JWT support
ISAM supports JWT through the Security Token Service (STS), which exposes a JWT module.
This module can be run in one of two modes:
- Validate: consumes a JWT.
- Issue: creates a JWT.
Both modes support signing and encryption, and each performs some basic handling of claims: Validate checks them, Issue populates them.
ISAM supports consuming a nested JWT, which is signalled by the header parameter "cty":"JWT" (RFC 7519 section 5.2). This support applies only when the JWT is both signed and encrypted, that is, a signed JWS wrapped inside a JWE in the order described in RFC 7519 section 11.2; a nested token is not consumed from a JWT that is only signed or only encrypted.
The JWT module supports the following JSON Web Algorithms.
A required key size indicates that an error occurs if this value is not supplied. A suggested key size indicates the minimum value to achieve a reasonable level of security.
Signing algorithms (JWS "alg"):

Algorithm | Uses symmetric key | Uses certificates | Required key size | Suggested key size
----------|--------------------|-------------------|-------------------|-------------------
HS256     | Yes                | No                |                   | 256 bits
RS256     | No                 | Yes               |                   | At least 2048 bits
ES256     | No                 | Yes               | 256 bits (P-256)  |
HS384     | Yes                | No                |                   | 384 bits
RS384     | No                 | Yes               |                   | At least 2048 bits
ES384     | No                 | Yes               | 384 bits (P-384)  |
HS512     | Yes                | No                |                   | 512 bits
RS512     | No                 | Yes               |                   | At least 2048 bits
ES512     | No                 | Yes               | 521 bits (P-521)  |

Key management (encryption key) algorithms (JWE "alg"):

Algorithm      | Uses symmetric key | Uses certificates | Required key size
---------------|--------------------|-------------------|------------------
RSA1_5         | No                 | Yes               | At least 2048 bits
RSA-OAEP       | No                 | Yes               | At least 2048 bits
RSA-OAEP-256   | No                 | Yes               | At least 2048 bits
A128KW         | Yes                | No                | 128 bits
A192KW         | Yes                | No                | 192 bits
A256KW         | Yes                | No                | 256 bits
A128GCMKW      | Yes                | No                | 128 bits
A192GCMKW      | Yes                | No                | 192 bits
A256GCMKW      | Yes                | No                | 256 bits
dir            | Yes                | No                | The CEK size that the chosen content encryption algorithm requires (see the next table)
ECDH-ES        | No                 | Yes               |
ECDH-ES+A128KW | No                 | Yes               |
ECDH-ES+A192KW | No                 | Yes               |
ECDH-ES+A256KW | No                 | Yes               |

RSA1_5 uses PKCS#1 v1.5 padding, which is exposed to padding-oracle (Bleichenbacher-style) attacks whenever a decryption failure is observable to the sender; prefer RSA-OAEP-256 for new configurations.

Content encryption algorithms (JWE "enc"):

Algorithm     | Uses symmetric key | Required key size
--------------|--------------------|------------------
A128GCM       | Yes                | 128 bits
A192GCM       | Yes                | 192 bits
A256GCM       | Yes                | 256 bits
A128CBC-HS256 | Yes                | 256 bits
A192CBC-HS384 | Yes                | 384 bits
A256CBC-HS512 | Yes                | 512 bits
- For every key management algorithm except "dir", the module generates the Content Encryption Key (CEK) itself. With "dir" there is no key wrapping: the key that you supply is used directly as the CEK, so it must be exactly the size that the chosen content encryption algorithm requires (for example, 128 bits for A128GCM but 256 bits for A128CBC-HS256).
- Each character in the "symmetricKey" field counts as 8 bits, so a 128-bit key is a 16-character string and a 256-bit key is a 32-character string. Because printable ASCII carries at most about 6.6 bits of entropy per character, a 16-character string never holds a full 128 bits of entropy; generate the value with a cryptographically secure random generator rather than choosing a passphrase.
The algorithms listed above are defined in the JSON Web Algorithms (JWA) specification, RFC 7518: https://tools.ietf.org/html/rfc7518.
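The following is an added example, not ISAM or STS code, that models the rules described above in plain Python with only the standard library: the symmetricKey character-to-bit arithmetic, the required CEK size for alg "dir", and an Issue/Validate round trip for the HS256, HS384 and HS512 signing algorithms with basic claim checks. It assumes that a key below the suggested size is reported as a warning rather than an error, that an HMAC-verified token must carry an HMAC "alg" (so "none" or an RSA/EC algorithm is refused), and that a signed-only token carrying "cty":"JWT" is rejected because nested JWTs are only consumed when the outer token is also encrypted; the key and claims are constructed sample data.

```python
"""Added example (not ISAM/STS code): key-size rules and an HS* JWT round trip."""
import base64
import hashlib
import hmac
import json
import time

# Suggested HMAC key sizes from the signing table. Assumption for this
# example: a shorter key produces a warning, not an error.
HMAC_SUGGESTED_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
HMAC_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Required CEK sizes from the content encryption table (RFC 7518 section 5).
# With alg "dir" the supplied symmetricKey is the CEK, so the size is required.
DIR_CEK_BITS = {
    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
    "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512,
}


def symmetric_key_bits(symmetric_key):
    """Each character of the symmetricKey field is one 8-bit byte."""
    return len(symmetric_key.encode("ascii")) * 8


def check_dir_key(symmetric_key, enc):
    """Enforce the required CEK size for alg "dir"; returns the size in bits."""
    if enc not in DIR_CEK_BITS:
        raise ValueError(f"unsupported content encryption algorithm {enc!r}")
    have, need = symmetric_key_bits(symmetric_key), DIR_CEK_BITS[enc]
    if have != need:
        raise ValueError(f'alg "dir" with enc {enc} needs a {need}-bit key, got {have} bits')
    return need


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs(claims, symmetric_key, alg="HS256", warnings=None, extra_header=None):
    """Issue mode: build a compact JWS over the claims with an HMAC algorithm."""
    if alg not in HMAC_HASHES:
        raise ValueError(f"unsupported signing algorithm {alg!r}")
    bits = symmetric_key_bits(symmetric_key)
    if bits < HMAC_SUGGESTED_BITS[alg] and warnings is not None:
        warnings.append(f"{alg} key is {bits} bits; at least {HMAC_SUGGESTED_BITS[alg]} bits suggested")
    header = {"alg": alg, "typ": "JWT", **(extra_header or {})}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    tag = hmac.new(symmetric_key.encode("ascii"), signing_input.encode("ascii"), HMAC_HASHES[alg]).digest()
    return f"{signing_input}.{b64url_encode(tag)}"


def validate_hs(token, symmetric_key, expected_iss=None, now=None):
    """Validate mode: verify the HMAC, refuse an unencrypted nested JWT, then
    apply basic claim checks (exp, iss). Returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    # Pin the algorithm family to the key type in hand: never honour "none"
    # or a switch to RSA/EC when the verification key is an HMAC secret.
    if alg not in HMAC_HASHES:
        raise ValueError(f"unexpected alg {alg!r} for an HMAC-verified token")
    expected = hmac.new(symmetric_key.encode("ascii"),
                        f"{parts[0]}.{parts[1]}".encode("ascii"), HMAC_HASHES[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    # Assumed policy mirroring the text: a nested JWT is only consumed from a
    # token that is both signed and encrypted, so a signed-only outer token
    # with cty "JWT" is refused here.
    if str(header.get("cty", "")).upper() == "JWT":
        raise ValueError('nested JWT (cty "JWT") is only accepted inside a signed and encrypted token')
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token has expired")
    if expected_iss is not None and claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    return claims


if __name__ == "__main__":
    key = "0123456789abcdef0123456789abcdef"  # constructed sample: 32 chars = 256 bits
    token = issue_hs({"iss": "https://isam.example", "sub": "alice", "exp": 2000000000}, key)
    print(validate_hs(token, key, expected_iss="https://isam.example"))
    print(check_dir_key("0123456789abcdef", "A128GCM"))
```

The two checks most often missed in home-grown validators are both present here: the accepted algorithm is pinned to the type of key in hand (so an attacker cannot downgrade to "none" or feed an RSA public key as an HMAC secret), and the signature is compared with a constant-time function before any claim is parsed or trusted.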