I am used to using JWTs so when I needed the same behavior but with no plaintext user data I looked at JWE. JWE is very similar to JWT; however, I did not see the exp, nbf or iat fields which limit the time the message is valid for (preventing replays after the exp time).

My question is: in practice how do you protect JWE from being used for replay attacks?

  • Is the JWE header signed? Can I just put those time-restrictive fields in it?
  • Seems a little sketchy, but could I potentially use the iv as the nbf and have an implicit exp time of say 1 minute after that? Or maybe squeeze the nbf and exp both into the IV?
  • If I have to nest the JWE in a JWT to prevent replay, is there a standard way of doing this?

1 Answer

You can nest a JWT inside a JWE (not the other way around, as you mention in your last point), where the JWT can have the fields you want.

See a short explanation here.
