Luís Cobucci
@lcobucci
Hello @titanve, unfortunately I'm not familiar with craftcms 3. However, after a quick look, it seems here lies your answer: https://github.com/edenspiekermann/craft-jwt-auth/blob/develop/src/services/JWT.php
Rafael Mora
@titanve
Hello @lcobucci thank you for the link, it's very helpful. The thing is how it interacts, because in NodeJS I have an express server using jsonwebtoken library and I can verify by a hash the password the user is sending and then generate the token and send it back and afterwards use the verify function in order to verify all the upcoming transactions.
Rafael Mora
@titanve
Apparently it is a TODO
Luís Cobucci
@lcobucci
Too bad. Although that might be your chance to build it yourself and contribute to the craft-jwt-auth library :+1:
Hopefully, our docs should support you https://github.com/lcobucci/jwt/blob/3.3/README.md
Rafael Mora
@titanve
@lcobucci that's true! I'll try to do something with it
Roel
@roelzkie15
Hi gents, when is the recommended way to verify the token? In our program we have an endpoint which verifies the token. So I used it every request to check token validity before proceeding to access protected resource on the server.
Luís Cobucci
@lcobucci
@roelzkie15 :wave:
That really depends on what you're using a JWT for :grimacing:
If you're using JWT for authentication, then I'd say you must always verify and validate. Otherwise, people might attack your system by tampering with the token.
Roel
@roelzkie15
@lcobucci nice one thanks for the pointer :rocket:
Luís Cobucci
@lcobucci
Glad to help :+1:
Everton da Silva
@evercan
Hello, I am some mistakes, ( ! ) Fatal error:
Uncaught Zend\ServiceManager\Exception\ServiceNotFoundException: Unable to resolve service
"Lcobucci\JWT\Configuration" to a factory; are you certain you provided it during configuration? in
C:\xampp\htdocs\api\vendor\zendframework\zend-servicemanager\src\ServiceManager.php on line 687
Luís Cobucci
@lcobucci
This looks like an integration of some tool to this lib... We don't provide any framework-related component
Luís Cobucci
@lcobucci
@evercan did you manage to solve the issue?
prudhvivijaykumar
@prudhvivijaykumar
Hi, while logging in I have generated a JWT token without expiration time. So while re-logging in with the same credentials I want to destroy the previous token. Any solution?
Luís Cobucci
@lcobucci

@prudhvivijaykumar that's a use-case for adding a storage layer to build a blacklist/whitelist of JTI (token identifiers) - I'd say a whitelist sounds more appropriate since you won't know which token to add to the blacklist when issuing a new one. You'd surely have to set the JTI on your tokens to be able to match things.

Bear in mind that not setting an expiration time may lead to security issues if the token gets stolen.

Tarun Jangra
@tarunjangra
@lcobucci Is there a way to create JSON web key document using this library?
Tarun Jangra
@tarunjangra

@lcobucci

Hey @frankvanrest, openid uses a jwk keyset and unfortunately we don't support it at the moment...

I think I found my answer. There is something else I need to find.

Abuabdellah
@Abuabdelah

Peace be upon those who follow guidance,

I'm using lcobucci/jwt:^4.0.0-alpha3 on Win 10

require __DIR__ . '/vendor/autoload.php';
// require __DIR__ . '/vendor/bin/autoload.php';
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;

$config = $container->get(Configuration::class);
assert($config instanceof Configuration);

$token = $config->getParser()->parse(
    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
    . 'eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
    . '2gSBz9EOsQRN9I-3iSxJoFt7NtgV6Rm0IL6a8CAwl3Q'
);

assert($token instanceof Plain);

$token->headers(); // Retrieves the token headers
$token->claims(); // Retrieves the token claims

echo $token->getHeader('name'); // will print "4f1g23a12aa"
echo $token->getClaim('iss'); // will print "http://example.com"
echo $token->getClaim('aud'); // will print "1"

But I get the following error!

Uncaught Error: Call to a member function on line of $config = $container->get(Configuration::class);

What is the reason?

Marco Pivetta
@Ocramius
Well, $container is not defined anywhere in your script :)
Abuabdellah
@Abuabdelah
@Ocramius I don't know about it I'm new in using the library
@Ocramius also the following gives error when trying to get some info from the OIDC response?
$tok = 'signature code';
$token = (new Parser())->parse((string) $tok); // Parses from a string
$token->getHeaders(); // Retrieves the token header
$token->getClaims(); // Retrieves the token claims

echo $token->getHeader('name'); // will print "4f1g23a12aa"
echo $token->getClaim('iss'); // will print "http://example.com"
echo $token->getClaim('aud'); // will print "1"

Uncaught Error: Cannot instantiate interface Fatal

Marco Pivetta
@Ocramius
You want to use Lcobucci\JWT\Token\Parser, not Lcobucci\JWT\Parser, which is the interface
Abuabdellah
@Abuabdelah
@Ocramius , that gives the following error:

Uncaught ArgumentCountError: Too few arguments to function Lcobucci\JWT\Token\Parser::__construct(), 0 passed in

Marco Pivetta
@Ocramius
Seems about right: I think you need to do more PHP class/object-based programming before jumping at a library though?
copy-pasting from the docs, especially in security-sensitive contexts like this one, won't get you far, and will only get you in trouble :|
Harish Durga
@harishdurga
How to add custom data to the token?
Marco Pivetta
@Ocramius
@harishdurga that's what "claims" are: some are reserved keys, but any keys defined on your end are up for grabs
Abuabdellah
@Abuabdelah
@Ocramius, I see that I asked for how to use, not how to extend the library!
Luís Cobucci
@lcobucci
biggunn
@biggunn
Hope this has a simple answer. Using V3.3.1. Trying to create a token per instructions here: https://github.com/lcobucci/jwt/blob/3.3/README.md#token-signature (using hmac signature) . When I try to return $token from my function all I get is {}. When I var_dump($token) it is giving me the entire object in string form, rather than just a JWT. Should it be necessary to parse out $token in order to get the JWT, or am I just misunderstanding how this is to be used? Obviously I am missing something basic. Thanks.
Marco Pivetta
@Ocramius
Can you show what you wrote?
biggunn
@biggunn
$signer = new Sha256();
$time = time();
$token = (new Builder())->issuedBy('http://example.com') // Configures the issuer (iss claim)
    ->permittedFor('http://example.org') // Configures the audience (aud claim)
    ->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
    ->issuedAt($time) // Configures the time that the token was issued (iat claim)
    ->canOnlyBeUsedAfter($time + 60) // Configures the time that the token can be used (nbf claim)
    ->expiresAt($time + 3600) // Configures the expiration time of the token (exp claim)
    ->withClaim('uid', 1) // Configures a new claim, called "uid"
    ->getToken($signer, new Key(AZURE_PRIMARY_KEY_AUTH)); // Retrieves the generated token

var_dump($token->getToken());

return $token;
biggunn
@biggunn
Sorry, just realized the var_dump was the last thing I tried and not the actual issue I am having. So the above should be var_dump($token)
biggunn
@biggunn
So I am able to get the token if I do: $token->__toString(); is that how we are supposed to get it? or is there a better way?
Luís Cobucci
@lcobucci
@biggunn that's the current API. It's simpler if you cast it to string: (string) $token
mega94
@mega94
hi
mega94
@mega94
How do I extract data from the header? e.g. title: authorization
Luís Cobucci
@lcobucci
Hey @mega94, if you're using the stable version (v3. E
You can use the method Token#getHeader()
Bernard Longho
@blongho

Hello, I am trying to use this library to decrypt some information that I encrypted in my application. I used C++ in encrypting the data and I want to decrypt same using PHP in the server. This is how the encryption was done. I use https://github.com/Thalhammer/jwt-cpp for encryption

string encrypt(const std::string& input, const std::string& issuer, const std::string& key)
{
    auto token = jwt::create()
        .set_issuer(issuer)
        .set_type("JWS")
        .set_payload_claim("data", jwt::claim(input))
        .sign(jwt::algorithm::hs256{ key });
    return token;
}

I try to decrypt it using https://github.com/lcobucci/jwt/tree/3.3 in PHP

$file_data = file_get_contents("php://input");
try {
    var_dump("Creating a new parser from the received data");
    $token = (new Parser())->parse((string) $file_data); // Parses from a
    // string
    var_dump($token);
    $headers = $token->getHeaders(); // Retrieves the token header
    $claims = $token->getClaims(); // Retrieves the token claims
    var_dump($headers);
    echo $headers;
    var_dump("After decoding");
    $json_decoded = json_decode($token, true);
    var_dump("After json decoding");
    $file = fopen("decrypted.json", "wb");
    fwrite($file, $json_decoded);
    var_dump("After writing to file");
    fclose($file);
    echo $json_decoded;
}
catch (Exception | InvalidArgumentException $e) {
    error_log("Error parsing the encoded data " . $e->getMessage(), 0);
    var_dump("There was an error" . $e->getMessage());
}

I get There was an error The JWT string must have two dots. Can someone help me out with the decrypting. I can confirm that the encrypted data is received in the server.

Is there anything I am missing or not doing rightly?

Luís Cobucci
@lcobucci
It seems like the data you're sending to the parser is not a jwt... Are you sure you want to read from php://input?
Bernard Longho
@blongho

From the source code link here, I understand that the Parser can parse both JWS and JWT?

Anyway, the snippet above worked. I had to specify the claims key in order to get the token's claims

...
$claims = $token->getClaims(); // Retrieves the token claims
$claimsData = $claims["claims key"]; // This was the line I was missing.
...

Thanks for the great work.

Bbun Yua
@bbunyua_twitter

This very basic test returns false for me on the verify-call. I'm on "lcobucci/jwt": "^3.3".
Am I doing something wrong?

$token = (new Builder())
    ->gettoken(
        new Sha256(),
        new Key(file_get_contents('../jwtRS256.key'))
    );

dump($token->verify(
    new Sha256(),
    new Key(file_get_contents('../jwtRS256.key.pub'))
));

The public/private key were generated with:

ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
# no passphrase entered
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
Bbun Yua
@bbunyua_twitter
Apparently I imported the wrong Sha256.. duh. Had the symmetric signer copy-pasted in accidentally:
use Lcobucci\JWT\Signer\Hmac\Sha256; => use Lcobucci\JWT\Signer\Rsa\Sha256;
For the record if anyone comes here from Google.
Nicolai Cornelis
@nickdnk
Hey guys