
Support for JOSE (JSON Signature and Encryption) Standards


I’m not currently a user of OpenAPI but a follower of standards initiatives like OpenBanking/FAPI where members claim that OpenAPI currently does not support JOSE (JSON Signature and Encryption) standards forcing them to use various workarounds.

I wonder if there is anybody out there with knowledge of the OpenAPI platform who could be interested in working with me to integrate the missing support?

There are also enhanced versions of JOSE JWS and JWE in the works (through the IETF), providing Clear Text support which should be a nice fit for information-centric systems, here illustrated by a minute JWS-CT sample:

{
  "@context": "https://example.com/paymentStandard/pay",
  "amount": "255.00",
  "currency": "USD",
  "signature": {
    "alg": "ES256",
    "jwk": {
      "kty": "EC",
      "crv": "P-256",
      "x": "PxlJQu9Q6dOvM4LKoZUh2XIe9-pdcLkvKfBfQk11Sb0",
      "y": "6IDquxrbdq5ABe4-HQ78_dhM6eEBUbvDtdqK31YfRP8"
    },
    "val": "RSLmFihg8QmXxM .... N0lGIdSEYvMMLTL8hEaYV9kW6A"
  }
}

Issue Analytics

  • State: open
  • Created: 6 years ago
  • Reactions: 8
  • Comments: 37 (11 by maintainers)

Top GitHub Comments

cyberphone commented, Apr 8, 2019

@pleothaud I could not open the document because I had no access rights to it. Would it be possible to give it public read access?

cyberphone commented, Feb 13, 2018

Hi Philippe et al. Open Banking UK is a relevant application for this discussion. Here is a scaled-down version of a payment operation:

POST /payments HTTP/1.1
x-jws-signature: TGlmZSdzIGEgam91cm5 ... leSBhg6fttg6gh88bfxmlf5bdDrA3
Content-Type: application/json

{
  "amount": "259.99",
  "currency": "GBP"
}

This scheme has (in my opinion NB) a number of shortcomings like:

  • Ties signatures to HTTP
  • Does not permit signed objects to be embedded in other objects
  • Does not easily facilitate serialization of signed data
  • Shrouds header data in Base64Url

A Cleartext JWS counterpart would address all the issues above:

POST /payments HTTP/1.1
Content-Type: application/json

{
  "amount": "259.99",
  "currency": "GBP",
  "signature": {
    "alg": "RS256",
    "kid": "#45233",
    "val": "Mtqlw2PPUoZSO4DAHNzZ9gk_ ... z8HsK3fE1jux6jFVrrhwSZiRaW6M"
  }
}

Remaining Problem

Strictly speaking none of those schemes properly represent a signed REST request since requests like the above are only fully characterized by the HTTP Body, URL, and HTTP Verb. There are essentially three different ways of dealing with this issue:
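To make the contrast drawn in the comment above concrete, here is an added example (not code from the issue, OpenAPI or Open Banking) that produces both forms for the same payment: the header-bound detached JWS with its Base64Url-encoded header, and the cleartext form with a readable signature object embedded in the JSON, which still verifies after the signed object is nested inside another object. It assumes HS256 with a constructed key in place of the page's RS256/ES256 so that it runs on the Python standard library alone, and uses sorted-key compact JSON as a stand-in for a real canonicalization scheme.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption): HS256 stands in for the RS256/ES256 used on
# the page so the example needs no third-party crypto library.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def canonical(obj: dict) -> bytes:
    # Stand-in for a real JSON canonicalization (assumption): sorted keys, no whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_detached(payload: dict, key: bytes, kid: str) -> str:
    """Header-bound form from the Open Banking example: the protected header is
    Base64Url-encoded and the value travels in an HTTP header, apart from the body
    (RFC 7797 unencoded-payload style, 'header..signature')."""
    header = b64url(canonical({"alg": "HS256", "kid": kid, "b64": False, "crit": ["b64"]}))
    mac = hmac.new(key, header.encode() + b"." + canonical(payload), hashlib.sha256).digest()
    return f"{header}..{b64url(mac)}"


def sign_cleartext(payload: dict, key: bytes, kid: str) -> dict:
    """Cleartext form: the signature object lives inside the JSON with its header
    fields readable. The MAC covers the whole object with 'val' absent."""
    signed = dict(payload)
    signed["signature"] = {"alg": "HS256", "kid": kid}
    mac = hmac.new(key, canonical(signed), hashlib.sha256).digest()
    signed["signature"]["val"] = b64url(mac)
    return signed


def verify_cleartext(signed: dict, key: bytes) -> bool:
    """Recompute the MAC over the object minus 'val'; False on tampering, on a
    missing signature object, or on an algorithm this verifier does not accept."""
    sig = signed.get("signature")
    if not isinstance(sig, dict) or sig.get("alg") != "HS256" or "val" not in sig:
        return False
    to_check = dict(signed)
    to_check["signature"] = {k: v for k, v in sig.items() if k != "val"}
    expected = hmac.new(key, canonical(to_check), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig["val"])
```

Because the signed payment is plain JSON, it can be placed as a field of a larger signed object and both the inner and the outer signature verify independently.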
