Where communities thrive

Join over 1.5M+ people
Join over 100K+ communities
Free without limits
Create your own community

Explore more communities

lcobucci/jwt

A simple library to work with JSON Web Token and JSON Web Signature

People

Repo info

Activity

Jan 14 22:45

khorsky commented #631
Jan 14 22:11

Ocramius commented #631
Jan 14 22:03

Ocramius labeled #631
Jan 14 22:03

Ocramius assigned #631
Jan 14 22:03

Ocramius closed #631
Jan 14 22:03

Ocramius commented #631
Jan 14 22:02

khorsky opened #631
Jan 14 17:59

SvenRtbg commented #630
Jan 14 17:53

SvenRtbg synchronize #630
Jan 14 17:51

SvenRtbg synchronize #630
Jan 14 17:48

SvenRtbg synchronize #630
Jan 14 17:42

SvenRtbg opened #630
Jan 13 21:08

SvenRtbg commented #629
Jan 13 20:24

lcobucci commented #629
Jan 13 19:15

SvenRtbg commented #629
Jan 13 19:03

lcobucci commented #629
Jan 13 19:00

lcobucci commented #622
Jan 13 16:23

vudaltsov commented #622
Jan 13 15:02

SvenRtbg commented #629
Jan 13 15:01

SvenRtbg opened #629

Michael Glenn

@TheGlenn88_gitlab

hi anyone still here?

Luís Cobucci

@lcobucci

Sure... :)

doox911

@doox911

Hi. How validate signature?

doox911

@doox911

Разобрался спасибо.

Piotr Rybałtowski

@piotrek-r

Hey! I really like this library. I work a lot with JWTs and the lib is very helpful. I'm looking forward for the version 4. I know there's still no docs available but is there maybe some example code available? Or maybe some other library/project on github that already uses it and I could see how they use it? If not creating tokes, maybe just the verification part. Thanks!

Taner

@taneraruk_gitlab

Hi, I try to use jwt authentication, how can I avoid authentication for specific rest endpoints? I added @Secured("isAnonymous()") and Secured(SecurityRule.IS_ANONYMOUS) but i did not work. Where I am wrong? any idea?

Milos Novicevic

@milosnovi

hey there

@lcobucci use Lcobucci\JWT\Builder;

$token = (new Builder())->setIssuer('http://example.com') // Configures the issuer (iss claim)
->setAudience('http://example.org') // Configures the audience (aud claim)
->setId('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
->setIssuedAt(time()) // Configures the time that the token was issued (iat claim)
->setNotBefore(time() + 60) // Configures the time that the token can be used (nbf claim)
->setExpiration(time() + 3600) // Configures the expiration time of the token (exp claim)
->set('uid', 1) // Configures a new claim, called "uid"
->getToken(); // Retrieves the generated token

After i run this code and get token i paste this token here https://jwt.io/ debugger and i got the error " Invalid Signature"

After i keep debugging I got the error that my jwt needs to have 2 dots

although i generate one with Builder()

Do you have idea what we are doing wrong

Luís Cobucci

@lcobucci

Hey everyone, I'm terribly sorry about my delay to get back to you.

@piotrek-r I'm actually working on that right now :)

@taneraruk_gitlab sorry but that seems to be another library, this one does't have any annotation

@milosnovi you probably already solved this but you're not signing your token. Check https://github.com/lcobucci/jwt/blob/3.2/README.md#token-signature or https://github.com/lcobucci/jwt/blob/3.3/README.md#token-signature (in case you already migrated to v3.3)

flihub

@flihub

anyone here?

Luís Cobucci

@lcobucci

Yeap...

@flihub there's a delay, but we're here :smile:

flihub

@flihub

still:?

flihub

@flihub

i wrote to github. please answer. thank u:

Alek Salazar

@PenguinTamer

Greetings!

Anyone online and willing to help me w/ a weird error?
"message": "It was not possible to parse your key, reason: error:0909006C:PEM routines:get_name:no start line",

Luís Cobucci

@lcobucci

@PenguinTamer hey, glad to see you found the error on #310 and mentioned the resolution. Thanks :)

Alek Salazar

@PenguinTamer

@lcobucci Thank you! And i really like your library. Makes working w/ JWT easy!

Luís Cobucci

@lcobucci

It's really good to hear that, thanks!

Slope105

@Slope105

Hello php jwt community, I had a question about the installation. I cannot generate a token, as shown in the sample code from the documentation. It only works when I require the autoload.php like so:

require('C:/xampp/vendor/autoload.php');
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Hmac\Sha256;

Is that how it is suppose to be?

Luís Cobucci

@lcobucci

@Slope105 that's correct, it's not mentioned in the docs because we assumed everyone was used to how composer works (which is possibly not very inclusive, sorry).

Slope105

@Slope105

@lcobucci Great thanks.

No problem. I should know how composer works. Thanks for the response.

Luís Cobucci

@lcobucci

:+1:

Rafael Mora

@titanve

Hello everyone! I'm using craftcms 3 with the plugin Craft JWT Auth which states: "The plugin will attempt to verify the token using the lcobucci/jwt package for PHP" the question is: do you know how do they work together? i mean lcobucci/jwt library and craftcms 3? Thank you.

Luís Cobucci

@lcobucci

Hello @titanve, unfortunately I'm not familiar with craftcms 3. However, after a quick look, it seems here lies your answer: https://github.com/edenspiekermann/craft-jwt-auth/blob/develop/src/services/JWT.php

Rafael Mora

@titanve

Hello @lcobucci thank you for the link it's very helpful. The thing is that how that it interacts because in NodeJS I have an express server using jsonwebtoken library and I can verify by a hash the password the user is sending and then generate the token and send it back and afterwards use the verify function in order to very all the upcoming transactions.

Rafael Mora

@titanve

Apparently is a TODO

Luís Cobucci

@lcobucci

Too bad. Although that might your chance to build it yourself and contribute to the craft-jwt-auth library :+1:

Hopefully, our docs should support you https://github.com/lcobucci/jwt/blob/3.3/README.md

Rafael Mora

@titanve

@lcobucci that's true! I'll try to do something with it

Roel

@roelzkie15

Hi gents, When is the recommended way to verify the token? in our program we have an endpoint which verify the token. So i used it every request to check token validity before proceeding to access protected resource on the server.

Luís Cobucci

@lcobucci

@roelzkie15 :wave:
That really depends on what you're using a JWT for :grimacing:

If you're using JWT for authentication, then I'd say you must always verify and validate. Otherwise, people might attack your system by tampering the token

Roel

@roelzkie15

@lcobucci nice one thanks for the pointer :rocket:

Luís Cobucci

@lcobucci

Glad to help :+1:

Everton da Silva

@evercan

Hello, I am some mistakes, <span style='background-color: #cc0000; color: #fce94f; font-size: x-large;'>( ! )</span> Fatal error:
Uncaught Zend\ServiceManager\Exception\ServiceNotFoundException: Unable to resolve service
"Lcobucci\JWT\Configuration" to a factory; are you certain you provided it during configuration? in
C:\xampp\htdocs\api\vendor\zendframework\zend-servicemanager\src\ServiceManager.php on line <i>687</i>

Luís Cobucci

@lcobucci

This looks like an integration of some tool to this lib... We don't provide any framework-related component

Luís Cobucci

@lcobucci

@evercan did you manage to solve the issue?

prudhvivijaykumar

@prudhvivijaykumar

Hi, While login I have generated JWT Token without expiration time. So while re-login with the same credentials then I want to destroy the previous token. Any solution.?

Luís Cobucci

@lcobucci

@prudhvivijaykumar that's a use-case for adding a storage layer to build a blacklist/whitelist of JTI (token identifiers) - I'd say a whitelist sounds more appropriate since you won't know which token to add to the blacklist when issuing a new one. You'd surely have to set the JTI on your tokens to be able to match things.

Bear in mind that not setting an expiration time may lead to security issues if the token gets stolen.