julianlam/nodebb-plugin-session-sharing

Allowing JWE as well as JWT tokens

Opened this issue · 4 comments

In my quest to bring our custom version of this project in line with the official release, I have one more task to make them the same.

Our payload cookie is currently encoded using JWE tokens instead of basic JWT. Would it be possible to add a config in the Admin Setting page that allows the switch to JWE encryption?

Would that require a new dependency? It doesn't look like jsonwebtoken supports JWE. If so, do you have a recommended module?

Yes it would. We currently use https://github.com/cisco/node-jose

@uplift If I am reading this correctly, we would be removing our dependency on node-jsonwebtoken and instead use node-jose, is that right?

Seems like a fairly major operation, and wouldn't be backwards compatible with pre-existing installs, unless node-jose can produce a JWS (which is what node-jsonwebtoken currently outputs).

Hi @julianlam. I am curious if it's possible to add this feature as well.

This library https://github.com/panva/jose seems potentially more widely used than the one mentioned above and can produce a JWS for backwards compatibility.

It would also allow for different signing algorithms as requested in issue #31.

I'm not an expert on JWTs or NodeBB but I'd be willing to help if you're interested.
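
The backwards-compatibility concern raised in this thread comes down to telling a signed cookie (JWS, three dot-separated segments) apart from an encrypted one (JWE, five segments) before choosing how to process it. The sketch below is an added example, not code from the plugin or from either library mentioned; the function names and sample tokens are hypothetical, and it only classifies a token: signature verification or decryption still has to be done by a JOSE library.

```javascript
'use strict';

// Decode the protected header (first segment) of a compact JOSE token.
function decodeProtectedHeader(token) {
  const first = token.split('.')[0];
  if (!/^[A-Za-z0-9_-]+$/.test(first)) {
    throw new Error('header segment is not base64url');
  }
  const header = JSON.parse(Buffer.from(first, 'base64url').toString('utf8'));
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    throw new Error('header is not a JSON object');
  }
  return header;
}

// Returns 'JWS' or 'JWE' for a compact token; throws on anything else.
function classifyCompactToken(token) {
  if (typeof token !== 'string') throw new Error('token must be a string');
  const parts = token.split('.');
  const header = decodeProtectedHeader(token);
  if (typeof header.alg !== 'string') throw new Error('header missing "alg"');
  if (parts.length === 3) {
    // JWS compact form: header.payload.signature
    if (header.alg.toLowerCase() === 'none' || parts[2] === '') {
      throw new Error('unsecured JWS rejected');
    }
    return 'JWS';
  }
  if (parts.length === 5) {
    // JWE compact form: header.encryptedKey.iv.ciphertext.tag
    if (typeof header.enc !== 'string') throw new Error('JWE header missing "enc"');
    return 'JWE';
  }
  throw new Error('not a compact JWS or JWE');
}

// Constructed sample tokens (structure only; signature and ciphertext are dummies).
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleJws = [b64({ alg: 'HS256', typ: 'JWT' }), b64({ id: 1 }), 'c2ln'].join('.');
const sampleJwe = [b64({ alg: 'dir', enc: 'A256GCM' }), '', 'aXY', 'Y3Q', 'dGFn'].join('.');
const sampleNone = [b64({ alg: 'none' }), b64({ id: 1 }), ''].join('.');

console.log(classifyCompactToken(sampleJws), classifyCompactToken(sampleJwe));
```

An admin setting for the expected token type should still be enforced after classification, so that an install configured for JWE does not silently accept a signed-only cookie.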