```shell
composer require webdevcave/jwt
```
| Algorithm | Version |
|---|---|
| HS256 | 1.0 |
| HS384 | 1.0 |
| HS512 | 1.0 |
| RS256 | 1.1 |
| RS384 | 1.1 |
| RS512 | 1.1 |
| Claim | Version | Description | RFC |
|---|---|---|---|
| aud | 1.1 | Audience | https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3 |
| exp | 1.0 | Expiration time (timestamp) | https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4 |
| iss | 1.1 | Issuer | https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1 |
| nbf | 1.0 | Not before (timestamp) | https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5 |
| sub | 1.1 | Subject | https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2 |
- The "typ" claim is set to "JWT" by default.
- The "iat" and "nbf" claims default to the current timestamp.
- A "jti" validator isn't provided, but your application can implement one as shown in the "Validating your private claims" section.
```php
<?php
use Webdevcave\Jwt\Token;
use Webdevcave\Jwt\SignerFactory;
use Webdevcave\Jwt\Secrets\HsSecret;

$secret = new HsSecret('your_secret_here');

$token = Token::create()
    ->withSigner(SignerFactory::build('HS256')) // HS256 signer is provided by default; this call could be omitted
    ->with('exp', strtotime('+ 1 hour'))        // Expires in one hour
    ->sign($secret)
    ->toString();
```
```php
<?php
use Webdevcave\Jwt\Token;
use Webdevcave\Jwt\Secrets\HsSecret;

// The same secret that was used to sign the token
$secret = new HsSecret('your_secret_here');

$token = Token::fromString('xxxx.yyyyy.zzzzz');
$isValid = $token->validate($secret);

if ($isValid) {
    $payload = $token->getPayload();
    $headers = $token->getHeaders();
}
```
First of all, you will need a public/private key pair. If you don't have one, you can generate it at the following page: https://cryptotools.net/rsagen

With your public/private key pair in hand, the process is similar to the HMAC token example above:
```php
<?php
use Webdevcave\Jwt\Token;
use Webdevcave\Jwt\SignerFactory;
use Webdevcave\Jwt\Secrets\RsSecret;

$secret = new RsSecret('private_key', 'public_key');

// Generate a token string
$tokenString = Token::create()
    ->withSigner(SignerFactory::build('RS256'))
    ->with('exp', strtotime('+ 1 hour')) // Expires in one hour
    ->sign($secret)
    ->toString();

// Validating...
$token = Token::fromString($tokenString);

if ($token->validate($secret)) {
    // token is valid...
    $creationDate = date(DATE_RFC3339, $token->getPayload('iat'));
    $expirationDate = date(DATE_RFC3339, $token->getPayload('exp'));

    echo "Your token was created at $creationDate.";
    echo "It will expire at $expirationDate.";
}
```
First, you have to create your validator:
```php
<?php
use Webdevcave\Jwt\Validator\Validator;

class MyClaimValidator extends Validator
{
    /**
     * Name of the claim this validator checks.
     *
     * @return string
     */
    public function validates(): string
    {
        return 'my-claim'; // this will validate the value inside 'my-claim', when set
    }

    /**
     * @param mixed $value the claim value found in the token
     * @return bool
     */
    public function validate(mixed $value): bool
    {
        // this claim must contain the value 'a', 'b' or 'c'
        $valid = in_array($value, ['a', 'b', 'c'], true);

        return $valid;
    }
}
```
Then all you have to do is assign your validator before calling the validate() method:
```php
<?php
use Webdevcave\Jwt\Token;
use Webdevcave\Jwt\Secrets\HsSecret;

$mySecret = new HsSecret('your_secret_here');

$token = Token::fromString('xxxx.yyyyy.zzzzz')
    ->assignValidator(new MyClaimValidator());

$isValid = $token->validate($mySecret);

if ($isValid) {
    $myClaim = $token->getPayload('my-claim');
}
```
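A "jti" validator of the kind the claim notes above leave to the application, built with the Validator mechanism just shown and combined with a denylist so that revoked token ids are rejected. This is an added example, not code from the webdevcave/jwt project; it assumes that `validates()`, `validate()` and `assignValidator()` behave as in this README, and that `getPayload()` called without an argument returns the claims as an array.

```php
<?php
// Added example (not part of the webdevcave/jwt README): reject replayed or revoked
// token ids through a custom "jti" Validator.
// Assumed: Validator::validates()/validate() and Token::assignValidator() work as in
// this README; getPayload() without an argument returns the claims as an array.
use Webdevcave\Jwt\Secrets\HsSecret;
use Webdevcave\Jwt\Token;
use Webdevcave\Jwt\Validator\Validator;

class JtiValidator extends Validator
{
    /** @param string[] $revoked ids already revoked (in-memory sample; use a persistent store in practice) */
    public function __construct(private array $revoked) {}

    public function validates(): string
    {
        return 'jti';
    }

    public function validate(mixed $value): bool
    {
        // Accept only the 32-hex-char ids this application issues, and reject revoked ones.
        return is_string($value)
            && preg_match('/^[0-9a-f]{32}$/', $value) === 1
            && !in_array($value, $this->revoked, true);
    }
}

$secret = new HsSecret('your_secret_here');

// Issue a token whose jti is 128 bits from a CSPRNG, so ids are unique and unguessable.
$jti = bin2hex(random_bytes(16));
$tokenString = Token::create()
    ->with('jti', $jti)
    ->with('exp', strtotime('+ 1 hour'))
    ->sign($secret)
    ->toString();

// Verification side: revoking the id above simulates a logout or a reported compromise.
$revoked = [$jti]; // constructed denylist entry
$token = Token::fromString($tokenString)
    ->assignValidator(new JtiValidator($revoked));

// Per the README, a claim validator runs only when the claim is set, so a token that
// omits jti must be rejected explicitly instead of passing this check by default.
$isValid = $token->validate($secret);
$payload = $token->getPayload();
$accepted = $isValid && isset($payload['jti']);

echo $accepted ? "accepted\n" : "rejected: revoked, malformed or missing jti\n";
```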
You can get a Token instance directly from the Authorization header or from a query parameter with the following methods:
```php
<?php
use Webdevcave\Jwt\Token;

// Load from the Authorization: Bearer header
$token1 = Token::fromAuthorizationBearer();

// Load from GET parameters
$token2 = Token::fromQueryString('token');
$token3 = Token::fromQueryString('token2');
```
Contributions are welcome! If you find any issues or have suggestions for improvements, please open an issue or a pull request on GitHub.
This project is licensed under the MIT License - see the LICENSE file for details.
The original project can be found here.