I have chanced upon this wonderful library for Java, nimbus-JOSE, for the use of JSON Web Encryption. This library is simple and requires few lines for JWE encryption and decryption; the snippet below shows JWE encryption.
// header (JWEHeader), builder (JWTClaimsSet.Builder) and keyProvider are defined elsewhere in the surrounding code
EncryptedJWT jwt = new EncryptedJWT(header, builder.build());
RSAEncrypter encrypter = new RSAEncrypter((RSAPublicKey) keyProvider.getDefaultPublicKey());
try {
    jwt.encrypt(encrypter);
} catch (JOSEException e) {
    throw new RuntimeException("Failed to generate encrypted token", e);
}
return jwt.serialize();
However, I had some questions regarding this library even after reading its javadocs and documentation. With respect to JWE and this library specifically,
- After decrypting the JWE, how does one validate the authenticity of the JWE? There are no "signatures" in a JWE, so how do the 5 parts of the JWE help to check for validity? Is there any support for this in the library?
- Other than the header and the claims, are the other fields in the JWT randomly generated by the library? (I was not able to find clear evidence of this.)
- If I use alg: "RSA-OAEP", enc: "A128GCM", I should be getting a different JWE every time I encrypt; however, I have been getting the same JWE. Shouldn't RSA-OAEP-256 prevent this from happening? What is the detailed sequence of the encryption and decryption flow?
- I have been trying to find a similar library in JavaScript but was unable to find one like nimbus-jose, which was for Java. If anyone has a recommendation, please do help below! I would like to thank anyone who can help with my queries. All inputs are welcome. :)
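The following is an added, self-contained example (not the poster's code) that exercises the first three questions with the nimbus-jose-jwt API: it encrypts the same claims twice with RSA-OAEP-256 and A128GCM to show that the library draws a fresh random content-encryption key and IV each time, so the five serialized parts differ between runs; it then decrypts and reads the claims; and finally it flips one byte of the ciphertext part to show that the fifth part, the AES-GCM authentication tag, makes the library reject a modified token with a JOSEException. The key is generated in-process with RSAKeyGenerator, and the class and variable names are assumptions for the demo.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTClaimsSet;

// Demo class (assumed name): shows per-encryption randomness and the GCM auth tag check.
public class JweAuthTagDemo {

    // Encrypts the claims under the recipient's public key and returns the compact serialization.
    static String encrypt(JWEHeader header, JWTClaimsSet claims, RSAKey recipientKey) throws JOSEException {
        EncryptedJWT jwt = new EncryptedJWT(header, claims);
        // A random CEK and a random 96-bit GCM IV are generated inside encrypt() on every call.
        jwt.encrypt(new RSAEncrypter(recipientKey));
        return jwt.serialize();
    }

    // Parses a compact JWE, decrypts it with the private key and returns the claims.
    // A wrong key or any modification of the protected header, encrypted key,
    // IV, ciphertext or tag surfaces here as a JOSEException.
    static JWTClaimsSet decrypt(String compactJwe, RSAKey recipientKey) throws Exception {
        EncryptedJWT jwt = EncryptedJWT.parse(compactJwe);
        jwt.decrypt(new RSADecrypter(recipientKey));
        return jwt.getJWTClaimsSet();
    }

    // Returns a copy of the token with the first byte of the ciphertext part (index 3) flipped.
    static String flipCiphertextByte(String compactJwe) {
        String[] parts = compactJwe.split("\\.");
        byte[] ciphertext = new Base64URL(parts[3]).decode();
        ciphertext[0] ^= 0x01;
        parts[3] = Base64URL.encode(ciphertext).toString();
        return String.join(".", parts);
    }

    public static void main(String[] args) throws Exception {
        // Constructed test key: generated here for the demo, not a deployed key.
        RSAKey recipientKey = new RSAKeyGenerator(2048).keyID("demo-key").generate();

        JWEHeader header = new JWEHeader(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A128GCM);
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice")
                .issuer("https://issuer.example")   // constructed value
                .build();

        // 1) Same header, same claims, same key: the serializations still differ,
        //    because the CEK (part 2, RSA-OAEP wrapped), IV (part 3), ciphertext (part 4)
        //    and auth tag (part 5) are all derived from fresh randomness.
        String jwe1 = encrypt(header, claims, recipientKey);
        String jwe2 = encrypt(header, claims, recipientKey);
        System.out.println("Two encryptions differ: " + !jwe1.equals(jwe2));
        System.out.println("Part count: " + jwe1.split("\\.").length);   // 5

        // 2) Normal decryption recovers the claims.
        System.out.println("Subject after decrypt: " + decrypt(jwe1, recipientKey).getSubject());

        // 3) Authenticity: A128GCM is an AEAD mode. The tag in part 5 covers the protected
        //    header, IV and ciphertext, so a single flipped byte is rejected before any
        //    plaintext is returned. There is no separate signature to verify; the tag check
        //    performed inside decrypt() is the integrity guarantee for a JWE.
        try {
            decrypt(flipCiphertextByte(jwe1), recipientKey);
            System.out.println("Tampered token accepted (unexpected)");
        } catch (JOSEException e) {
            System.out.println("Tampered token rejected: " + e.getMessage());
        }
    }
}
```

Two points follow from this for a practitioner. The auth tag only proves the token was produced by someone holding the recipient's public key, which is public; if you need to know which sender produced the token, nest a signed JWT (JWS) inside the JWE, or use an authenticated key agreement, rather than relying on the tag alone. And if two encryptions of the same claims ever come out byte-identical, the randomness is being reused somewhere outside the library (for example a cached serialization or a deterministic test SecureRandom), since the code path above does not allow that.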