A simple library to work with JSON Web Token and JSON Web Signature based on the RFC 7519.
Package is available on Packagist, you can install it using Composer.
composer require lcobucci/jwt
The documentation is available at https://lcobucci-jwt.readthedocs.io/en/latest/.
If you want to add secure token based authentication to your PHP projects, feel free to check out Auth0's PHP SDK and free plan at auth0.com/developers.
Hi there,
The new MapKit JS by Apple uses JWT, however, Apple gives a .p8 certificate which only holds a private key. How can I use this to verify the signature?
Thanks!
QuestionHello!
Im using this liblary to generate ES256 JWT for Apple to connect with them, but the problem is that generated token is invalid.
So in summary :
What I did and it didn't work
My Code (PHP 8.1)
require 'vendor/autoload.php';
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Validation\NoConstraintsGiven;
use Lcobucci\JWT\Signer\Key\InMemory;
$privateKey = InMemory::file(__DIR__ . '/AuthKey_XXXXXXX.pem');
$publicKey = InMemory::file(__DIR__ . '/AuthKey_XXXXXXX.pub');
$config = Configuration::forAsymmetricSigner(Lcobucci\JWT\Signer\Ecdsa\Sha256::create(), $privateKey, $publicKey );
$now = new DateTimeImmutable();
$token = $config->builder()
->issuedBy('XXXXXXXXX')
->withHeader('alg', 'ES256')
->withHeader('kid', 'XXXXXXXXX')
->withHeader('typ', 'JWT')
->permittedFor('appstoreconnect-v1')
->withClaim('scope', array("GET /v1/apps?filter[platform]=IOS"))
->issuedAt($now)
->expiresAt($now->modify('+1 hour'))
->getToken($config->signer(), $config->signingKey());
$final_token = $token->toString();
// And final connecting with Apple because token is generated :
$url = 'https://api.appstoreconnect.apple.com/v1/apps/';
$ch = curl_init();
$header = array();
$header[] = 'Content-length: 0';
$header[] = 'Content-type: application/json';
$header[] = 'Authorization: Bearer '.$final_token;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, TRUE);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$head = curl_exec($ch);
print_r($head);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
What I need :
Thanks, Jake
QuestionHello,
We're currently using Laravel Passport and it's pulled in JWT 3.4. The standard "/oauth/token" route now longer works as the newly added deprecation messages are interrupting the flow, which were added in:
https://github.com/lcobucci/jwt/commit/5ce37ae2061942019e21ad5ef3af160cb5a4ad39
Don't have any more info yet but adding just in case anyone else is experiencing this?
Invalid@lcobucci I kept the responsibility for validating in the claim, since they are like value objects and know best how to validate themselves. I'm not sure where to put the error message. In the claim itself?
Also documentation still needs update in this PR.
Your comments please?
Improvement BC-breakAs per @henriquemoody and @Ocramius reviews on #129 we can make things more clear.
So let's discuss here to find the best names for with(), canOnlyBeUsedBy() and other method we would like to discuss about.
Currently all timestamps are rendered as strings. Some JWT parsers like auth0/node-jsonwebtoken and jwt.io complain about timestamps formatted as a string. This PR changes this to encode timestamps as float instead of string values.
Won't Fix BC-breakFor those people who may use cloud-based security infrastructure (e.g. Azure Keyvault HSM, Amazon AWS HSM), there is no way to integrate signing with lcobucci/jwt because, for example, your code presently requires people to supply the path to the private key on the local filesystem.
For avoidance of doubt, I am not saying that you need to code all the API communications ! I am just saying, give me an easy way to (a) get the "string to sign" and (b) supply the signed value back to lcobucci/jwt .... the "black-box" magic in the middle can be done by people's code.
Hope this makes sense.
Won't FixHi, one thing I like very much about PASETO is it's impossible to use it in insecure ways. I'm not talking about JWT RFC flaws, but rather about API that we can and should implement to force a safe usage.
Here are two examples of lcobucci/jwt:v4 misuse:
/**
* 1) Validation missing
*/
$jwtToken = (new JwtParser(new JoseEncoder()))->parse($_POST['jwt']);
loginUser($jwtToken->claims()->get(RegisteredClaims::AUDIENCE));
/**
* 2) Validation typo
*/
$jwtToken = (new JwtParser(new JoseEncoder()))->parse($_POST['jwt']);
// It should be assert()
(new Validator())->validate(
$jwtToken,
new SignedWith(new Eddsa(), InMemory::base64Encoded('foo'))
);
loginUser($jwtToken->claims()->get(RegisteredClaims::AUDIENCE));
For v5 I propose these main BC-breaks:
SignedWith validator in order to parse a JWT Tokenclaims part to be read nor consumed before the parse callheaders part to be read and consumed before the parse callparse callLooseValidAt or StrictValidAt validator in order to parse a JWT TokenTo use ECDSA signer it is required to install mdanter/ecc version ~0.3.1. But this extension requires php-mcrypt which was deprecated in PHP 7.1 and was deleted in PHP 7.2.
Latest mdanter/ecc (0.5.0) doesn't depend on mcrypt but however it is incompatible and throws an exception:
Type error: Argument 1 passed to Lcobucci\JWT\Signer\Ecdsa\KeyParser::__construct() must be an instance of Mdanter\Ecc\Math\MathAdapterInterface, instance of Mdanter\Ecc\Math\GmpMath given, called in /vendor/lcobucci/jwt/src/Signer/Ecdsa.php on line 50
Getting this error in latest version please help
Fatal error: Lcobucci\JWT\Signer\Key\InMemory cannot implement Lcobucci\JWT\Signer\Key - it is not an interface in /var/www/wmd/current/wmdcore-nightly/vendor/lcobucci/jwt/src/Signer/Key/InMemory.php on line 14
Laravel version: 8.x JWT: 4.1.5 php: 7.4.28
QuestionHi, JWT has never formalized Blake2b as a signing algorithm, hence the BLAKE2B algorithm ID I chose in the code was made up by me and I don't know if this should be merged of not, maybe we could use the @experimental tag on the class, I don't know.
But if this is nowhere near a standard (in JWT I mean, Blake2b is a standard), why proposing it? Because of this:
+--------------+-------------------+-----+------+-----+----------+-----------+---------+
| benchmark | subject | set | revs | its | mem_peak | mode | rstdev |
+--------------+-------------------+-----+------+-----+----------+-----------+---------+
| EddsaBench | benchSignature | | 100 | 5 | 4.359mb | 20.221μs | ±2.59% |
| EddsaBench | benchVerification | | 100 | 5 | 4.359mb | 45.970μs | ±0.62% |
| Sha256Bench | benchSignature | | 100 | 5 | 4.359mb | 60.589μs | ±6.34% |
| Sha256Bench | benchVerification | | 100 | 5 | 4.359mb | 95.866μs | ±4.34% |
| Sha384Bench | benchSignature | | 100 | 5 | 4.359mb | 61.166μs | ±1.13% |
| Sha384Bench | benchVerification | | 100 | 5 | 4.359mb | 104.584μs | ±0.76% |
| Sha512Bench | benchSignature | | 100 | 5 | 4.359mb | 60.701μs | ±5.33% |
| Sha512Bench | benchVerification | | 100 | 5 | 4.359mb | 114.601μs | ±1.13% |
| Sha256Bench | benchSignature | | 100 | 5 | 4.359mb | 837.150μs | ±3.02% |
| Sha256Bench | benchVerification | | 100 | 5 | 4.359mb | 36.188μs | ±3.82% |
| Sha384Bench | benchSignature | | 100 | 5 | 4.359mb | 803.909μs | ±3.31% |
| Sha384Bench | benchVerification | | 100 | 5 | 4.359mb | 38.787μs | ±3.91% |
| Sha512Bench | benchSignature | | 100 | 5 | 4.359mb | 791.626μs | ±1.59% |
| Sha512Bench | benchVerification | | 100 | 5 | 4.359mb | 36.873μs | ±3.04% |
| NoneBench | benchSignature | | 100 | 5 | 4.359mb | 0.123μs | ±38.90% |
| NoneBench | benchVerification | | 100 | 5 | 4.359mb | 0.170μs | ±2.33% |
| Sha256Bench | benchSignature | | 100 | 5 | 4.359mb | 2.218μs | ±8.02% |
| Sha256Bench | benchVerification | | 100 | 5 | 4.359mb | 2.410μs | ±0.20% |
| Sha384Bench | benchSignature | | 100 | 5 | 4.359mb | 2.262μs | ±13.38% |
| Sha384Bench | benchVerification | | 100 | 5 | 4.359mb | 2.451μs | ±0.33% |
| Sha512Bench | benchSignature | | 100 | 5 | 4.359mb | 2.285μs | ±6.95% |
| Sha512Bench | benchVerification | | 100 | 5 | 4.359mb | 2.491μs | ±10.81% |
| Blake2bBench | benchSignature | | 100 | 5 | 4.359mb | 0.562μs | ±2.72% |
| Blake2bBench | benchVerification | | 100 | 5 | 4.359mb | 0.760μs | ±0.83% |
+--------------+-------------------+-----+------+-----+----------+-----------+---------+
Currently the Token Builder is confusing:
https://github.com/lcobucci/jwt/blob/602856eb05a0c8e51f0e21925bdc34af372eb582/src/Token/Builder.php#L76-L91
The name of the method resemble an immutable object, but under the hood it's a fluent interface. All my colleagues get confused too by reading a method like:
class User
{
public function fillJwtToken(JwtBuilder $jwtBuilder): void
{
$jwtBuilder->withClaim('user-id', $this->id);
}
}
Did the developer forget to return the new object?
Or its more a setClaim rather than a withClaim?
Can we take a direction and forget the other one?
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are awaiting their schedule. Click on a checkbox to get an update now.
composer.json
php ~8.1.0 || ~8.2.0lcobucci/clock ^3.0.0infection/infection ^0.26lcobucci/coding-standard ^9.0phpbench/phpbench ^1.2.7phpstan/extension-installer ^1.2phpstan/phpstan ^1.9.8phpstan/phpstan-deprecation-rules ^1.1.1phpstan/phpstan-phpunit ^1.3.3phpstan/phpstan-strict-rules ^1.4.4phpunit/php-code-coverage 9.2.23phpunit/phpunit ^9.5.27
.github/workflows/composer-json-lint.yml
.github/workflows/backwards-compatibility.yml
actions/checkout v3.github/workflows/benchmarks.yml
actions/checkout v3shivammathur/setup-php 2.23.0actions/cache v3.2.2.github/workflows/coding-standards.yml
actions/checkout v3shivammathur/setup-php 2.23.0actions/cache v3.2.2.github/workflows/composer-json-lint.yml
actions/checkout v3shivammathur/setup-php 2.23.0actions/cache v3.2.2.github/workflows/mutation-tests.yml
actions/checkout v3shivammathur/setup-php 2.23.0actions/cache v3.2.2codecov/codecov-action v3.1.1.github/workflows/phpunit.yml
actions/checkout v3shivammathur/setup-php 2.23.0actions/cache v3.2.2actions/checkout v3shivammathur/setup-php 2.23.0actions/cache v3.2.2.github/workflows/release-on-milestone-closed.yml
actions/checkout v3laminas/automatic-releases 1.24.0laminas/automatic-releases 1.24.0laminas/automatic-releases 1.24.0laminas/automatic-releases 1.24.0laminas/automatic-releases 1.24.0.github/workflows/static-analysis.yml
actions/checkout v3shivammathur/setup-php 2.23.0actions/cache v3.2.2
When using a configuration object it makes sense to me to set up constraints when using helpers like forSymmetricSigner.
public static function forSymmetricSigner(
Signer $signer,
Key $key,
?Encoder $encoder = null,
?Decoder $decoder = null
): self {
$result new self(
$signer,
$key,
$key,
$encoder,
$decoder
);
$result->validationConstraints[] = new SignedWith($signer, $key);
return $result;
}
Of course this will then need to be kept in sync when someone calls setSigner later... So additional point: we should make Configuration immutable.
Hi, first off, love the lib. It's even better in 4.x than it was in 3.x.
One thing bothers me a bit though, since the interfaces moved around and claims() got moved to the UnencryptedToken interface it left a weird gap in the Parser interface, since it's not possible to get a "proper" decoded token interface via the default implementation. Yeah, it's returning an unencrypted plain token, but it's a bit weird that you can't simply force that.
I would like to propose a solution to this problem, just like there's a Token interface and UnencryptedToken interface, maybe let's have Parser and UencryptedParser interface? The default implementation could stay the same, the UnencryptedParser interface would simply add a new method - parseUnencrypted(string $jwt): UnencryptedToken or something like that.
There'd be no modification required on the Parser class, simply changing the interface and having both methods return the same object.
Feature release (minor)
lcobucci/clock:^3.0 to be installed with lcobucci/jwt:^4 thanks to @OcramiusThis release fixes a documentation mistake.
This release provides a high-level API, a new (non-standard) algorithm, and validation for key length requirements. The latter is a minor BC-break for users that aren't following the RFC recommendations.
To contain the impact of the changes and give time for people to rotate keys, we have deprecated implementations that maintain the previous behaviour and allow unsafe keys. For more information, please read the documentation.
::empty() factory method thanks to @Slamdunk789: Merge release 4.1.5 into 4.2.x thanks to @github-actions[bot]
704: Invalid signing with SHA256 alg using secp521r1 curve thanks to @KartaviK
This patch ships a minor security fix to prevent misuse of the LocalFileReference key.
More info: https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf
This patch ships a minor security fix to prevent misuse of the LocalFileReference key.
More info: More info: https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf
This patch ships a minor security fix to prevent misuse of the LocalFileReference key.
More info: More info: https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf
This release removes the possibility of having parsing issues when dealing with time-fractions with more than 6 decimal places.
This release removes the possibility of having parsing issues when dealing with time-fractions with more than 6 decimal places.
json_encode() to convert time fractions to microseconds cause precision issues thanks to @sachchida1993This release fixes a specification compatibility issue by making sure we use floats to represent time fractions.
This release fixes a specification compatibility issue by making sure we use floats to represent time fractions.
This release fixes the polyfill for sodium base64 encoding.
This release makes it possible to use the library when libsodium < 1.0.14 is installed.
This release fixes an issue with the compatibility layer that disallowed us to use composer's classmap-authoritative autoload.
This release fixes a gap on our forward compatibility layer with v4 for multiple audience support, improving the documentation to state how users can migrate their code.
This release provides a new algorithm (EdDSA over Curve25519) and a claim formatted that always uses integers for date claims.
This release fixes the validation logic of the expiration claim, making sure we're properly following the RFC.
@param annotation of OpenSSL#doVerify() thanks to @chalasrThis release fixes a bug and a BC-break introduced in v3.4.0.
This release ships several API improvements, making this lib much more extensible and easier to use. It requires PHP 7.4 and it's compatible with PHP 8.0 as well (the latest RC).
Please follow our upgrading guide to perform the necessary adjustments to your code.
ValidAt constraint thanks to @lcobucciThis release introduces a forward compatibility layer for the next major release (v4.0.0), guiding users to make their code compatible with both versions.
⚠ This version also triggers E_USER_DEPRECATED errors in scenarios where we can't simply use @deprecated. Please make sure you follow the provided instructions before upgrading your production code.
getPassphrase PHPDoc thanks to @SpomkyThis release provides a stable interface for our new major release (v4.0).
We now have a library ready for PHP 8.0, fully documented, and able to be more easily extended.
Please check our upgrading guide, test your code, and report any issue.
Attention: There are a few BC-breaks (when comparing to the previous alpha releases), so please check the change set (especially PRs 538 and 533).
Claim::getValue can return anything thanks to @carusogabriel
This version fixes the inconsistencies with the upcoming major release.
This version provides a major performance improvement for the ECDSA algorithm, making it compatible with PHP 7.1+ too. We're also starting to add deprecation notes and will soon backport things from v4.x to create an upgrade path.
README.md thanks to @msimion
This release fixes a compatibility issue introduced in v3.2.3.
JSON WEB TOKEN CON LARAVEL 8 Prueba de autenticación de usuarios con una API creada en Laravel 8 Simple, fast routing engine. License The Laravel fram
Credits This repository it a fork from original tymonsdesigns/jwt-auth, we decided to fork and work independent because the original one was not being
JWTRefreshTokenBundle The purpose of this bundle is manage refresh tokens with JWT (Json Web Tokens) in an easy way. This bundles uses LexikJWTAuthent
JSON Web Token (JWT) for webman plugin Json web token (JWT), 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519).该token被设计为紧凑且安全的,特别适用于分布式站点的单点登录(SSO)场景。
Bearer Minimalistic token-based authorization for Laravel API endpoints. Installation You can install the package via Composer: composer require ryang
lumen-passport Making Laravel Passport work with Lumen A simple service provider that makes Laravel Passport work with Lumen Dependencies PHP >= 5.6.3
Thruway is an open source client and router implementation of WAMP (Web Application Messaging Protocol), for PHP. Thruway uses an event-driven, non-blocking I/O model (reactphp), perfect for modern real-time applications.
Basic Authentication handler This plugin adds Basic Authentication to a WordPress site. Note that this plugin requires sending your username and passw
OpenID Connect Discovery support for League - OAuth 2.0 Client This library extends the League OAuth2 Client library to provide OpenID Connect Discove
Webi auth library Laravel web rest api authentication library. Install (laravel 9, php 8.1) First set your .env variables (mysql, smtp) and then compo
Hybridauth 3.7.1 Hybridauth enables developers to easily build social applications and tools to engage websites visitors and customers on a social lev
Sign-in with Apple SDK Installation Recommended and easiest way to installing library is through Composer. composer require azimolabs/apple-sign-in-ph
Introduction Laravel Passport is an OAuth2 server and API authentication package that is simple and enjoyable to use. Official Documentation Documenta
Authentication and Authorization Library for CodeIgniter 4. This library provides an easy and simple way to create login, logout, and user registratio
Slim Auth is an authorization and authentication library for the Slim Framework. Authentication is provided by the Zend Framework Zend\Authentication component, and authorization by the Zend Framework Zend\Permissions\Acl component.
Rinvex Authy Rinvex Authy is a simple wrapper for Authy TOTP API, the best rated Two-Factor Authentication service for consumers, simplest 2fa Rest AP
Important: This package is not actively maintained. For bug fixes and new features, please fork. Eloquent OAuth Use the Laravel 4 wrapper for easy int
Introduction Laravel Sanctum provides a featherweight authentication system for SPAs and simple APIs. Official Documentation Documentation for Sanctum
Codeigniter 4 Authentication Login and Registration Example Checkout the step-by-step tutorial on: Codeigniter 4 Authentication Login and Registration
2 Oct 10, 2021
490 Dec 27, 2022
568 Dec 28, 2022
25 Dec 30, 2022
74 Jun 17, 2022
651 Dec 1, 2022
662 Jan 3, 2023
667 Dec 31, 2022
3 Jan 8, 2022
2 Nov 25, 2022
3.3k Dec 23, 2022
79 Nov 8, 2022
3.1k Dec 31, 2022
12 Oct 10, 2022
246 Dec 16, 2022
34 Feb 14, 2022
374 Dec 21, 2022
7 Jan 9, 2023