Login/Register
What is the mime type to use for JSON Web Encryption
Asked Answered
Solved jsonmime-typesrfcjwe
M

1

6

Looking at RFC 7515 and RFC 7516, I was trying to understand what the proper mime type for the JWE should be. It looks like JWE and JWS share the JOSE header information, and JWS defines its mime type as application/jose. JWE has no explicit media type information. But since the name is "jose" and both use JOSE header, I assume both should use the same mime type (also because JOSE stands for ... Signing and Encryption).

In this case, how do I differentiate between signed and/or encrypted messages? By value of the alg property? Or by presence/value of enc property?

To summarize:

  1. Is "application/jose" a mime type to use for JWE? If not, then what should it be?
  2. If yes, how to reliably tell between JWE and JWS messages?
Monosyllable answered 29/3, 2017 at 18:1 Comment(5)
RFC7519#section-10.3.1 indicates the mime type is application/jwt.Xymenes
@FlorentMorselli That's for JWT, my concern was between JWE and JWS only.Monosyllable
There is no mime type to distinguish JWS and JWE. It is up to the service that receive the token to handle the token type (see tools.ietf.org/html/rfc7516#section9 you mentioned)Xymenes
In any case, nothing prevents you from using your own mime typeXymenes
What's the difference between application/jwt and application/jose?Aquiline
M
3

If I only paid more attention to the original RFC, I would have noticed that there is a section for this particular purpose (section 9).

In short, the code should examine presence of payload, ciphertext or enc properties, or by checking the value of alg. Alternatively, count period separators if compact serialization is used.

This also implies that the mime type for both is the same.

Monosyllable answered 29/3, 2017 at 23:13 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.