What is missing or needs to be updated?
The Token Disclosure section of the JWT cheat sheet mentions encryption of the JWT with AEAD.
The example encrypts the raw token using AES-GCM.
Several things are somewhat weird / not clear:
- it is not clear is we are talking about encryption during transmission on the token or at rest encryption;
- it is not talking about using en encrypted JWT (JWE).
Aead aead = AeadFactory.getPrimitive(keysetHandle);
byte[] cipheredToken = aead.encrypt(jwt.getBytes(), null);
return DatatypeConverter.printHexBinary(cipheredToken);
The implementation might be OK for at-rest encryption (but is not specific to JWTs).
The implementation is weird if we are talking about transferring the JWT. In this case, we expect to use a JWE.
How should this be resolved?
I would probably remove this section nearly entirely and mention using encrypted JWE (JWE) in this case.
What is missing or needs to be updated?
The Token Disclosure section of the JWT cheat sheet mentions encryption of the JWT with AEAD.
The example encrypts the raw token using AES-GCM.
Several things are somewhat weird / not clear:
The implementation might be OK for at-rest encryption (but is not specific to JWTs).
The implementation is weird if we are talking about transferring the JWT. In this case, we expect to use a JWE.
How should this be resolved?
I would probably remove this section nearly entirely and mention using encrypted JWE (JWE) in this case.