Download the PHP package danielmmf/yii2-jwt without Composer
On this page you can find all versions of the php package danielmmf/yii2-jwt. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Informations about the package yii2-jwt
Yii2 JWT
This extension provides the JWT integration for the Yii framework 2.0 (requires PHP 5.6+). It includes basic HTTP authentication support.
Table of contents
- Installation
- Dependencies
- Basic usage
- Creating
- Parsing from strings
- Validating
- Token signature
- Hmac
- RSA and ECDSA
- Yii2 basic template example
Installation
Package is available on Packagist, you can install it using Composer.
Dependencies
- PHP 5.6+
- OpenSSL Extension
- lcobucci/jwt 3.3
Basic usage
Add jwt
component to your configuration file,
Configure the authenticator
behavior as follows.
Also you can use it with CompositeAuth
reffer to a doc.
Creating
Some methods marked as deprecated and will soon backport things from lcobucci/jwt 4.x to create an upgrade path.
Just use the builder to create a new JWT/JWS tokens:
Parsing from strings
Use the parser to create a new token from a JWT string (using the previous token as example):
Validating
We can easily validate if the token is valid (using the previous token as example):
We can also use the $leeway parameter to deal with clock skew (see notes below). If token's claimed time is invalid but the difference between that and the validation time is less than $leeway, then token is still considered valid
Important
- You have to configure
ValidationData
informing all claims you want to validate the token. - If
ValidationData
contains claims that are not being used in token or token has claims that are not configured inValidationData
they will be ignored byToken::validate()
. exp
,nbf
andiat
claims are configured by default inValidationData::__construct()
with the current UNIX time (time()
).- The optional
$leeway
parameter ofValidationData
will cause us to use that number of seconds of leeway when validating the time-based claims, pretending we are further in the future for the "Issued At" (iat
) and "Not Before" (nbf
) claims and pretending we are further in the past for the "Expiration Time" (exp
) claim. This allows for situations where the clock of the issuing server has a different time than the clock of the verifying server, as mentioned in section 4.1 of RFC 7519.
Token signature
We can use signatures to be able to verify if the token was not modified after its generation. This extension implements Hmac, RSA and ECDSA signatures (using 256, 384 and 512).
Important
Do not allow the string sent to the Parser to dictate which signature algorithm to use, or else your application will be vulnerable to a critical JWT security vulnerability.
The examples below are safe because the choice in Signer
is hard-coded and cannot be influenced by malicious users.
Hmac
Hmac signatures are really simple to be used:
RSA and ECDSA
RSA and ECDSA signatures are based on public and private keys so you have to generate using the private key and verify using the public key:
It's important to say that if you're using RSA keys you shouldn't invoke ECDSA signers (and vice-versa), otherwise and will raise an exception!
Yii2 basic template example
Basic scheme
- Client send credentials. For example, login + password
- Backend validate them
- If credentials is valid client receive token
- Client store token for the future requests
Step-by-step usage example
-
Create Yii2 application
In this example we will use basic template, but you can use advanced template in the same way.
-
Install component
-
Add to config/web.php into
components
section -
Create JwtValidationData class. Where you have to configure ValidationData informing all claims you want to validate the token.
-
Change method
app\models\User::findIdentityByAccessToken()
-
Create controller
-
Send simple login request to get token. Here we does not send any credentials to simplify example. As we specify in
authenticator
behavior actionlogin
as optional theauthenticator
skip auth check for that action. -
First of all we try to send request to rest/data without token and getting error
Unauthorized
- Then we retry request but already adding
Authorization
header with our token