What is the difference between JWT and JWS?

Viewed 2,145 times

6

I asked a question a little while ago on the site regarding the JWT, which is used to create access tokens through JSON.

I tried to implement JWT between two applications that use different versions of a library that generates JWT tokens.

Namely version 0.4 and 0.5 of this library.

I was seeing that an error was being generated between these two applications, even though the private key was the same and the claims were also recognized normally. But I could tell by using JWT.IO that the type in the header result was different.

When I pasted a token (generated by version 0.4 of the library), this would appear in the HEADER section:

{
  "alg": "HS256",
  "typ": "JWS"
}

When I used the token generated by version 0.5 of the above library, this appeared in the HEADER:

{
  "typ": "JWT",
  "alg": "HS256"
}

So I guess that’s why I haven’t been able to maintain JWT communication between the two applications, since each one is implementing a different typ.

I have some doubts:

  • What is the difference between JWS and JWT?
  • What would that typ be in a JWT token header?
  • 4

    Whoever came up with these names is bad at marketing. Even with the previous discussion about JWT, I keep looking at these acronyms and immediately thinking about Java!

  • @bfavaretto kkkkk, that’s exactly it. The problem is that you still had two answers deleted in the other questions. Not that the other one is fine, but having more than one answer for me creates more security.

1 answer

2

JWT uses JWS for its signature, from the specification:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.

So a JWT is a JWS structure with a JSON object as the payload. Some optional keys (or claims) have been defined, such as iss, aud, exp, etc.

It also means that your integrity protection is not only limited to shared secrets, but public/private key encryption can also be used.

"typ" (Type) Header Parameter: The "typ" (type) Header Parameter defined by [JWS] and [JWE] is used by JWT applications to declare the media type [IANA.MediaTypes] of this JWT
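
The two headers from the question, reproduced as an added example that is not part of the original post or of either library version. It builds both tokens with the same key and claims and shows that the HS256 check passes for each, so only a verifier that enforces a typ policy would reject one of them. The key, the claims and the function names are constructed for the illustration, and whether the library in the question enforces typ is an assumption.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """JWS compact serialization: b64(header).b64(payload).b64(mac)."""
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify_hs256(token: str, key: bytes, allowed_typ=None) -> dict:
    """Check the MAC, then optionally enforce a typ policy.
    allowed_typ=None ignores typ; otherwise typ must be in the given set."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm instead of trusting whatever the header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # The MAC covers the encoded header, so typ cannot be altered in transit.
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if allowed_typ is not None and str(header.get("typ", "")).upper() not in allowed_typ:
        raise ValueError("unexpected typ")
    return json.loads(b64url_decode(body_b64))

KEY = b"constructed-demo-key"               # constructed sample secret
CLAIMS = {"iss": "app-a", "sub": "42"}      # constructed sample claims
tok_jws = sign_hs256({"alg": "HS256", "typ": "JWS"}, CLAIMS, KEY)  # 0.4-style header
tok_jwt = sign_hs256({"typ": "JWT", "alg": "HS256"}, CLAIMS, KEY)  # 0.5-style header

def typ_rejected(token: str, allowed: set) -> bool:
    """True only when the token fails because of the typ policy."""
    try:
        verify_hs256(token, KEY, allowed)
        return False
    except ValueError as exc:
        return str(exc) == "unexpected typ"
```

Because the header is part of the signed input, a receiver that needs to accept both tokens has to widen its typ policy (for example `{"JWT", "JWS"}`); rewriting the header on an existing token invalidates the signature.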
