I've been coding a RESTful service in Java. This is what I've understood till now:
Token authorization is done using JSON Web Tokens (JWT) which have three parts: the header, the payload, and the secret (shared between the client and the server).
I understood this concept and stumbled over JSON Web Signature (JWS) while reading about JWT.
JWS also is an encoded entity similar to JWT having a header, payload, and a shared secret.
What is the difference between the two concepts, namely JWT and JWS? And if they are alike technically, then what's the difference in their implementation?
This is the first time I'm working with token-based authentication, so it's possible I've misunderstood the concept altogether.
P.S.: I learned about JWS while browsing through the examples on this website.
JWT actually uses JWS for its signature. From the specification's abstract:
So a JWT is a JWS structure with a JSON object as the payload. Some optional keys (or claims) have been defined such as
iss
,aud
,exp
, etc.This also means that its integrity protection is not just limited to shared secrets, but public/private key cryptography can also be used.