First release candidate of Nimbus JOSE + JWT 4.0

The fourth release of the Nimbus JOSE + JWT library introduces a comprehensive framework for developers to process web tokens securely and safely, something that few other libraries have tackled.

The framework is based on the key identification and key selection recommendations of the JOSE standard (as per RFC 7115), and works in three steps:

  1. Identify key candidates for verifying / decrypting the token, based on application-specific parameters included in the JOSE header and other contextual information, such as its sender or the channel.

  2. Only then is the token verified / decrypted, by creating a JWS verifier / JWE decrypter for the appropriate algorithm. If the cryptographic algorithm of the selected key does not match the algorithm of the token, the token is rejected.

  3. Finally, verify the token claims, again according to the rules of the application, e.g. by checking whether the issuer (iss claim) is accepted.

This framework should save developers from common pitfalls that compromise security, such as accepting alg:none tokens without sufficient checks of their context (e.g. whether they were received over a TLS/SSL channel), or relying solely on the alg header parameter to kick-start verification / decryption.
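A wiring of the three steps against the 4.x com.nimbusds.jwt.proc API, added here as an illustration; it is not code from this post or from the Nimbus project. The class name, the kid-to-RSA-public-key map, the expected issuer and the fixed RS256 expectation are this example's assumptions, and the class and method names are those of the 4.x API as it settled after this release candidate, so rc1 may differ in detail.

```java
import java.security.Key;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.proc.*;   // JWSKeySelector, SecurityContext, SimpleSecurityContext
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.*;    // DefaultJWTProcessor, ConfigurableJWTProcessor, JWTClaimsVerifier

public class IssuerBoundJWTProcessing {   // hypothetical class name, not from the library
    // Step 1: choose key candidates by "kid" plus the algorithm the application expects (RS256 here).
    // The header "alg" is only compared against that expectation; it never picks the verifier.
    static JWSKeySelector<SecurityContext> keySelector(final Map<String, RSAPublicKey> keysByKid) {
        return new JWSKeySelector<SecurityContext>() {
            @Override
            public List<? extends Key> selectJWSKeys(JWSHeader header, SecurityContext ctx) {
                RSAPublicKey key = JWSAlgorithm.RS256.equals(header.getAlgorithm()) ? keysByKid.get(header.getKeyID()) : null;
                if (key == null) {
                    return Collections.<Key>emptyList();   // HS256, unknown kid, etc.: no candidates
                }
                return Collections.singletonList(key);
            }
        };
    }
    // Step 3: application rules for the claims, here a trusted issuer and a present, unexpired "exp".
    static JWTClaimsVerifier claimsVerifier(final String expectedIssuer) {
        return new JWTClaimsVerifier() {
            @Override
            public void verify(JWTClaimsSet claims) throws BadJWTException {
                if (!expectedIssuer.equals(claims.getIssuer())) {
                    throw new BadJWTException("Unexpected issuer: " + claims.getIssuer());
                }
                Date exp = claims.getExpirationTime();
                if (exp == null || !exp.after(new Date())) {
                    throw new BadJWTException("Missing or expired exp claim");
                }
            }
        };
    }
    // Step 2 is the processor's job: it builds a verifier for each candidate key and rejects the token on a
    // key/algorithm mismatch. Plain (alg:none) JWTs are rejected outright; with no JWE key selector, so are encrypted JWTs.
    static ConfigurableJWTProcessor<SecurityContext> processor(Map<String, RSAPublicKey> keys, String issuer) {
        ConfigurableJWTProcessor<SecurityContext> p = new DefaultJWTProcessor<SecurityContext>();
        p.setJWSKeySelector(keySelector(keys));
        p.setJWTClaimsVerifier(claimsVerifier(issuer));
        return p;
    }
    // Usage: claims = processor(keys, "https://issuer.example").process(token, new SimpleSecurityContext());
}
```

Any step that rejects the token surfaces as a BadJOSEException from process(), while a malformed token surfaces as a ParseException, so callers can distinguish garbage from a failed security check.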

For more information see the com.nimbusds.jwt.proc JavaDocs.

Other highlights of the 4.0 release?

  • All internal cryptography operations now use the standard JCA interfaces. The hard dependency on BouncyCastle has been removed.
  • The JWS signers / verifiers and JWE encrypters / decrypters can be set with specific JCA providers for all or selected operations.
  • Support for password-based JWE algorithms PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW.
  • Support for Elliptic Curve Diffie-Hellman JWE algorithms ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW.
  • Numerous other improvements.

Want to try out the 4.0 release before it becomes final?

The Maven dependency for the first 4.0 release candidate:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>4.0-rc1</version>
</dependency>

For other methods check out the downloads page.

Feedback

We'll be delighted to hear what you think, particularly of the new JWT processing framework.