JOSE is a framework intended to provide a method to securely transfer claims (such as authorization information) between parties. The JOSE framework provides a collection of specifications to serve this purpose. A JSON Web Token (JWT) contains claims that can be used to allow a system to apply access control to resources it owns.
JWTs can be represented as either JSON Web Signature (JWS) or a JSON Web Encryption (JWE) objects. Claims within a JWS can be read as they are simply base64-encoded (but carry with them a signature for authentication). Claims in a JWE on the other hand, are encrypted and as such, are entirely opaque to clients using them as their means of authentication and authorization.
This library implements JWS and JWEs along with a subset of the encryption / authentication algorithms recommended by the JOSE framework.
http://jose.readthedocs.org/en/latest
https://travis-ci.org/Demonware/jose
Important: This is a backwards incompatible change, in that tokens produced in this version will not be decipherable by tokens < 1.0.0. The jwe hash string used was changed to use an empty string rather than "." to fall in line with https://tools.ietf.org/html/rfc7518#section-5.2.2.1
Important: Only unencrypted tokens are vulnerable. This fix lead to backward
incompatible change to verify function signature.
Important: This change introduces a temporarily injected key (__v) in order to distinguish between legacy and newly issued tokens. This allows for the use of either token as to not break backwards compatibility and (possibly) degrade user experience. This will be removed for v1.0.
In order to verify whether or not clients are using a legacy token, the application code can verify whether or not the key "__v" is contained in the headers (this can be done after deserialize_compact). The existence of the key identifies a newly created token.
Demian Brecht (demianbrecht) Nick Murtagh (nmurtagh) Jakub Warmuz (kuba) Jaime Pérez (jaimeperez) Yurii Konovaliuk (yuriikonovaliuk)
FAQs
An implementation of the JOSE draft
We found that jose demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Bybit's $1.46B hack by North Korea's Lazarus Group pushes 2025 crypto losses to $1.6B in just two months, already surpassing all of 2024's $1.49B total.
Security News
OpenSSF has published OSPS Baseline, an initiative designed to establish a minimum set of security-related best practices for open source software projects.
Security News
Michigan TypeScript founder Dimitri Mitropoulos implements WebAssembly runtime in TypeScript types, enabling Doom to run after processing 177 terabytes of type definitions.
