Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Sep 22 17:57
    lcobucci commented #786
  • Sep 22 17:57
    lcobucci closed #786
  • Sep 22 17:57
    lcobucci assigned #786
  • Sep 22 17:57
    lcobucci labeled #786
  • Sep 22 17:56
    lcobucci commented #786
  • Sep 22 14:37
    Patrick-Remy commented #786
  • Sep 22 14:36
    Patrick-Remy commented #786
  • Sep 22 14:35
    SvenRtbg commented #786
  • Sep 22 14:31
    Patrick-Remy opened #786
  • Sep 17 09:20
    Ocramius labeled #785
  • Sep 17 09:20
    Ocramius labeled #785
  • Sep 17 09:20
    Ocramius assigned #785
  • Sep 17 09:20
    Ocramius closed #785
  • Sep 17 09:20
    Ocramius commented #785
  • Sep 17 09:18
    llbgo opened #785
  • Sep 10 07:54
    lcobucci closed #783
  • Sep 10 07:54
    lcobucci locked #783
  • Sep 10 07:54
    lcobucci commented #783
  • Sep 10 06:38
    SvenRtbg commented #783
  • Sep 10 06:29
    sarfarazsavvy opened #783
Michael Glenn
@TheGlenn88_gitlab
hi anyone still here?
Luís Cobucci
@lcobucci
Sure... :)
doox911
@doox911
Hi. How validate signature?
doox911
@doox911
Разобрался спасибо.
Piotr Rybałtowski
@piotrek-r
Hey! I really like this library. I work a lot with JWTs and the lib is very helpful. I'm looking forward for the version 4. I know there's still no docs available but is there maybe some example code available? Or maybe some other library/project on github that already uses it and I could see how they use it? If not creating tokes, maybe just the verification part. Thanks!
Taner
@taneraruk_gitlab
Hi, I try to use jwt authentication, how can I avoid authentication for specific rest endpoints? I added @Secured("isAnonymous()") and Secured(SecurityRule.IS_ANONYMOUS) but i did not work. Where I am wrong? any idea?
Milos Novicevic
@milosnovi
hey there

@lcobucci use Lcobucci\JWT\Builder;

$token = (new Builder())->setIssuer('http://example.com') // Configures the issuer (iss claim)
->setAudience('http://example.org') // Configures the audience (aud claim)
->setId('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
->setIssuedAt(time()) // Configures the time that the token was issued (iat claim)
->setNotBefore(time() + 60) // Configures the time that the token can be used (nbf claim)
->setExpiration(time() + 3600) // Configures the expiration time of the token (exp claim)
->set('uid', 1) // Configures a new claim, called "uid"
->getToken(); // Retrieves the generated token

After i run this code and get token i paste this token here https://jwt.io/ debugger and i got the error " Invalid Signature"

After i keep debugging I got the error that my jwt needs to have 2 dots
although i generate one with Builder()
Do you have idea what we are doing wrong
Luís Cobucci
@lcobucci
Hey everyone, I'm terribly sorry about my delay to get back to you.
@piotrek-r I'm actually working on that right now :)
@taneraruk_gitlab sorry but that seems to be another library, this one does't have any annotation
@milosnovi you probably already solved this but you're not signing your token. Check https://github.com/lcobucci/jwt/blob/3.2/README.md#token-signature or https://github.com/lcobucci/jwt/blob/3.3/README.md#token-signature (in case you already migrated to v3.3)
flihub
@flihub
anyone here?
Luís Cobucci
@lcobucci
Yeap...
@flihub there's a delay, but we're here :smile:
flihub
@flihub
still:?
flihub
@flihub
i wrote to github. please answer. thank u:
Alek Salazar
@PenguinTamer
Greetings!
Anyone online and willing to help me w/ a weird error?
"message": "It was not possible to parse your key, reason: error:0909006C:PEM routines:get_name:no start line",
Luís Cobucci
@lcobucci
@PenguinTamer hey, glad to see you found the error on #310 and mentioned the resolution. Thanks :)
Alek Salazar
@PenguinTamer
@lcobucci Thank you! And i really like your library. Makes working w/ JWT easy!
Luís Cobucci
@lcobucci
It's really good to hear that, thanks!
Slope105
@Slope105
Hello php jwt community, I had a question about the installation. I cannot generate a token, as shown in the sample code from the documentation. It only works when I require the autoload.php like so:
require('C:/xampp/vendor/autoload.php');
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Hmac\Sha256;
Is that how it is suppose to be?
Luís Cobucci
@lcobucci
@Slope105 that's correct, it's not mentioned in the docs because we assumed everyone was used to how composer works (which is possibly not very inclusive, sorry).
Slope105
@Slope105
@lcobucci Great thanks.
No problem. I should know how composer works. Thanks for the response.
Luís Cobucci
@lcobucci
:+1:
Rafael Mora
@titanve
Hello everyone! I'm using craftcms 3 with the plugin Craft JWT Auth which states: "The plugin will attempt to verify the token using the lcobucci/jwt package for PHP" the question is: do you know how do they work together? i mean lcobucci/jwt library and craftcms 3? Thank you.
Luís Cobucci
@lcobucci
Hello @titanve, unfortunately I'm not familiar with craftcms 3. However, after a quick look, it seems here lies your answer: https://github.com/edenspiekermann/craft-jwt-auth/blob/develop/src/services/JWT.php
Rafael Mora
@titanve
Hello @lcobucci thank you for the link it's very helpful. The thing is that how that it interacts because in NodeJS I have an express server using jsonwebtoken library and I can verify by a hash the password the user is sending and then generate the token and send it back and afterwards use the verify function in order to very all the upcoming transactions.
Rafael Mora
@titanve
image.png
Apparently is a TODO
Luís Cobucci
@lcobucci
Too bad. Although that might your chance to build it yourself and contribute to the craft-jwt-auth library :+1:
Hopefully, our docs should support you https://github.com/lcobucci/jwt/blob/3.3/README.md
Rafael Mora
@titanve
@lcobucci that's true! I'll try to do something with it
Roel
@roelzkie15
Hi gents, When is the recommended way to verify the token? in our program we have an endpoint which verify the token. So i used it every request to check token validity before proceeding to access protected resource on the server.
Luís Cobucci
@lcobucci
@roelzkie15 :wave:
That really depends on what you're using a JWT for :grimacing:
If you're using JWT for authentication, then I'd say you must always verify and validate. Otherwise, people might attack your system by tampering the token
Roel
@roelzkie15
@lcobucci nice one thanks for the pointer :rocket:
Luís Cobucci
@lcobucci
Glad to help :+1:
Everton da Silva
@evercan
Hello, I am some mistakes, <span style='background-color: #cc0000; color: #fce94f; font-size: x-large;'>( ! )</span> Fatal error:
Uncaught Zend\ServiceManager\Exception\ServiceNotFoundException: Unable to resolve service
"Lcobucci\JWT\Configuration" to a factory; are you certain you provided it during configuration? in
C:\xampp\htdocs\api\vendor\zendframework\zend-servicemanager\src\ServiceManager.php on line <i>687</i>
Luís Cobucci
@lcobucci
This looks like an integration of some tool to this lib... We don't provide any framework-related component
Luís Cobucci
@lcobucci
@evercan did you manage to solve the issue?
prudhvivijaykumar
@prudhvivijaykumar
Hi, While login I have generated JWT Token without expiration time. So while re-login with the same credentials then I want to destroy the previous token. Any solution.?
Luís Cobucci
@lcobucci

@prudhvivijaykumar that's a use-case for adding a storage layer to build a blacklist/whitelist of JTI (token identifiers) - I'd say a whitelist sounds more appropriate since you won't know which token to add to the blacklist when issuing a new one. You'd surely have to set the JTI on your tokens to be able to match things.

Bear in mind that not setting an expiration time may lead to security issues if the token gets stolen.