JWT Token Generation for HMAC using SHA Algorithm
Introduction
JSON Web Tokens (JWT) can be integrity protected with a hash-based message authentication code (HMAC). The producer and consumer must possess a shared secret, negotiated through some out-of-band mechanism before the JWS-protected object is communicated (unless the producer secures the JWS object for itself).
We use the Nimbus JOSE+JWT and JJWT libraries, which support all standard JWS algorithms for HMAC protection (note the minimum secret length requirement):
The JWT includes a set of claims or assertions, packaged in a JSON object. The claims, whose treatment is application-specific, must therefore be subsequently checked by your application code.
JSON Web Key Format for HMAC using SHA Algorithm
HS256
{ "keys": [{ "kty": "oct", "kid": "27a7cb2b-6f0f-4722-a735-a45eb95b28a7", "k": "G37cfUp9nhwlxZDL2x0ecfKpzbhMT7zHYS786T-n0II", "alg": "HS256" }] }
HS512
{ "keys": [{ "kty": "oct", "kid": "1a35af02-71fe-4240-b9ed-f90482e405bc", "k": "_A3GhQMmfixjef5G9bFNKu7XhY7i1Tf5gyuWHrFIVTBk4t9APCX8Foq1SJWgCspLy3MuLgrI7js-0JS65M78dg", "alg": "HS512" }] }
HS384
javax.crypto.spec.SecretKeySpec@588163c
HS256
javax.crypto.spec.SecretKeySpec@5883077
HS512
javax.crypto.spec.SecretKeySpec@5880b31
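The following is an added example, not code from the original page: a producer/consumer round trip with Nimbus JOSE+JWT using the HS256 JWK shown above, including the application-side claim checks the introduction calls for. The issuer URL, the subject names and the five-minute lifetime are constructed values.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.util.Date;

public class Hs256RoundTrip {
    // HS256 JWK set copied from this page (a published sample key, for demonstration only)
    static final String JWKS = "{\"keys\":[{\"kty\":\"oct\","
        + "\"kid\":\"27a7cb2b-6f0f-4722-a735-a45eb95b28a7\","
        + "\"k\":\"G37cfUp9nhwlxZDL2x0ecfKpzbhMT7zHYS786T-n0II\",\"alg\":\"HS256\"}]}";
    static final String ISSUER = "https://issuer.example"; // constructed value

    public static void main(String[] args) throws Exception {
        OctetSequenceKey key = (OctetSequenceKey) JWKSet.parse(JWKS)
            .getKeyByKeyId("27a7cb2b-6f0f-4722-a735-a45eb95b28a7");

        // Producer: MACSigner throws KeyLengthException if the secret is under 256 bits
        SignedJWT jwt = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.HS256).keyID(key.getKeyID()).build(),
            new JWTClaimsSet.Builder().issuer(ISSUER).subject("alice")
                .expirationTime(new Date(System.currentTimeMillis() + 300_000)).build());
        jwt.sign(new MACSigner(key));
        String token = jwt.serialize();

        // Consumer: pin the expected algorithm instead of trusting the token header
        SignedJWT received = SignedJWT.parse(token);
        if (!JWSAlgorithm.HS256.equals(received.getHeader().getAlgorithm()))
            throw new SecurityException("unexpected alg");
        if (!received.verify(new MACVerifier(key)))
            throw new SecurityException("bad MAC");

        // A valid MAC only proves integrity; the claims still need application checks
        JWTClaimsSet claims = received.getJWTClaimsSet();
        if (!ISSUER.equals(claims.getIssuer()))
            throw new SecurityException("unexpected issuer");
        if (claims.getExpirationTime() == null || claims.getExpirationTime().before(new Date()))
            throw new SecurityException("expired or missing exp");
        System.out.println("accepted token for " + claims.getSubject());

        // Integrity check: a payload changed after signing no longer matches the MAC
        String[] p = token.split("\\.");
        JWTClaimsSet altered = new JWTClaimsSet.Builder(claims).subject("mallory").build();
        String tampered = p[0] + "." + Base64URL.encode(altered.toString()) + "." + p[2];
        System.out.println("tampered token verifies: "
            + SignedJWT.parse(tampered).verify(new MACVerifier(key)));
    }
}
```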