JSON Web Token becomes a standard

JSON Web Token (JWT) is now an official IETF standard and is given the RFC 7519 designation.

The JOSE specification suite, which defines the cryptographic mechanisms for securing JWTs (and can be used to secure other kinds of digital objects), has also received standard RFC numbers.

Mike Jones, who diligently chaired the work group, recently blogged about how JWT came about and the four-year journey to an IETF standard. We want to thank everybody who participated in this effort. JWTs are used extensively in the Connect2id server for encoding identity tokens (in OpenID Connect) and access tokens (OAuth 2.0).

Our open source Nimbus JOSE+JWT library for working with JWTs is approaching its fourth major release, which brings a number of significant improvements and new features:

  • A robust framework for processing JWTs and other JOSE-secured objects, which helps developers avoid some of the common pitfalls that lead to vulnerabilities, such as letting the token's own alg header decide how it is verified.
  • All internal cryptography operations now use the standard JCA interfaces. The hard dependency on BouncyCastle has been removed.
  • The JWS signers / verifiers and JWE encrypters / decrypters can be configured with a specific JCA provider, for all or for selected operations.
  • Support for password-based JWE algorithms PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW.
  • Support for Elliptic Curve Diffie-Hellman JWE algorithms ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW.
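
The processing framework and the JCA provider hook, as an added example that is not part of the original post or the library's own documentation. It is written against the current Nimbus JOSE+JWT API (class and method names may differ from the 4.0 release announced here) and assumes a hard-coded 256-bit HMAC secret and the issuer URL https://issuer.example.com, both chosen for illustration only. The point it shows is that the verifier side pins the algorithm, key, type and required claims up front, so a token whose header claims alg=none or a different algorithm is refused before any signature check:

```java
import java.nio.charset.StandardCharsets;
import java.security.Security;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.HashSet;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

public class PinnedJwtProcessing {

    // Hypothetical 256-bit HMAC secret, hard-coded only for this example; load it from a key store in practice.
    static final byte[] SECRET = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    // Assumed issuer identifier for the example.
    static final String ISSUER = "https://issuer.example.com";

    /** Mints an HS256-signed JWT with the usual iss / sub / iat / exp claims. */
    static String mint(String subject) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(ISSUER)
                .subject(subject)
                .issueTime(new Date())
                .expirationTime(new Date(System.currentTimeMillis() + 5 * 60 * 1000L))
                .build();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.HS256).type(JOSEObjectType.JWT).build(), claims);
        MACSigner signer = new MACSigner(SECRET);
        // Route this signer's HMAC through a specific JCA provider (here the JDK's own SunJCE);
        // the same hook exists on verifiers, encrypters and decrypters.
        signer.getJCAContext().setProvider(Security.getProvider("SunJCE"));
        jwt.sign(signer);
        return jwt.serialize();
    }

    /** Builds a processor that accepts only what we configured, never what the token's header asks for. */
    static DefaultJWTProcessor<SecurityContext> processor() {
        DefaultJWTProcessor<SecurityContext> p = new DefaultJWTProcessor<>();
        // Accept only typ=JWT.
        p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(JOSEObjectType.JWT));
        // Pin the JWS algorithm and the key together. A token whose header says "none" or "RS256"
        // gets no key selected and is rejected before any signature check.
        p.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.HS256, new ImmutableSecret<>(SECRET)));
        // Require an exact issuer match and the presence of sub, iat and exp; exp / nbf are checked against the clock.
        p.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                new JWTClaimsSet.Builder().issuer(ISSUER).build(),
                new HashSet<>(Arrays.asList("sub", "iat", "exp"))));
        return p;
    }

    public static void main(String[] args) throws Exception {
        DefaultJWTProcessor<SecurityContext> p = processor();

        String token = mint("alice");
        System.out.println("accepted, subject = " + p.process(token, null).getSubject());

        // The same claims re-packaged as an unsecured (alg=none) JWT: refused regardless of the header.
        String unsecured = new PlainJWT(SignedJWT.parse(token).getJWTClaimsSet()).serialize();
        try {
            p.process(unsecured, null);
        } catch (BadJOSEException e) {
            System.out.println("alg=none rejected: " + e.getMessage());
        }

        // Tampered payload under the original signature: refused because the HMAC no longer matches.
        String[] parts = token.split("\\.");
        String tamperedPayload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"sub\":\"admin\"}".getBytes(StandardCharsets.UTF_8));
        try {
            p.process(parts[0] + "." + tamperedPayload + "." + parts[2], null);
        } catch (BadJOSEException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

Everything the processor is willing to accept is fixed in code; the token's header only has to agree with it. That inverts the pattern that causes trouble, where a parser reads alg from the header and then looks for a key that fits it.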

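The two new JWE key-management families, as an added example that is not part of the original post or the library's own documentation. It is written against the current Nimbus JOSE+JWT API (names may differ from the 4.0 release announced here), and the password, the salt length and iteration count, the P-256 recipient key pair and the MAX_P2C cap are all choices made for this example. Each decrypt path checks the header's alg and enc against what the recipient expects before any key derivation or agreement takes place, and the PBES2 path also caps the iteration count, since p2c is attacker-controlled header data:

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.ECDHDecrypter;
import com.nimbusds.jose.crypto.ECDHEncrypter;
import com.nimbusds.jose.crypto.PasswordBasedDecrypter;
import com.nimbusds.jose.crypto.PasswordBasedEncrypter;

public class JweKeyManagementExamples {

    // Largest PBES2 iteration count (p2c) we are willing to honour in an incoming JWE.
    // Without a cap, a huge header value makes the decrypter burn CPU on PBKDF2. Value chosen for the example.
    static final int MAX_P2C = 100_000;

    /** PBES2-HS256+A128KW: the content key is wrapped with a key derived from the password by PBKDF2. */
    static String encryptWithPassword(String password, String plaintext) throws JOSEException {
        JWEHeader header = new JWEHeader(JWEAlgorithm.PBES2_HS256_A128KW, EncryptionMethod.A128CBC_HS256);
        JWEObject jwe = new JWEObject(header, new Payload(plaintext));
        // 16-byte salt and 8192 PBKDF2 iterations (example parameters); both are written into the header.
        jwe.encrypt(new PasswordBasedEncrypter(password, 16, 8192));
        return jwe.serialize();
    }

    static String decryptWithPassword(String password, String compact) throws Exception {
        JWEObject jwe = JWEObject.parse(compact);
        JWEHeader h = jwe.getHeader();
        // Decide what we accept before doing any work driven by the header.
        if (!JWEAlgorithm.PBES2_HS256_A128KW.equals(h.getAlgorithm())
                || !EncryptionMethod.A128CBC_HS256.equals(h.getEncryptionMethod())) {
            throw new JOSEException("Unexpected JWE alg/enc: " + h.getAlgorithm() + "/" + h.getEncryptionMethod());
        }
        if (h.getPBES2Count() > MAX_P2C) {
            throw new JOSEException("PBES2 iteration count too large: " + h.getPBES2Count());
        }
        jwe.decrypt(new PasswordBasedDecrypter(password));
        return jwe.getPayload().toString();
    }

    /** ECDH-ES+A128KW: ephemeral-static ECDH on the recipient's P-256 key derives a key that wraps the content key. */
    static String encryptForRecipient(ECPublicKey recipientPublic, String plaintext) throws JOSEException {
        JWEHeader header = new JWEHeader(JWEAlgorithm.ECDH_ES_A128KW, EncryptionMethod.A128GCM);
        JWEObject jwe = new JWEObject(header, new Payload(plaintext));
        jwe.encrypt(new ECDHEncrypter(recipientPublic));
        return jwe.serialize();
    }

    static String decryptAsRecipient(ECPrivateKey recipientPrivate, String compact) throws Exception {
        JWEObject jwe = JWEObject.parse(compact);
        JWEHeader h = jwe.getHeader();
        if (!JWEAlgorithm.ECDH_ES_A128KW.equals(h.getAlgorithm())
                || !EncryptionMethod.A128GCM.equals(h.getEncryptionMethod())) {
            throw new JOSEException("Unexpected JWE alg/enc: " + h.getAlgorithm() + "/" + h.getEncryptionMethod());
        }
        jwe.decrypt(new ECDHDecrypter(recipientPrivate));
        return jwe.getPayload().toString();
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse battery staple"; // example password
        String c1 = encryptWithPassword(password, "password-protected message");
        System.out.println(decryptWithPassword(password, c1));

        // Recipient key pair on P-256 generated through plain JCA; no BouncyCastle required.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = gen.generateKeyPair();
        String c2 = encryptForRecipient((ECPublicKey) kp.getPublic(), "message for one recipient");
        System.out.println(decryptAsRecipient((ECPrivateKey) kp.getPrivate(), c2));
    }
}
```

The alg / enc check on the receiving side matters more for JWE than it may look: a decrypter is handed attacker-controlled header fields (algorithm, iteration count, ephemeral public key) and should only act on them once they match what it was built to handle.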
The 4.0 release of the Nimbus JOSE+JWT library will be announced here and on our Twitter channel.