8

Looking at RFC 7515 and RFC 7516, I was trying to understand what the proper mime type for the JWE should be. It looks like JWE and JWS share the JOSE header information, and JWS defines its mime type as application/jose. JWE has no explicit media type information. But since the name is "jose" and both use JOSE header, I assume both should use the same mime type (also because JOSE stands for ... Signing and Encryption).

In this case, how do I differentiate between signed and/or encrypted messages? By value of the alg property? Or by presence/value of enc property?

To summarize:

  1. Is "application/jose" a mime type to use for JWE? If not, then what should it be?
  2. If yes, how to reliably tell between JWE and JWS messages?
Improve this question
5
  • 2
    RFC7519#section-10.3.1 indicates the mime type is application/jwt. Commented Dec 21, 2017 at 7:46
  • @FlorentMorselli That's for JWT, my concern was between JWE and JWS only. Commented Dec 21, 2017 at 15:09
  • 1
    There is no mime type to distinguish JWS and JWE. It is up to the service that receive the token to handle the token type (see tools.ietf.org/html/rfc7516#section9 you mentioned) Commented Dec 21, 2017 at 16:33
  • In any case, nothing prevents you from using your own mime type Commented Dec 21, 2017 at 17:06
  • What's the difference between application/jwt and application/jose? Commented Oct 21, 2022 at 5:51

1 Answer 1

Reset to default
5

If I only paid more attention to the original RFC, I would have noticed that there is a section for this particular purpose (section 9).

In short, the code should examine presence of payload, ciphertext or enc properties, or by checking the value of alg. Alternatively, count period separators if compact serialization is used.

This also implies that the mime type for both is the same.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.