright© 2022-2023 www.huntsbot.com 浙ICP备2022000860号-4 All Rights Reserved.