Plain JavaScript and JQuery

• Security first, a browser is never to be fully trusted, as you cannot know how secured the environment it runs in is. JavaScript injections, CORS (Cross domain origins) can be serious threats.
• Then performance and user experience, indeed JavaScript is a slow technology, especially when it comes to cryptographic operations. Moreover, using a third party may require to download big payloads, which can still be a problem with slow mobile networks.
• The reliability of third parties. A lot of third parties are publishing libraries for cryptography with JavaScript, the choice might be difficult. The Authentication Service Team identified node-jose (https://developer.cisco.com/codeexchange/github/repo/cisco/node-jose/) as a fair/secured and efficient choice.
• Finally compatibility. JavaScript comes with a native WebCrypto API (https://www.w3.org/TR/WebCryptoAPI/) that seems to be optimal. However, Microsoft Internet Explorer supports it only partially and only since IE 11.

The Authentication Service recommends to prefer server side technologies for every cryptographic operations.

However, in the case that your project requires to have those operations done within browsers, the Authentication Service Team recommends to use:

• node-jose that can be web-packed with Angular 2, see Create and Sign a JSON Web Token (JWT) with Angular 2.
• forge that can be used with plain JavaScript, see below.