The JOSE Framework is a set of specifications for securing digital content using JSON data structures.

The JOSE Framework comprises the JWS, JWE, JWT, JWK, and JWA specifications.

Apinizer supports the JOSE Framework specifications and makes it easy to use.

The JOSE Implementation Policy is used to sign and/or encrypt JSON data returned from the Backend API to the client.

The picture below shows the JOSE Implementation:

The fields used for JOSE Implementation configuration are shown in the table below.

| Field | Description |
|---|---|
| Description | A description may be written to facilitate the utilization and management of the policy. |
| Target to be Signed/Encrypted | Signing/encryption may be applied to the entire message body, or to a part of the message header or body. This field specifies where in the message the data to be signed or encrypted is taken from. |
| Target Variable | When the target is a specific part of the message, this variable indicates where that part is located. |
| Claim Name for Raw Data | The name of the claim under which the target data to be signed or encrypted is included in the JWT or JWE payload. |
| Escape JSON String | If this field is active, the target data is placed into the claim as a string with its JSON characters escaped. Otherwise, the data is added as a JSON element. |
| Add Issue Time | Activate this field to add a creation time to the JWT or JWE. When active, the creation time is added as the "iat" claim. |
| Add Issuer | Activate this field to add information about who created the JWT or JWE to the payload. The value is added as the "iss" (issuer) claim, which identifies the entity that created and signed the payload. |
| Issuer | If "Add Issuer" is active, the value entered here is added to the JWT or JWE as the "iss" claim. |
| Add Audience | Activate this field to add who the JWT or JWE is intended for. When active, the values entered in the "Audience List" field are added as the "aud" claim. |
| Audience List | If "Add Audience" is active, the values entered here are added to the JWT or JWE as the "aud" claim to specify to whom the data is intended. |
| Add Subject | Activate this field if the subject of the data needs to be added to the JWT or JWE. |
| Subject | If "Add Subject" is active, the value entered here is added to the JWT or JWE as the "sub" claim. |
| Add Expiration Time | Activate this field to add an expiration time to the JWT or JWE. When active, the expiration time is added as the "exp" claim. |
| Expiration Time Value | If "Add Expiration Time" is active, the value entered here determines the expiration time that is added to the token as the "exp" claim. |
| Expiration Time Unit | If "Add Expiration Time" is active, this specifies the unit of the value entered in the "Expiration Time Value" field. |
| Additional Claim List | A list of additional claims and their values to be included in the returned JWT or JWE. |
| Sign | Mark this option if the target part of the returned data is to be signed. |
| Sign by Client's JWK | Select this option to sign the returned data based on the user identity. Signing is done with the signature JWK owned by the authorized user. Because access to the client's identity is required, a policy that verifies against the Apinizer Identity Pool must be present in the Request Pipeline. |
| JWK for Signature | Select this option to sign the returned data with a fixed JWK instead of the user identity; signing is done with the JWK selected here. |
| Encrypt | Select this option if the returned data is to be encrypted. For this option to work properly, the "Sign" option must be selected as well. |
| Encryption Method | The encryption algorithm used for the JWE. |
| Encrypt By Client's JWK | Select this option to encrypt the returned data based on the user identity. Encryption is performed with the encryption JWK owned by the authorized user. Because access to the client's identity is required, a policy that verifies against the Apinizer Identity Pool must be present in the Request Pipeline. |
| JWK for Encryption | Select this option to encrypt the returned data with a fixed JWK instead of a user-specific JWK; encryption is performed with the JWK selected here. |
| Injection Target for Generated JWT/JWE | Where in the message the signed and/or encrypted value is placed after successful signing/encryption. |
| Target Variable for Decoded Claims | The variable that indicates where in the message the signed and/or encrypted value is placed. |
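The following added example (not Apinizer's code) shows what the signing path of this policy produces: the backend data is placed under the "Claim Name for Raw Data" either escaped or as a JSON element, the "iat", "iss", "aud", "sub" and "exp" claims and additional claims are added according to the fields above, and the result is emitted as a compact JWS. HS256 with a constructed shared key stands in for the policy's JWK, and the client-side verifier shows the checks a consumer of the token should perform (pinned algorithm, constant-time signature comparison, expiry).

```python
import base64, hashlib, hmac, json, time
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_claims(raw_data, claim_name, escape_json, issuer=None, audience=None,
                 subject=None, exp_value=None, exp_unit="minutes", add_iat=True,
                 extra=None, now=None):
    now = int(time.time()) if now is None else now
    # "Escape JSON String": embed the target as one escaped string, else as a JSON element.
    claims = {claim_name: json.dumps(raw_data, separators=(",", ":")) if escape_json else raw_data}
    if add_iat:
        claims["iat"] = now                     # Add Issue Time
    if issuer:
        claims["iss"] = issuer                  # Add Issuer
    if audience:
        claims["aud"] = audience                # Add Audience / Audience List
    if subject:
        claims["sub"] = subject                 # Add Subject
    if exp_value is not None:                   # Add Expiration Time: value * unit
        claims["exp"] = now + exp_value * UNIT_SECONDS[exp_unit]
    claims.update(extra or {})                  # Additional Claim List
    return claims

def sign_hs256(claims, key: bytes) -> str:
    # Compact JWS; HS256 with a shared key is assumed here instead of the policy's JWK.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes, now=None):
    # Client side: pin the algorithm, check the MAC, then the "exp" claim. None means reject.
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims
```

When "Encrypt" is also selected, this signed token would be the plaintext of the JWE; that step needs a JWE library and is not shown here.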

You can visit the Policies page for the details of the Conditions and Error Message Customization panels.