JWT Token Generation for HMAC using SHA Algorithm
Introduction
JSON Web Tokens (JWT) can be integrity protected with a Hash-based Message Authentication Code (HMAC). The producer and consumer must possess a shared secret, negotiated through some out-of-band mechanism before the JWS-protected object is communicated (unless the producer secures the JWS object for itself).
We are using the Nimbus JOSE+JWT and JJWT libraries, which support all standard JWS algorithms for HMAC protection (note the minimum secret length requirement for each):
- HS256 - HMAC with SHA-256, requires a 256+ bit secret
- HS384 - HMAC with SHA-384, requires a 384+ bit secret
- HS512 - HMAC with SHA-512, requires a 512+ bit secret
The JWT includes a set of claims or assertions, packaged in a JSON object. The treatment of the claims is application-specific, so they must be checked by your application code after the signature has been verified.
JSON Web Key Format for HMAC using SHA Algorithm
- JWKS for HMAC HS384 (Sample)
{
"keys": [{
"kty": "oct",
"kid": "32502afd-077e-4c38-bb1c-9f7ee2069b0d",
"k": "AVQ-4XgHTI_KVV2h27nCBkTGb7NK3QEghlB1sYYoNlXsEzKTv8YAXWdBp6cH4yc",
"alg": "HS384"
}]
}
- HS256
{
"keys": [{
"kty": "oct",
"kid": "27a7cb2b-6f0f-4722-a735-a45eb95b28a7",
"k": "G37cfUp9nhwlxZDL2x0ecfKpzbhMT7zHYS786T-n0II",
"alg": "HS256"
}]
}
- HS512
{
"keys": [{
"kty": "oct",
"kid": "1a35af02-71fe-4240-b9ed-f90482e405bc",
"k": "_A3GhQMmfixjef5G9bFNKu7XhY7i1Tf5gyuWHrFIVTBk4t9APCX8Foq1SJWgCspLy3MuLgrI7js0JS65M78dg",
"alg": "HS512"
}]
}
- Secret Keys (Sample)
HS384
javax.crypto.spec.SecretKeySpec@588163c
HS256
javax.crypto.spec.SecretKeySpec@5883077
HS512
javax.crypto.spec.SecretKeySpec@5880b31
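To make the mechanics behind the libraries concrete, here is an added, library-free reference implementation (not code from this page, nor from Nimbus JOSE+JWT or JJWT) that signs and verifies a compact JWS with the HS256 JWK sample above. It enforces the minimum secret length from the Introduction, pins the algorithm to the key instead of trusting the token header, compares the MAC in constant time, and shows the application-side claim check (here, `exp`) that the libraries leave to you.

```python
import base64, hashlib, hmac, json, time

# Digest and minimum secret size in bytes per HS* algorithm (RFC 7518 section 3.2).
ALGS = {"HS256": (hashlib.sha256, 32), "HS384": (hashlib.sha384, 48), "HS512": (hashlib.sha512, 64)}

# The page's sample HS256 JWK: "oct" key type, raw secret base64url-encoded in "k".
SAMPLE_JWK = {"kty": "oct", "kid": "27a7cb2b-6f0f-4722-a735-a45eb95b28a7",
              "alg": "HS256", "k": "G37cfUp9nhwlxZDL2x0ecfKpzbhMT7zHYS786T-n0II"}

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_oct_jwk(jwk):
    """Return (alg, secret bytes), enforcing the minimum secret length for that alg."""
    if jwk.get("kty") != "oct" or jwk.get("alg") not in ALGS:
        raise ValueError("unsupported JWK")
    secret = b64url_decode(jwk["k"])
    if len(secret) < ALGS[jwk["alg"]][1]:
        raise ValueError("%s secret too short: %d bytes" % (jwk["alg"], len(secret)))
    return jwk["alg"], secret

def sign(claims, jwk):
    """Produce a compact JWS (header.payload.signature) over the claims."""
    alg, secret = load_oct_jwk(jwk)
    header = {"alg": alg, "typ": "JWT", "kid": jwk["kid"]}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    tag = hmac.new(secret, signing_input.encode("ascii"), ALGS[alg][0]).digest()
    return signing_input + "." + b64url_encode(tag)

def verify(token, jwk, now=None):
    """Check the MAC using the key's own alg, then the exp claim; return the claims."""
    alg, secret = load_oct_jwk(jwk)
    head, payload, sig = token.split(".")  # raises ValueError unless three segments
    # Pin alg to the key: the header is untrusted input and must not choose the algorithm.
    if json.loads(b64url_decode(head)).get("alg") != alg:
        raise ValueError("alg mismatch")
    expected = hmac.new(secret, (head + "." + payload).encode("ascii"), ALGS[alg][0]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    # Integrity is the library's job; the claims' meaning is the application's.
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

The same key material and checks apply to HS384 and HS512; only the digest and the minimum secret length change, as the ALGS table shows.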