Download the PHP package yzh52521/yii2-jwt without Composer

Yii2 JWT

This extension provides the JWT integration for the Yii framework 2.0 (requires PHP 5.6+). It includes basic HTTP authentication support.

Table of contents

1. Installation
2. Dependencies
3. Basic usage
   1. Creating
   2. Parsing from strings
   3. Validating
4. Token signature
   1. Hmac
   2. RSA and ECDSA
5. Yii2 basic template example

Installation

Package is available on Packagist, you can install it using Composer.

Dependencies

• PHP 5.6+
• OpenSSL Extension
• lcobucci/jwt 3.3

Basic usage

Add jwt component to your configuration file,

Configure the authenticator behavior as follows.

Also, you can use it with CompositeAuth refer to a doc.

Creating

Just use the builder to create a new JWT/JWS tokens:

Parsing from strings

Use the parser to create a new token from a JWT string (using the previous token as example):

Validating

We can easily validate if the token is valid (using the previous token as example):

Available constraints

• \Lcobucci\JWT\Validation\Constraint\IdentifiedBy: verifies if the claim jti matches the expected value
• \Lcobucci\JWT\Validation\Constraint\IssuedBy: verifies if the claim iss is listed as expected values
• \Lcobucci\JWT\Validation\Constraint\PermittedFor: verifies if the claim aud contains the expected value
• \Lcobucci\JWT\Validation\Constraint\RelatedTo: verifies if the claim sub matches the expected value
• \Lcobucci\JWT\Validation\Constraint\SignedWith: verifies if the token was signed with the expected signer and key
• \Lcobucci\JWT\Validation\Constraint\StrictValidAt: verifies presence and validity of the claims iat, nbf, and exp (supports leeway configuration)
• \Lcobucci\JWT\Validation\Constraint\LooseValidAt: verifies the claims iat, nbf, and exp, when present (supports leeway configuration)
• \Lcobucci\JWT\Validation\Constraint\HasClaimWithValue: verifies that a custom claim has the expected value (not recommended when comparing cryptographic hashes)

Important

• You have to configure \yzh52521\jwt\Jwt::$constraints informing all claims you want to validate the token by Yii::$app->jwt->loadToken(), this method also called inside \sizeg\jwt\JwtHttpBearerAuth.

Token signature

We can use signatures to be able to verify if the token was not modified after its generation. This extension implements Hmac, RSA and ECDSA signatures (using 256, 384 and 512).

Important

Do not allow the string sent to the Parser to dictate which signature algorithm to use, or else your application will be vulnerable to a critical JWT security vulnerability.

The examples below are safe because the choice in Signer is hard-coded and cannot be influenced by malicious users.

Hmac

Hmac signatures are really simple to be used.

You may configure component:

RSA and ECDSA

RSA and ECDSA signatures are based on public and private keys so you have to generate using the private key and verify using the public key:

It's important to say that if you're using RSA keys you shouldn't invoke ECDSA signers (and vice-versa), otherwise and will raise an exception!

Yii2 basic template example

Basic scheme

1. Client send credentials. For example, login + password
2. Backend validate them
3. If credentials is valid client receive token
4. Client store token for the future requests

Step-by-step usage example

1. Create Yii2 application

   In this example we will use basic template, but you can use advanced template in the same way.

2. Install component

3. Add to config/web.php into components section

4. Change method app\models\User::findIdentityByAccessToken()

5. Create controller

6. Send simple login request to get token. Here we does not send any credentials to simplify example. As we specify in authenticator behavior action login as optional the authenticator skip auth check for that action.

7. First of all we try to send request to rest/data without token and getting error Unauthorized

8. Then we retry request but already adding Authorization header with our token