Download the PHP package kleijnweb/jwt-bundle without Composer
On this page you can find all versions of the php package kleijnweb/jwt-bundle. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download kleijnweb/jwt-bundle
More information about kleijnweb/jwt-bundle
Files in kleijnweb/jwt-bundle
Package jwt-bundle
Short Description Symfony JWT authentication with support for asymmetric keys and externally loaded secrets
License LGPL-3.0
Informations about the package jwt-bundle
This project is no longer maintained
KleijnWeb\JwtBundle
Integrate JWT API tokens for authentication.
Go to the release page to find details about the latest release.
For an example see swagger-bundle-example.
NOTE: Looking for PHP <7.0 and Symfony <2.8.7 support? Use a 0.x version.
Install
Install using composer (composer require kleijnweb/jwt-bundle
). You want to check out the release page to ensure you are getting what you want and optionally verify your download.
Authentication
The token is validated using standard (reserved) JWT claims:
Name | Type | Description |
---|---|---|
exp |
int [1] | Expiration time must be omitted [3] or be smaller than time() + leeway [2]. |
nbf |
int [1] | "Not before", token validity start time, must be omitted [3] or greater than or equal to time() - leeway [2]. |
iat |
int [1] | The time the token was issued, must be omitted [3] or smaller than configured minIssueTime + leeway . Required when minIssueTime configured. |
iss |
string | Issuer of the token, must match configured issuer . Required when issuer configured. |
aud |
string | JWT "audience", must be omitted [3] or match configured audience if configured. Required when audience configured. |
sub |
string | JWT "subject". Used as username for Symfony Security integration. Always required (or its alias), without it the "Resource Owner cannot be identified. |
prn |
string | JWT "principle". Deprecated alias for sub , used in older versions of the JWT RFC. |
jti |
string | JWT "ID". Not used, will be ignored. |
typ |
string | Not used, will be ignored. |
- [1] Unix time
- [2] The
leeway
allows a difference in seconds between the issuer of the token and the server running your app with JwtBundle. Keep at a low number, defaults to 0. - [3] Mark any claim required, including custom (non-reserved) ones, using the
require
configuration option.
All other claims encountered are ignored. The JWT header is checked for kid
(see below) and alg
, which must match the type
value of the key configuration.
Keys
The authenticator supports multiple keys, and allows all options to be configured per kid
(key ID, which must be included in the JWT header when more than 1 key is configured):
JwtBundle and the issuer must share a secret in order for JwtBundle to be able to verify tokens. You can choose between a pre shared key (PSK) or asymmetric keys.
To use asymmetric keys, type
MUST be set to RS256
or RS512
. The secret in this case is the public key of the issuer.
Loading Secrets From An External Source
Instead of configuring secrets statically, they can also be loaded dynamically, using any data available in the JWT token. Example configuration:
The loader must implement KleijnWeb\JwtBundle\Authenticator\SecretLoader
. A simple example that loads the secret from an ambiguous data store:
You could use any information available in the token, such as the kid
, alg
or any custom claims. You cannot configure both secret
and loader
. Be sure to throw an AuthenticationException
when appropriate (eg missing claims needed for loading secret).
Integration Into Symfony Security
Synopsis:
Using the bundled user provider is optional. This will produce user objects from the token data alone with roles produced from the aud
claim (and IS_AUTHENTICATED_FULLY
whether aud
was set or not).
Assigning audience to user roles using an alternate UserProvider
JwtBundle can assign the audience claims in the JwtToken to the User objects user roles properties. Ideally, this is done in the UserProvider, so that the groups cannot be modified.
If this is an acceptable risk, you do not want to use JwtUser/JwtUserProvider, but do want JwtBundle to copy aud
claims to user roles, you can have your User class implement the KleijnWeb\JwtBundle\User\UnsafeGroupsUserInterface
interface, and JwtBundle will add the roles after the user is loaded from the provider.
This behavior may be removed in future versions.
NOTE: This function only copies the the roles from the token.
Issuing Token
Issuing tokens is currently limited to HS256
. To create a token string:
License
KleijnWeb\JwtBundle is made available under the terms of the LGPL, version 3.0.
All versions of jwt-bundle with dependencies
symfony/dependency-injection Version >=2.8.30
symfony/config Version >=2.8.30
symfony/event-dispatcher Version >=2.8.30
symfony/http-foundation Version >=2.8.30
symfony/http-kernel Version >=2.8.30
symfony/security Version >=2.8.30
symfony/yaml Version >=2.8.30
symfony/finder Version >=2.8.30
symfony/security-bundle Version >=2.8.30
symfony/var-dumper Version >=2.8.30