As per the RFC7519,the payload of a JWS may be detached. This framework supports this feature.
There is not much difference between the creation of a JWS with or without detached payload. The following example comes from the JWS Creation page. There is only one argument that will change during the call of withPayload
.
And voilà! When you will serialize this token, the payload will not be present.
The loading of a signed token with a detached payload is as easy as when the payload is attached. The only difference is that you have to pass the payload to the JWS Verifier when you want to check the signature.
When you need to sign the same payload for several audiences, you may want to do it at once. The JWS Builder supports multiple signatures.
With the example below, we will create three signatures using three different algorithms (and signature keys):
The variable $jws
will be a valid JWS object with all computed signatures. Next step is the serialization of these signatures.
You may want to set data in a token header that are not important for your application (e.g. general information). The integrity protection of the data is therefore not needed at all.
The RFC7515 introduces an unprotected header. This header is supported by this framework.
With the example below, we will create a signed token with some unprotected header parameters:
The variable $jws
will be a valid JWS object with one signature and both headers.
Note: when an unprotected header is set, the Compact Serialization mode is not available.
The RFC7797 allows the use of an unencoded payload for the signed tokens. This behaviour is interesting when your tokens have a detached payload and may reduce the token computation.
Please note that when the Compact Serialization mode is used, the characters of the payload must be limited to the following ASCII ranges:
From 0x20
to 0x2d
From 0x2f
to 0x7e
This feature is built in the framework and is enabled when the b64
header parameter is set to false
. As per the RFC, this header MUST be protected and also listed as a critical (crit
) header parameter.
Example:
As a remainder, both b64
and crit
parameters MUST be in the protected header.