What is the difference between a JWE and an encrypted JWT?

I have seen that Apigee can decrypt an encrypted JWT but cannot decrypt a JWE. I thought they were the same thing. What is the difference?

ACCEPTED SOLUTION

Last week I wrote up a detailed description: https://www.googlecloudcommunity.com/gc/Apigee/Payload-encryption-with-JWE/m-p/408153/highlight/true... 

Basically, JWE is a way to wrap encryption around anything, while "encrypted JWT" is a way to wrap encryption around a specific thing: a JSON payload.

Apigee can handle, with out-of-the-box policies, encrypted JWT, with a variety of algorithms.

Apigee out-of-the-box policies do not handle the general-case JWE. For that, there is a Java callout, which handles specifically RSA-based encryption algorithms. If you want general-case JWE and non-RSA algorithms, there's no support for that currently in Apigee, though it is in the roadmap.

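The distinction drawn in the answer above, as an added example that is not part of the original post and is not Apigee's code: the same compact JWE envelope carries either a JSON claims set (an encrypted JWT) or arbitrary bytes (general-case JWE), and only the consumer's check on the decrypted plaintext tells them apart. It assumes Node.js and uses `alg: "dir"` with `enc: "A256GCM"` from RFC 7516 purely so it runs with built-in crypto; the key, claims, byte payload and function names are constructed for illustration.

```javascript
// Added example: compact JWE with alg "dir" / enc "A256GCM" (RFC 7516), Node.js built-ins only.
const crypto = require("crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");

// Encrypt arbitrary bytes into a five-part compact JWE.
function jweEncrypt(plaintext, key, extraHeader = {}) {
  const header = b64u(JSON.stringify({ alg: "dir", enc: "A256GCM", ...extraHeader }));
  const iv = crypto.randomBytes(12); // 96-bit IV for AES-GCM
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(header, "ascii")); // AAD is the encoded protected header
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // With "dir" the shared key is used directly, so the encrypted-key part is empty.
  return [header, "", b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join(".");
}

// General-case JWE consumer: authenticate, decrypt, return the raw plaintext bytes.
function jweDecrypt(token, key) {
  const parts = token.split(".");
  if (parts.length !== 5) throw new Error("not a compact JWE");
  const [header, encKey, iv, ct, tag] = parts;
  const h = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
  if (h.alg !== "dir" || h.enc !== "A256GCM" || encKey !== "") throw new Error("unsupported alg/enc");
  const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64url"));
  d.setAAD(Buffer.from(header, "ascii"));
  d.setAuthTag(Buffer.from(tag, "base64url"));
  return Buffer.concat([d.update(Buffer.from(ct, "base64url")), d.final()]); // throws if tampered
}

// Encrypted-JWT consumer: same decryption, but the plaintext must be a JSON claims object.
function decryptJwt(token, key) {
  const text = jweDecrypt(token, key).toString("utf8");
  let claims;
  try { claims = JSON.parse(text); } catch { throw new Error("plaintext is not a JSON claims set"); }
  if (claims === null || typeof claims !== "object" || Array.isArray(claims)) {
    throw new Error("plaintext is not a JSON claims set");
  }
  return claims;
}

// Constructed sample inputs: one encrypted JWT, one general-case JWE over binary data.
const key = crypto.randomBytes(32);
const encryptedJwt = jweEncrypt(JSON.stringify({ iss: "example-issuer", sub: "user-1" }), key, { typ: "JWT" });
const generalJwe = jweEncrypt(Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x00, 0xff]), key);
```

Because the protected header is bound into the GCM tag as AAD, swapping the `typ: "JWT"` header onto the general-case token makes decryption fail rather than relabel the payload.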