JOSE Implementation
The JOSE Framework is a set of specifications for securing digital content using JSON data structures.
The JOSE Framework includes features such as JWS, JWE, JWT, JWK, and JWA.
Apinizer supports the JOSE Framework specifications and makes it easy to use.
The JOSE Implementation Policy is used to sign and/or encrypt JSON data returned from the Backend API to the client.
The picture below shows the JOSE Implementation:
The fields used for JOSE Implementation configuration are shown in the table below.
Field | Description |
---|---|
Description | A description may be written to facilitate the utilization and management of the policy. |
Target to be Signed/Encrypted | It may be desirable to apply signing/encryption to the entire message body, or part of the header or body of the message. This field is used to specify where in the message the data will be used for signing or encryption. |
Target Variable | This variable is used to indicate where a specific part of the message is located, in case the target is a certain part of the message. |
Claim Name for Raw Data | Indicates which Claim name the target data to be signed or encrypted will be included in the JWT or JWE data. |
Escape JSON String | If the "Escape JSON String" field is active, the Json characters in the data to be placed into the Claim are placed by escaping JSON characters. Otherwise, the data to be placed is added as a JSON element. |
Add Issue Time | If you want to add a creation date to the JWT or JWE data, this field is activated. If this field is active, the creation time is added to JWT or JWE as the "iat" claim. |
Add Generated ID | It adds a randomly generated value to the "jti" field in the JWT. |
Add Issuer | If the information about who created the JWT, or JWE data is desired to be added to the payload, this field can be activated. This field is referred to as the "issuer" claim, and it specifies the entity that created and signed the payload. |
Issuer | If the "Add Issuer" field is activated, the value entered in the "Issuer" field is added as the "iss" claim to JWT, or JWE. |
Add Audience | If you want to add who the data is intended for within JWT, or JWE data, the "Add Audience" field can be activated. When this field is active, the value entered in the "Audience" field is added as the "aud" claim in JWT, or JWE. |
Audience List | If the "Add Audience" field is activated, the values entered in the "Audience List" field will be added as the "aud" claim in JWT or JWE to specify to whom the data is intended. |
Add Subject | If the subject of the data needs to be added to JWT, or JWE, this field is activated. |
Subject | If the "Add Subject" field is activated, the value entered in the "Subject" field is added to the JWT, or JWE as the "sub" claim. |
Add Expiration Time | If you wish to add an expiration date to the data in JWT, or JWE, this field is activated. When this field is active, the expiration time is added as the "exp" claim to the JWT, or JWE. |
Expiration Time Value | If you wish to add an expiration time for the data included in JWT, or JWE, you can activate the "Add Expiration Time" field. The value entered in the "Expiration Time Value" field will then be added to the token as the "exp" claim. |
Expiration Time Unit | If the "Add Expiration Time" field is active, it specifies the unit of the value entered in the "Expiration Time Value" field as the "exp" claim in JWT or JWE. |
Additional Claim List | This is a list of the claims and their values that will be included in the returned JWT, or JWE data. |
Sign | This value is marked if the target part of the returned data want to be signed. |
Sign by Client's JWK | If you wish to perform an operation based on the user identity for signing the returned data, this option is selected. Signing is done with the Signature JWK owned by the authorized user. If this option is selected, there must be a policy that verifies with the Apinizer Identity Pool in the Request Pipeline, as access to the client's identity is required. |
JWK for Signature | If signing of the returned data is desired to be done with a fixed JWK instead of the user identity, this option is selected and the signing is done with the JWK selected here. |
Encrypt | If the returned data is desired to be encrypted, this option is selected. For this option to work properly, the "Sign" option must be selected as well. |
Encryption Method | The encryption algorithm is selected. |
Encrypt By Client's JWK | If the encryption of the returned data is to be performed depending on the user identity, this option is selected. Encryption is performed with the encryption JWK owned by the authorized user. If this option is selected, there must be a policy that verifies with the Apinizer Identity Pool in the Request Pipeline, as access to the client's identity is required. |
JWK for Encryption | If encryption of the returned data is desired using a fixed JWK instead of a user-specific JWK, this option is selected and encryption is performed with the JWK selected here. |
Injection Target for Generated JWT/JWE | Indicates where the signed and/or encrypted value will be placed in the message after successful signing/encryption. |
Target Variable for Decoded Claims | Variable used to indicate where the signed and/or encrypted value will be placed in the message. |
You can visit the Policies page for the details of the Conditions and Error Message Customization panels.