Security Defense for Firebase's PHP-JWT Library

Overview

PHP-JWT-Guard


Protect your code from being impacted by issue 351 in firebase/php-jwt. The problem reported there is a key/algorithm confusion: when a verifier holds keys for several algorithms and looks a key up by its kid alone, the token's own alg header decides how that key is used (for example, an asymmetric public key being treated as an HMAC secret). PHP-JWT-Guard binds every key to a single algorithm when it is registered, so a key can only ever be used with the algorithm it was added for.

Installation

First, install this library with Composer:

composer require paragonie/php-jwt-guard

And then in your PHP namespace imports, swap the namespace:

- use Firebase\JWT\JWT;
+ use ParagonIE\PhpJwtGuard\JWT;

You no longer pass an array or ArrayAccess object of keys to JWT::decode(). Instead you build a KeyRing, which records the algorithm each key may be used with, and pass that. Keep the list of allowed algorithms you hand to decode() as short as your deployment permits; a single algorithm is the safest choice.

<?php
use ParagonIE\PhpJwtGuard\KeyRing;
use ParagonIE\PhpJwtGuard\JWT;

// Set up the keyring. Each entry binds one key ID to exactly one algorithm:
$keyring = (new KeyRing())
    ->withHS256('key-id-foo', 'raw-key-data-goes-here')
    ->withHS384('key-id-bar', 'raw-key-data-goes-here-too')
    // ...
    ->withPS384('key-id-xyzzy', 'raw-key-data-goes-here-too')
    ->withPS512('key-id-thud', 'raw-key-data-goes-here-too');

// Pass it to JWT::decode() together with the algorithm(s) your application accepts.
// $allowedAlgs is the algorithm name(s) you accept, e.g. 'HS256':
JWT::decode($jwt, $keyring, array($allowedAlgs));

Using the KeyRing class

KeyRing->with($alg, $keyId, $rawKeyData)

Parameters:

  1. string $alg - The algorithm this key is intended for (e.g. 'HS256', 'RS256', 'PS512')
  2. string $keyId - The kid header value that maps to this key
  3. string $rawKeyData - The actual key material. For HMAC algorithms this is the raw shared secret; for asymmetric algorithms it is usually a PEM-encoded key.

Returns the KeyRing object. Chainable. The withHS256(), withHS384(), withPS384(), withPS512() and similar calls used in the example above are the same operation with $alg fixed to that algorithm.

KeyRing->count()

Returns the number of keys in the ring, as an integer.

KeyRing->partition($alg)

Parameters:

  1. string $alg - The algorithm to select keys for

Returns a new KeyRing object containing only the keys that were registered for $alg. The original ring is unchanged.
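The following is an added example, not code from php-jwt-guard or firebase/php-jwt, that shows concretely what the (alg, kid) binding described above buys you. It is a minimal HS256/RS256 verifier with two lookups side by side: a vulnerable one that indexes keys by kid only (the issue-351 pattern, where the token's alg header decides how the key is used) and a hardened one that indexes by algorithm first and kid second, which is the same guarantee a KeyRing built with ->with($alg, $keyId, $rawKeyData) and narrowed with ->partition($alg) provides. The function names (decodeVulnerable, decodeHardened), the kids rsa-1 and hmac-1, and the whole scenario are constructed for illustration; it assumes PHP 8 with ext-openssl.

```php
<?php
declare(strict_types=1);

// Added example, not library code. Minimal HS256/RS256 JWT handling so that the
// issue-351 lookup bug and its fix can be seen in one file. PHP 8 + ext-openssl.

function b64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function b64urlDecode(string $text): string
{
    $pad = str_repeat('=', (4 - strlen($text) % 4) % 4);
    return (string) base64_decode(strtr($text, '-_', '+/') . $pad, true);
}

// Signs with HMAC-SHA256 when alg is HS256, otherwise with an RSA private key PEM (RS256).
function encodeJwt(array $header, array $payload, string $key): string
{
    $signingInput = b64url(json_encode($header)) . '.' . b64url(json_encode($payload));
    if ($header['alg'] === 'HS256') {
        $sig = hash_hmac('sha256', $signingInput, $key, true);
    } else {
        openssl_sign($signingInput, $sig, $key, OPENSSL_ALGO_SHA256);
    }
    return $signingInput . '.' . b64url($sig);
}

// Verifies $jwt against one specific (alg, key) pair. Returns the payload or null.
function verifyWith(string $jwt, string $alg, string $key): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $signingInput = "$h.$p";
    $sig = b64urlDecode($s);
    $ok = match ($alg) {
        'HS256' => hash_equals(hash_hmac('sha256', $signingInput, $key, true), $sig),
        'RS256' => openssl_verify($signingInput, $sig, $key, OPENSSL_ALGO_SHA256) === 1,
        default => false,
    };
    return $ok ? json_decode(b64urlDecode($p), true) : null;
}

function parseHeader(string $jwt): array
{
    $header = json_decode(b64urlDecode(explode('.', $jwt)[0]), true);
    return is_array($header) ? $header : [];
}

// VULNERABLE: $keysByKid is kid => key, with no record of which algorithm the key is for.
// The attacker-controlled alg header therefore chooses how the selected key is used.
function decodeVulnerable(string $jwt, array $keysByKid, array $allowedAlgs): ?array
{
    $header = parseHeader($jwt);
    $alg = $header['alg'] ?? '';
    if (!in_array($alg, $allowedAlgs, true)) {
        return null;
    }
    $key = $keysByKid[$header['kid'] ?? ''] ?? null;
    return $key === null ? null : verifyWith($jwt, $alg, $key);
}

// HARDENED: $keysByAlgKid is alg => (kid => key). A key registered for RS256 is
// unreachable from an HS256 token, whatever kid the token claims. This is the
// binding a KeyRing enforces with with($alg, $kid, $key) / partition($alg).
function decodeHardened(string $jwt, array $keysByAlgKid, array $allowedAlgs): ?array
{
    $header = parseHeader($jwt);
    $alg = $header['alg'] ?? '';
    if (!in_array($alg, $allowedAlgs, true)) {
        return null;
    }
    $key = $keysByAlgKid[$alg][$header['kid'] ?? ''] ?? null;
    return $key === null ? null : verifyWith($jwt, $alg, $key);
}

// Constructed scenario: the server trusts an RSA public key under kid "rsa-1" and an
// HMAC secret under kid "hmac-1", and accepts both RS256 and HS256 tokens.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];
$secret = random_bytes(32);
$allowed = ['RS256', 'HS256'];

$flat  = ['rsa-1' => $publicPem, 'hmac-1' => $secret];
$bound = ['RS256' => ['rsa-1' => $publicPem], 'HS256' => ['hmac-1' => $secret]];

// Legitimate token signed with the RSA private key.
$genuine = encodeJwt(['alg' => 'RS256', 'typ' => 'JWT', 'kid' => 'rsa-1'], ['sub' => 'alice'], $privatePem);
// Forgery: the attacker knows only the public key and uses it as the HMAC secret.
$forged = encodeJwt(['alg' => 'HS256', 'typ' => 'JWT', 'kid' => 'rsa-1'], ['sub' => 'admin'], $publicPem);

printf("vulnerable: genuine=%s forged=%s\n",
    decodeVulnerable($genuine, $flat, $allowed)['sub'] ?? 'rejected',
    decodeVulnerable($forged, $flat, $allowed)['sub'] ?? 'rejected');
printf("hardened:   genuine=%s forged=%s\n",
    decodeHardened($genuine, $bound, $allowed)['sub'] ?? 'rejected',
    decodeHardened($forged, $bound, $allowed)['sub'] ?? 'rejected');
```

Run it with php on the command line. The genuine RS256 token is accepted by both decoders; the forged HS256 token is accepted by the kid-only lookup (the public key is, by definition, something the attacker has, and the HMAC over it matches) and rejected by the (alg, kid) lookup because no HS256 key exists under kid rsa-1. Note that the forgery only works when the attacker's copy of the PEM is byte-for-byte what the server stores, which is exactly the case when the key is published as-is.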

Comments

Still vulnerable with multiple allowed algorithms

    Maybe I'm missing something obvious, but I tried your library and it is still vulnerable to type confusion when using multiple allowed algorithms (i.e. your first example in https://github.com/firebase/php-jwt/issues/351).

    Furthermore your JWT::encode function has two problems:

    • Encode does not work when you supply a keyring (keyId check is wrong)
    • PHPDoc parameters are wrong for $key, $keyId and $head

    Consider this test case:

<?php

use ParagonIE\PhpJwtGuard\JWT;
use ParagonIE\PhpJwtGuard\KeyRing;
use PHPUnit\Framework\TestCase;
use UnexpectedValueException;

class JWTTest extends TestCase
{
    public function testConfusion(): void
    {
        $hsKey = hash('sha256', 'phpunit-test-key-for-issue-351');

        // Closing marker indented to the PEM lines so the PEM has no leading whitespace.
        $esPubkey = <<<END
            -----BEGIN PUBLIC KEY-----
            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9
            q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==
            -----END PUBLIC KEY-----
            END;

        $keyring = new KeyRing();
        $keyring->with('HS256', 'foo', $hsKey);
        $keyring->with('ES256', 'bar', $esPubkey);

        $payload = ['sub' => 'phpunit'];
        // Sign with HS256 using the ES256 public key as the secret, under the ES256 key's kid.
        $token = JWT::encode($payload, $esPubkey, 'HS256', 'bar'); // wrong algo

        $fail = false;
        try {
            JWT::decode($token, $keyring, ['HS256', 'ES256']);
            $fail = true;
        } catch (UnexpectedValueException $ex) {
        }
        $this->assertFalse($fail, 'Expected an exception');
    }

    public function testEncode(): void
    {
        $keyring = new KeyRing();
        $keyring->with('HS256', 'foo', hash('sha256', 'phpunit-test-key-for-issue-351'));

        $payload = ['sub' => 'phpunit'];
        JWT::encode($payload, $keyring, 'HS256', 'foo'); // should not throw exception
    }
}
    
    opened by cschomburg 3
Releases: v0.3.0

Owner: Paragon Initiative Enterprises
Technology should support your ambitions, not hinder them. We are a team of technology consultants that specialize in application security.