Back to itsme
Need help?(Opens in new tab)
Get Started with itsme
-Skip to main content

How can we help you out?

  1. itsme
  2. Partner Support
  3. FAQ
  4. Integration

How JSON Object Signing and Encryption (JOSE) works in Production

Application between a Partner and itsme®

A Partner wants to sign and encrypt a message (JSON Object) and send it to itsme®.

After processing, itsme® will send a response which is also signed and encrypted.

 Note that for JSON Object Signing and Encryption we use 2 keypairs, so each party creates 4 keys:

  • 1 private/public keypair for signing and signature validation (Key ID (kid) starts with “s”)
  • 1 private/public keypair for encryption/decryption (Key ID (kid) starts with “e”)

 

Production environment

For production use, Partner will need to create 2 keypairs:

  • 1 public and private key for encryption/decryption
  • 1 public and private key for signing/signature verification

 

You will need to send the 2 PUBLIC keys to itsme® which will be used to:

  • Encrypt messages by itsme® towards you (with your public e1)
  • Verify your signature when you send a message to itsme® (with your public s1)

These 2 keys will be contained on the JWKset endpoint provided by the Partner to itsme®.

Note: NEVER SEND US OR ANYONE ELSE YOUR PRIVATE KEYS! They should be stored in a safe and secure environment. Typically, this is a HSM (Hardware Security Module), KeyVault, KeyStore, or other secure Key Management System that is used by your application.

 

The PUBLIC keys of itsme® for PRODUCTION can be found on:

 

Complete flow on PRODUCTION environment

Step 1: sign the content with YOUR PRIVATE s1 (which ONLY YOU possess)

Step 2: encrypt the signed content with the PUBLIC e1 of itsme® from https://idp.prd.itsme.services/v2/jwkSet

Step 3: itsme® will decrypt the message with its own private encryption key

Step 4: itsme® will verify the signature with YOUR PUBLIC s1 (which we have to receive from you after you created your production keys)

Step 5: itsme® will sign a response message with its own private signing key

Step 6: itsme® will encrypt the response message with your PUBLIC e1 (which we have to receive from you after you created your production keys)

Step 7: you decrypt the response with your PRIVATE e1 (which ONLY YOU possess) 

Step 8: you verify the signature with the PUBLIC s1 from itsme® from https://idp.prd.itsme.services/v2/jwkSet