Sephster
commented
2 years ago The JWTs we issue aren't encrypted. They are just signed so I don't think we need to comply with that section of the RFC:
Support for encrypted JWTs is OPTIONAL. If an implementation provides encryption capabilities, of the encryption algorithms specified in [JWA], only RSAES-PKCS1-v1_5 with 2048-bit keys ("RSA1_5"), AES Key Wrap with 128- and 256-bit keys ("A128KW" and "A256KW"), and the composite authenticated encryption algorithm using AES-CBC and HMAC SHA-2 ("A128CBC-HS256" and "A256CBC-HS512") MUST be implemented by conforming implementations. It is RECOMMENDED that implementations also support using Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) to agree upon a key used to wrap the Content Encryption Key ("ECDH-ES+A128KW" and "ECDH-ES+A256KW") and AES in Galois/Counter Mode (GCM) with 128- and 256-bit keys ("A128GCM" and "A256GCM"). Support for other algorithms and key sizes is OPTIONAL.
I don't think the JWT library we use currently supports JWE but should this change, I will of course take a second look at this. Happy to discuss further if you have further comments. Thank you for getting in touch regarding this
asgeirn
lcobucci
JWA section 3.3 states:
JWA is stated as an implementation requirement in RFC 7519, section 8.
As a consequence, standards-compliant JWT libraries like JOSE refuse to validate access tokens issued using this library.