JWS and JWE

Corppass leverages JWS (JSON Web Signature) and JWE (JSON Web Encryption) to securely exchange and verify sensitive authorization data between clients and the authorization server.

These mechanisms align with RFC 7515 (JWS) and RFC 7516 (JWE), and are used to ensure integrity, authenticity, and confidentiality of data in the Corppass authorization flow.

JSON Web Signature (JWS)

JWS ensures the integrity and authenticity of data by digitally signing it. It is used to protect critical tokens like client assertions and ID tokens from tampering.

A JWS consists of three components, each Base64URL-encoded and concatenated with periods (.):

  1. Header – Contains metadata such as the signing algorithm (alg) and key identifier (kid).

  2. Payload – The data or claims being signed (e.g., client ID, token expiry).

  3. Signature – A cryptographic signature generated using the sender’s private key.

<base64url-encoded header>.<base64url-encoded payload>.<base64url-encoded signature>

Usage in Corppass

JWS is used to sign JWTs in the following scenarios:

  • Client Assertion JWTs: Relying Parties (RPs) send signed JWT client_assertion to authenticate themselves.

  • ID Tokens: Corppass signs the ID Tokens to assert that the payload is authentic and not tampered with.

Corppass verifies these signatures using the public keys provided via the client’s JWKS.

JWS Header Example

{ 
  "alg": "ES256", 
  "kid": "d591e152-886e-46cc-aa70-36a4431162a6", 
  "typ": "JWT" 
}
Field
Description

alg

The algorithm used to sign the JWT.

kid

Type of object (JWT).

typ

Key ID, used to locate the corresponding public key in the client’s JWKS.

JSON Web Encryption (JWE)

JWE ensures the confidentiality of data by encrypting it, ensuring that only the intended recipient (the RP) can decrypt and read the content.

A JWE consists of five components, each Base64URL-encoded and concatenated with periods (.):

  1. Protected Header: Contains metadata about the encryption algorithm (alg) and encryption key.

  2. Encrypted Key: The key used to encrypt the payload.

  3. Initialisation Vector (IV): Ensures randomness in encryption.

  4. Cipher Text: The encrypted payload.

  5. Authentication Tag: Ensures integrity of the encrypted data.

<Protected Header>.<Encrypted Key>.<IV>.<Ciphertext>.<Authentication Tag>

Usage in Corppass

JWE is used to encrypt a JWS (signed JWT) in the following scenarios:

  • ID Token: Corppass signs the ID token as a JWS and then encrypts it using the RP’s public key, producing a JWE.

  • Entity Info Payload: The response payload from the /entity-info endpoint is a signed JWT (JWS) that is further encrypted as a JWE.

JWE Header Example

{ 
  "alg": "ECDH-ES+A256KW", 
  "kid": "nxiJJNNVxxnTkU2wL65TI2PkILIJOURSTQSABLuH2kE", 
  "enc": "A256CBC-HS512", 
  "typ": "JWT" 
}
Field
Description

alg

The key management algorithm used to encrypt the key that encrypts the payload.

kid

Key ID used to identify which public key in the RP's JWKS should be used to perform encryption.

enc

Content encryption algorithm. Corppass may use A256GCM (AES-GCM with 256-bit key).

typ

Type of token, usually JWT. Helps distinguish JWTs from other data types.

JWE supports both symmetric and asymmetric encryption algorithms. Corppass only supports asymmetric key pairs that use Elliptic Curve (EC)-based key agreement algorithms to determine a common encryption key, specifically:

  • ECDH-ES+A128KW

  • ECDH-ES+A256KW

  • ECDH-ES+A512KW

These algorithms use Elliptic Curve Diffie-Hellman (ECDH) for key agreement and AES Key Wrapping (AxxxKW) for content encryption.

Last updated