I am developing an integration client for a web-service which is based on content-type = application/jose.

It means I have to send the message body in terms of JWS / JWT. Now, I have reviewed JWS and JWT and found that they comprise a Header that contains the algorithm details and a Payload that contains the payload to be transferred, but I haven't seen any example on the internet where the actual payload is encoded in a JWT. I only see fields like sub, iat, date time etc.

I want to know, that if my request body in terms of decoded JSON is:

{
  "instruction_id": "1",
  "account_code": "1234",
  ...
  ...
}

Then in this case, what will the payload be? I haven't found any big difference between JWS and JWT; they both comprise a header, payload and signature (applied using a private or public key on header.payload).

Can someone elaborate on their actual difference and respond to my payload query above?

Jawad-Dev
  • But the exposing party has provided us with the document in which it has been written that we have to pass a JWS with each API request. In the samples of requests and responses it has shown us decoded JSON but expects us to encode it as a JWT/JWS cryptogram while sending. Please suggest – Jawad-Dev Jun 22 '20 at 10:29
  • Sorry, I completely overlooked your `application/jose` requirement. – jAC Jun 22 '20 at 10:31
  • Can you please help me? :) – Jawad-Dev Jun 22 '20 at 10:32
  • payload: you can basically put whatever you want into the payload, as long as it is in JSON format. Regarding JWT vs. JWS: https://stackoverflow.com/questions/27640930/what-is-the-difference-between-json-web-signature-jws-and-json-web-token-jwt – jps Jun 22 '20 at 10:35
  • Then what are these components in the payload: iat, sub, iss, exp? Is it mandatory to put them too? – Jawad-Dev Jun 22 '20 at 10:37

1 Answer

JWT stands for "JSON Web Token" and it represents some form of authentication to grant an application the right to consume some resource on behalf of an end user.

Because of that you see those claims: "sub" (subject): the final user; "exp" (expiration): the expiration time; "aud": the resource server intended to receive this token; "iss" (issuer): the auth server that creates the token; "iat" (issued at): the time when the token was created; etc. They are all standard claims that represent something when talking about authorization/authentication. Anyway, you can add other custom claims you consider necessary.

But the problem, I think, is that your use case is different; probably it has more to do with JWE than JWT. With respect to JWS, it is the standard to represent the signature.

JArgente
  • Thank you for the response. They have mentioned that **Each API call must include JWS in request that should be validated by receiving participant.** Along with this they have also provided me with the JWT specification in which those claims are written. I am actually confused about whether I have to send my request body (JSON) as a JWS cryptogram or a JWT, or whether I have to use JWS to encode the body and JWT to generate the token. If I am asking anything wrong please correct me. – Jawad-Dev Jun 22 '20 at 10:52
  • Is it possible that the JWS that must be present in the request could be a JWT token to allow the receiving participant to check that the user making the request is a valid user? Or must the content of the JWT (payload) include the data of the request itself? – JArgente Jun 22 '20 at 11:07
  • That's my question: whether I have to use JWS for bundling my data or JWT as a payload? – Jawad-Dev Jun 22 '20 at 11:10
  • I have never seen JWT used as a way to send data other than authorization data; the usual way to make REST API calls is to make the HTTP request with the data needed to perform the operation in the body or query params and, apart from that, use the Authorization header to include a JWT with information about the final user and authorization process (expiration time, subject, issuer, etc.). And then, when the request gets to its destination, the server will take that token and validate it before performing the actual operation. But I don't know what your requirements are – JArgente Jun 22 '20 at 11:18
  • What if I want to add the JWS in a JWT? Is this possible? – Jawad-Dev Jun 22 '20 at 12:29
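To make the payload question concrete, here is an added example (not from the question or the answer above) that signs the request body from the question as a JWS compact serialization and verifies it on the receiving side; the same function also shows that a JWT is just a JWS whose payload is a claims set with "exp" and friends. It assumes HS256 with a shared secret so that it runs with only the Python standard library (an application/jose integration would more likely use a private key), and the secret and request body are constructed samples.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    # base64url without padding, as the JWS compact serialization requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload: dict, key: bytes) -> str:
    # Any JSON object can be the payload: the request body from the question
    # or a JWT claims set. HS256 keeps this self-contained; a real integration
    # would more likely sign with a private key (RS256/ES256).
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = header + "." + body
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jws(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    # The receiver pins the algorithm it expects instead of trusting the
    # header's "alg", compares MACs in constant time, and only then parses
    # the payload. Raises ValueError on any failure.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    # Only when the payload is a JWT claims set do registered claims such as
    # "exp" carry meaning; a plain request body is not required to have them.
    if "exp" in payload and payload["exp"] < time.time():
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret
    token = sign_jws({"instruction_id": "1", "account_code": "1234"}, key)
    print(token, verify_jws(token, key))
```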