Download the PHP package rafalswierczek/jwt without Composer
On this page you can find all versions of the php package rafalswierczek/jwt. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Information about the package jwt
Simple JWS authentication codebase
Take total control over JWS authentication with the help of this repository.
Installation:
composer require rafalswierczek/jwt
Usage
Remember that this library is a code base, so treat it as your own source code. Be aware of the exceptions defined in the contract and catch them.
Nothing will work unless you fully understand the whole architecture you want to implement.
SYMMETRIC SIGNATURE SYSTEM:
- Keep your JWS secret very safe. Sharing it between applications lets one JWS authenticate against multiple applications, which is pretty much the only reason to use a JWT system at all. Keep in mind that with a symmetric (HMAC) signature every application that holds the secret can also mint valid JWS, so share it only with applications you trust as much as the auth server itself.
In the authentication server, or the auth module of a monolith:
- Create your own endpoint that checks user credentials and returns a freshly generated JWS in the successful response.
- Create your own instances of JWSIssuerInterface, JWSHeader and JWSPayload and generate the new JWS that the auth endpoint returns.
- Create your own instance of RefreshTokenProviderInterface and generate a new refresh token that is returned together with the JWS.
- You MUST have one unique secret key per refresh token. Store both in a table with a unique index. If a refresh token is stolen, or the user holding it has to be banned, nothing can be done about JWS that are already issued; that is how a JWT system works by definition. The only lever you have is to invalidate the secret key associated with that refresh token in the table, so its holder can no longer obtain a new JWS. Keep the JWS lifetime short (3~15 minutes, depending on your security requirements) so that this window stays small.
In every application that matches the audience:
- Create your own authenticator and from there use your instance of JWSVerifierInterface to verify the JWS taken from the request header.
- If the JWS has expired (JWSHasExpiredException), ask your auth server for a new JWS using the current refresh token, and return 403 for this request.
- JWSCompromisedSignatureException is a red flag, most likely an attack or a bug. Log it as an error or alert and return 403.
- CannotMatchAudienceException might be a problem with an old domain name, or the JWS is simply not meant for this specific application. Log it as a warning and return 403.
- If the refresh token is not valid, log the user out and force them to log in again (via the auth server endpoint) using whatever credentials you use.
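The two procedures above (issuing on the auth server, verifying in each audience application) as one added, self-contained PHP example. This is illustration code written for this page, not the rafalswierczek/jwt API: JWSIssuerInterface, JWSVerifierInterface and the other contract types are not used, and every class, function, claim and header name below (RefreshTokenTable, issueJws, verifyJws, refreshJws, the kid header, the three exception classes) is this example's own assumption. It also assumes the shared secret table is consulted live at verification time, so revoking a secret rejects already-issued JWS immediately; if your applications cache secrets instead, those JWS stay valid until their exp, as the README states.

```php
<?php
declare(strict_types=1);

// Added illustration, not the rafalswierczek/jwt API: the README's flow in plain PHP. One HS256 secret
// per refresh token lives in a table shared by the auth server and the apps; the "kid" header names the row.

final class JWSHasExpiredException extends RuntimeException {}
final class JWSCompromisedSignatureException extends RuntimeException {}
final class CannotMatchAudienceException extends RuntimeException {}

function b64url(string $raw): string { return rtrim(strtr(base64_encode($raw), '+/', '-_'), '='); }

/** Decode one base64url JSON segment; anything unparsable is treated as tampering. */
function decodeSegment(string $enc): array
{
    $raw = base64_decode(strtr($enc, '-_', '+/'), true);
    $val = $raw === false ? null : json_decode($raw, true, 8);
    return is_array($val) ? $val : throw new JWSCompromisedSignatureException('malformed JWS segment');
}

/** In-memory stand-in for the DB table: one unique secret per refresh token (names are assumptions). */
final class RefreshTokenTable
{
    private array $byKid = [];     // kid => ['secret' => string, 'sub' => string]
    private array $byRefresh = []; // sha256(refresh token) => kid; the raw refresh token is never stored

    /** Login succeeded: mint a refresh token together with its own secret. */
    public function create(string $sub): array
    {
        $kid = bin2hex(random_bytes(8));
        $refresh = b64url(random_bytes(32));
        $this->byKid[$kid] = ['secret' => random_bytes(32), 'sub' => $sub];
        $this->byRefresh[hash('sha256', $refresh)] = $kid;
        return [$kid, $refresh];
    }
    /** Verifier side: the secret for a kid, or null if the kid is unknown or revoked. */
    public function secretForKid(string $kid): ?string
    {
        return $this->byKid[$kid]['secret'] ?? null;
    }
    /** Refresh side: the live row for a presented refresh token, or null if it is invalid or revoked. */
    public function rowForRefresh(string $refresh): ?array
    {
        $kid = $this->byRefresh[hash('sha256', $refresh)] ?? null;
        $secret = $kid === null ? null : $this->secretForKid($kid);
        return $secret === null ? null : ['kid' => $kid, 'secret' => $secret, 'sub' => $this->byKid[$kid]['sub']];
    }
    /** Ban or compromise: drop the secret so this refresh token can never mint (or validate) another JWS. */
    public function revoke(string $kid): void
    {
        unset($this->byKid[$kid]['secret']);
    }
}

function issueJws(string $kid, string $secret, string $sub, array $aud, int $now, int $ttl = 300): string
{
    $h = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT', 'kid' => $kid], JSON_THROW_ON_ERROR));
    $p = b64url(json_encode(['sub' => $sub, 'aud' => $aud, 'iat' => $now, 'exp' => $now + $ttl], JSON_THROW_ON_ERROR));
    return "$h.$p." . b64url(hash_hmac('sha256', "$h.$p", $secret, true));
}

/** Auth-server refresh endpoint: null means the refresh token is dead and the client must log in again. */
function refreshJws(RefreshTokenTable $table, string $refresh, array $aud, int $now): ?string
{
    $row = $table->rowForRefresh($refresh);
    return $row === null ? null : issueJws($row['kid'], $row['secret'], $row['sub'], $aud, $now);
}

/** App side: check the signature first, then the audience, then expiry; returns the claims. */
function verifyJws(string $jws, RefreshTokenTable $table, string $myAud, int $now): array
{
    [$h, $p, $s] = array_pad(explode('.', $jws, 3), 3, '');
    $header = decodeSegment($h); // untrusted until the MAC checks out: used only to select the key
    $secret = is_string($header['kid'] ?? null) ? $table->secretForKid($header['kid']) : null;
    if (($header['alg'] ?? null) !== 'HS256' || $secret === null) {
        throw new JWSCompromisedSignatureException('wrong alg, unknown kid or revoked secret');
    }
    if (!hash_equals(b64url(hash_hmac('sha256', "$h.$p", $secret, true)), $s)) {
        throw new JWSCompromisedSignatureException('signature mismatch');
    }
    $claims = decodeSegment($p);
    if (!in_array($myAud, (array) ($claims['aud'] ?? []), true)) {
        throw new CannotMatchAudienceException("JWS is not meant for $myAud");
    }
    if (!is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) {
        throw new JWSHasExpiredException('JWS has expired');
    }
    return $claims;
}

// Walk-through with constructed data: login, verify, wrong audience, expiry, then a ban.
$table = new RefreshTokenTable(); $now = time();
[$kid, $refresh] = $table->create('user-42');                      // auth endpoint, after the credential check
$jws = refreshJws($table, $refresh, ['billing-app'], $now);
echo verifyJws($jws, $table, 'billing-app', $now)['sub'], PHP_EOL; // user-42
try { verifyJws($jws, $table, 'other-app', $now); } catch (CannotMatchAudienceException $e) { echo "warning: {$e->getMessage()}\n"; }
try { verifyJws($jws, $table, 'billing-app', $now + 600); } catch (JWSHasExpiredException $e) { echo "refresh needed: {$e->getMessage()}\n"; }
$table->revoke($kid);                                              // ban the holder of this refresh token
var_dump(refreshJws($table, $refresh, ['billing-app'], $now));     // NULL: force a new login
```

Two design points worth copying into a real implementation: the header is decoded before the MAC is checked only to pick the key, and nothing in it is trusted until hash_equals succeeds; and the refresh token is stored hashed, so a leaked table does not hand out usable refresh tokens, while the secret itself is what gets dropped on revocation, exactly the lever the README describes.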
All versions of jwt with dependencies
Requires: php 8.3.*