johnrhunt
@johnrhunt
not yet, but I might do soon.. it's very, very odd behaviour. We have the same code deployed on two of our other production environments and it behaves as expected.. currently in the investigation phase but it's a bit complex as only our ops guys can do stuff on those envs
Andrei Dascalu
@andrei-dascalu
hello! is there someone who can help a dumb beginner? With v4 I need to parse & validate a token that was signed with a private key. I have the public key, but I don't see how I can create a config with just a public key?
johnrhunt
@johnrhunt
there's two different ways of signing tokens.. one is using a public key, the other is using a private key.. I think commonly this is RS256 and HS256
two different ways I know of anyway.. you can probably do something with certificates too
Daniel Strøm
@Danielss89
Hello. I'm creating a sign-in flow with Azure Active Directory, and I'm getting a JWT back. I can't seem to figure out how to parse/validate a token from a 3rd party? I would only need Azure's public key for this, but as I read in the docs, I always need to pass a private key to the config object too?
Luís Cobucci
@lcobucci
max-php
@max-php:matrix.org
Hello
I am trying to make a sound when a database row is updated
Can you help me?
fdsgsven
@fdsgsven
Hi,
I have a question: I create a JWT with iat, a DateTimeImmutable object providing a certain timezone: new DateTimeZone('Europe/Berlin')
That is also visible if I dump the token object. But if I convert it to a string and read it out, the TZ is gone. Is this expected behaviour?
Luís Cobucci
@lcobucci
@fdsgsven that's indeed expected because we use timestamps for the token (and they're always in UTC). If you add the timezone to the object, you'll have the local time converted to the correct time.
fdsgsven
@fdsgsven
@lcobucci Thank you for the clarification.
Another question: I want to validate an externally verified token. "Configuration::forAsymmetricSigner" wants me to have a private key, which I will never have. What would be the best practice to validate such a token? (I could generate a dummy private key but that doesn't feel right)
Luís Cobucci
@lcobucci
Yassine Rais
@yassinrais
@max-php:matrix.org hey, you are posting in the wrong group, this is only for the lcobucci/jwt library. Also, your question is not a general question, it's a complex set of steps to do, and you should have at least the basics of PHP before you try to make it; no one will help you in that case! Facts.
fdsgsven
@fdsgsven
Ok that answers my question perfectly. Thank you @lcobucci
Josh Lewis!
@joshlewis

Hey all. I'm trying to use the lcobucci/jwt library to verify a JWT given by Amazon Cognito.

I believe this is the type of token that is supposed to be verified only using the public key without access to the private key, but I'm not totally sure of that. I'm not trying to create a JWT, only to verify one.

Regardless, Cognito has something they call a "public JSON Web Key". Does lcobucci/jwt work with JWKs? I don't see any reference to them in the documentation.

Here's an example of a JWK: https://www.gstatic.com/iap/verify/public_key-jwk It's probably more correct to say that's a set of them, not just one.
Josh Lewis!
@joshlewis
You know, I think https://github.com/lcobucci/jwt/discussions/720 might actually answer part of my question too. :D
Luís Cobucci
@lcobucci
Hey @joshlewis 👋 we don't yet support JWKs but there are tools you can use to convert a JWK into a PEM certificate or the key you need to pass to the lib
stephaneThannio
@stephaneThannio
Hello all, how do I declare $container with this project?
Thanks a lot
Luís Cobucci
@lcobucci
@stephaneThannio it does not. Perhaps you've missed the note at the top of the page (e.g. https://lcobucci-jwt.readthedocs.io/en/stable/issuing-tokens/)
The examples here fetch the configuration object from a hypothetical dependency injection container. You can create it in the same script or require it from a different file. It basically depends on how your system is bootstrapped.
Constantinos Sergiou
@constantinosergiou
Hello all
I have this issue: Class 'App\Http\Controllers\Lcobucci\JWT\Signer\Hmac\Sha256' not found
Constantinos Sergiou
@constantinosergiou
fixed :)
Mohinish Sharma
@mohinishsharma
Hi all,
I'm trying to use this lib with Lumen and I'm getting: Target [Lcobucci\JWT\Configuration] is not instantiable.
Can anyone help me out with this?
Luís Cobucci
@lcobucci
@mohinishsharma check which version of the library is installed on your project. That class only exists on v3.4+
Rose Riyadh
@RoseRiyadh
Hello, I'm trying to get my Laravel project upgraded from 5.8 up to 8 to have sign in with Apple, and I'm getting this error: Class 'Lcobucci\JWT\Validation\Constraint\LooseValidAt' not found
What should I do?
@lcobucci
Marco Pivetta
@Ocramius
Sounds like the dependency on lcobucci/jwt is broken in your project. LooseValidAt exists in 4.2.x: https://github.com/lcobucci/jwt/blob/a8acedb920bb48de30bad1aa9e6d242903ecd693/src/Validation/Constraint/LooseValidAt.php#L13 . It does not exist in 3.x, so your dependency got upgraded, probably because a Laravel component did not declare compatibility with 3.x specifically.
ah, sorry, the opposite
code needs 4.x code, but you are using 3.x
Rose Riyadh
@RoseRiyadh
@Ocramius so I should update my lcobucci to ^4
@Ocramius it's locked on 4.1.4
Rose Riyadh
@RoseRiyadh
@Ocramius I did it and it worked, thank you so much!
Ashish Vinayak
@ashishvinayak
JWT expires automatically before expiresAt('8 hour'). I am unable to understand why. I found a related issue at lcobucci/jwt#622, yet I am still unsure if my validation is correct. I've posted my code below. Could someone please help me?
private function issue($user){
    $config = $GLOBALS["tokenConfig"];           
    assert ($config instanceof Configuration);

    $now = new DateTimeImmutable();
    $this->token = $config->builder()    
            // sub
            ->relatedTo($user->user_id)
            // issue by
            ->issuedBy("https://testpage.com/")
            // iat
            ->issuedAt($now)
            // jwt expire
            ->expiresAt($now->modify('8 hour'))
            // builds a new token
            ->getToken($config->signer(), $config->signingKey());
}

private function Validator(string $cookie){
/**
 * Validate token string
 */
    $config = $GLOBALS["tokenConfig"];
    assert ($config instanceof Configuration);
    // parse token
    try {
        $token = $config->parser()->parse($cookie);
    }
    catch (\Exception $e){
        return false;
    }
    assert ($token instanceof UnencryptedToken);
    // 
    $constraints = $config->validationConstraints();        
    // validate
    try {
        $config->validator()->assert($token, ...$constraints);
    }
    catch (RequiredConstraintsViolated $e) {
        return false;
    }
    return true;
}
Ashish Vinayak
@ashishvinayak
@lcobucci Any suggestions?
Luís Cobucci
@lcobucci
@ashishvinayak we'd need to see a sample token and the list of constraints you're using.
Also, if you just need to return a boolean result, I'd suggest using Validator#validate()
Anton Smirnov
@sandfox_gitlab
Greetings
How to submit security issues, well, securely?
Marco Pivetta
@Ocramius
@sandfox_gitlab would say email - lcobucci AT gmail
Or ocramius AT gmail
Anton Smirnov
@sandfox_gitlab
Thank you
R. Mohammad
@rmohammad25
@lcobucci Good morning. I follow the steps on issuing tokens etc. (which is working fine). My question is why it's not all random (only the first part and second), see image? Sorry, newbie here.
Luís Cobucci
@lcobucci
@rmohammad25 it's because of JWTs' structure. I believe those are two different tokens with almost the same claims (probably time difference only). Which means that the encoded headers and claims are essentially the same.
R. Mohammad
@rmohammad25
Thanks @lcobucci .