Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?

I've been coding a RESTful service in Java. This is what I've understood till now (correct me if i'm wrong):

Token authorization is done using JSON Web Tokens (JWT) which have three parts: the header, the payload, and the secret (shared between the client and the server).

I understood this concept and stumbled over JSON Web Signature (JWS) while reading about JWT.

JWS also is an encoded entity similar to JWT having a header, payload, and a shared secret.

Question: What is the difference between the two concepts, namely JWT and JWS? And if they are alike technically, then what's the difference in their implementation?

This is the first time I'm working with token based auth, so it's possible I've misunderstood the concept altogether.

P.S. I learned about JWS while browsing through the examples on this website.

like image 411
leo Avatar asked Dec 24 '14 18:12

leo


People also ask

What is the difference between JWT and token?

In essence, a JSON Web Token (JWT) is a bearer token. It's a particular implementation which has been specified and standardised. JWT in particular uses cryptography to encode a timestamp and some other parameters. This way, you can check if it's valid by just decrypting it, without hitting a DB.

What are the 3 parts of JWT?

Figure 1 shows that a JWT consists of three parts: a header, payload, and signature. The header typically consists of two parts: the type of the token, which is JWT, and the algorithm that is used, such as HMAC SHA256 or RSA SHA256. It is Base64Url encoded to form the first part of the JWT.

What is JWS used for?

A JSON Web Signature (abbreviated JWS) is an IETF-proposed standard (RFC 7515) for signing arbitrary data. This is used as the basis for a variety of web-based technologies including JSON Web Token.

What is JSON and JWT?

JWT, or JSON Web Token, is an open standard used to share security information between two parties — a client and a server. Each JWT contains encoded JSON objects, including a set of claims. JWTs are signed using a cryptographic algorithm to ensure that the claims cannot be altered after the token is issued.


2 Answers

JWT actually uses JWS for its signature, from the spec's abstract:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.

So a JWT is a JWS structure with a JSON object as the payload. Some optional keys (or claims) have been defined such as iss, aud, exp etc.

This also means that its integrity protection is not just limited to shared secrets but public/private key cryptography can also be used.

like image 54
Hans Z. Avatar answered Oct 16 '22 07:10

Hans Z.


To put simply, JWT (JSON Web Token) is a way of representing claims which are name-value pairs into a JSON object. JWT spec defines a set of standard claims to be used or transferred between two parties.

On the other hand, JWS (JSON Web Signature) is a mechanism for transferring JWT payload between two parties with guarantee for Integrity. JWS spec defines multiple ways of signing (eg. HMAC or digital signature) the payload and multiple ways of serializing the content to transfer across network.

like image 32
Prosunjit Biswas Avatar answered Oct 16 '22 08:10

Prosunjit Biswas