Nimbus JOSE + JWT updated to draft suite 10
The Nimbus library for processing JWS/JWE/JWK/JWT objects in Java was updated to comply with the latest draft suite v10 released by the JOSE WG:
- JWA draft-ietf-jose-json-web-algorithms-10
- JWS draft-ietf-jose-json-web-signature-10
- JWE draft-ietf-jose-json-web-encryption-10
- JWK draft-ietf-jose-json-web-key-10
- JWT draft-ietf-oauth-json-web-token-07
An important change is the new method for authenticated AES/CBC encryption based on draft-mcgrew-aead-aes-cbc-hmac-sha2-01 – Authenticated Encryption with AES-CBC and HMAC-SHA. This replaced the previously used method based on a concatenating KDF.
Other changes include the introduction of an “crit” header parameter to designate custom JWS/JWE headers that shouldn’t be ignored by clients, also several changes in terminology and a change in AAD computation for AES/GCM to allow multiple recipients. The complete change log can be found in the draft document histories and the respective CHANGELOG file in the library package.
The new library version should appear in Maven Central within a few hours.
Thanks to everyone who contributed, also to our colleagues on the JOSE WG who continue work on refining the specs.