by

Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Sep 28 20:53

    dependabot-preview[bot] on composer

    (compare)

  • Sep 28 20:53

    dependabot-preview[bot] on master

    Bump phpunit/php-invoker from 3… Merge pull request #430 from lc… (compare)

  • Sep 28 20:53
    dependabot-preview[bot] closed #430
  • Sep 28 20:52
    dependabot-preview[bot] milestoned #430
  • Sep 28 20:52
    dependabot-preview[bot] review_requested #430
  • Sep 28 20:52
    dependabot-preview[bot] labeled #430
  • Sep 28 20:52
    dependabot-preview[bot] opened #430
  • Sep 28 20:52

    dependabot-preview[bot] on composer

    Bump phpunit/php-invoker from 3… (compare)

  • Sep 28 13:17

    dependabot-preview[bot] on composer

    (compare)

  • Sep 28 13:17

    dependabot-preview[bot] on master

    Bump thecodingmachine/safe from… Merge pull request #419 from lc… (compare)

  • Sep 28 13:17
    dependabot-preview[bot] closed #419
  • Sep 28 13:16
    dependabot-preview[bot] synchronize #419
  • Sep 28 13:16

    dependabot-preview[bot] on composer

    Bump thecodingmachine/safe from… (compare)

  • Sep 28 13:16
    dependabot-preview[bot] edited #419
  • Sep 28 13:15
    dependabot-preview[bot] edited #419
  • Sep 28 13:15

    dependabot-preview[bot] on composer

    (compare)

  • Sep 28 13:15

    dependabot-preview[bot] on master

    Bump symfony/filesystem from 5.… Merge pull request #426 from lc… (compare)

  • Sep 28 13:15
    dependabot-preview[bot] closed #426
  • Sep 28 13:14
    dependabot-preview[bot] synchronize #419
  • Sep 28 13:14
    dependabot-preview[bot] edited #419
Luís Cobucci
@lcobucci
@roelzkie15 :wave:
That really depends on what you're using a JWT for :grimacing:
If you're using JWT for authentication, then I'd say you must always verify and validate. Otherwise, people might attack your system by tampering the token
Roel
@roelzkie15
@lcobucci nice one thanks for the pointer :rocket:
Luís Cobucci
@lcobucci
Glad to help :+1:
Everton da Silva
@evercan
Hello, I am some mistakes, <span style='background-color: #cc0000; color: #fce94f; font-size: x-large;'>( ! )</span> Fatal error:
Uncaught Zend\ServiceManager\Exception\ServiceNotFoundException: Unable to resolve service
"Lcobucci\JWT\Configuration" to a factory; are you certain you provided it during configuration? in
C:\xampp\htdocs\api\vendor\zendframework\zend-servicemanager\src\ServiceManager.php on line <i>687</i>
Luís Cobucci
@lcobucci
This looks like an integration of some tool to this lib... We don't provide any framework-related component
Luís Cobucci
@lcobucci
@evercan did you manage to solve the issue?
prudhvivijaykumar
@prudhvivijaykumar
Hi, While login I have generated JWT Token without expiration time. So while re-login with the same credentials then I want to destroy the previous token. Any solution.?
Luís Cobucci
@lcobucci

@prudhvivijaykumar that's a use-case for adding a storage layer to build a blacklist/whitelist of JTI (token identifiers) - I'd say a whitelist sounds more appropriate since you won't know which token to add to the blacklist when issuing a new one. You'd surely have to set the JTI on your tokens to be able to match things.

Bear in mind that not setting an expiration time may lead to security issues if the token gets stolen.

Tarun Jangra
@tarunjangra
@lcobucci Is there a way to create JSON web key document using this library?
Is there a way to create JSON web key document using this library?
Tarun Jangra
@tarunjangra

@lcobucci

Hey @frankvanrest, openid uses a jwk keyset and unfortunately we don't support it at the moment...

I think i found my answer. There is something else i need to find.

Abuabdellah
@Abuabdelah

Peace be upon those who follow guidance,

I'm using lcobucci/jwt:^4.0.0-alpha3 on Win 10

require __DIR__ . '/vendor/autoload.php';
// require __DIR__ . '/vendor/bin/autoload.php';
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;

$config = $container->get(Configuration::class);
assert($config instanceof Configuration);

$token = $config->getParser()->parse(
    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
    . 'eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
    . '2gSBz9EOsQRN9I-3iSxJoFt7NtgV6Rm0IL6a8CAwl3Q'
);

assert($token instanceof Plain);

$token->headers(); // Retrieves the token headers
$token->claims(); // Retrieves the token claims

echo $token->getHeader('name'); // will print "4f1g23a12aa"
echo $token->getClaim('iss'); // will print "http://example.com"
echo $token->getClaim('aud'); // will print "1"

But I get the following error!

Uncaught Error: Call to a member function on line of $config = $container->get(Configuration::class);

What is the reason?

Marco Pivetta
@Ocramius
Well, $container is not defined anywhere in your script :)
Abuabdellah
@Abuabdelah
@Ocramius I don't know about it I'm new in using the library
@Ocramius also the following gives error when trying to get some info from the OIDC response?
$tok = 'signature code';
$token = (new Parser())->parse((string) $tok); // Parses from a string
$token->getHeaders(); // Retrieves the token header
$token->getClaims(); // Retrieves the token claims

echo $token->getHeader('name'); // will print "4f1g23a12aa"
echo $token->getClaim('iss'); // will print "http://example.com"
echo $token->getClaim('aud'); // will print "1"

Uncaught Error: Cannot instantiate interface Fatal

Marco Pivetta
@Ocramius
You want to use Lcobucci\JWT\Token\Parser, not Lcobucci\JWT\Parser, which is the interface
Abuabdellah
@Abuabdelah
@Ocramius , that gives the following error:

Uncaught ArgumentCountError: Too few arguments to function Lcobucci\JWT\Token\Parser::__construct(), 0 passed in

Marco Pivetta
@Ocramius
Seems about right: I think you need to do more PHP class/object-based programming before jumping at a library though?
copy-pasting from the docs, especially in security-sensitive contexts like this one, won't get you far, and will only get you in trouble :|
Harish Durga
@harishdurga
How to add custom data to the token?
Marco Pivetta
@Ocramius
@harishdurga that's what "claims" are: some are reserved keys, but any keys defined on your end are up for grabs
Abuabdellah
@Abuabdelah
@Ocramius , I see that I asked for how to use not how extend the library!
Luís Cobucci
@lcobucci
@Abuabdelah have you read https://lcobucci-jwt.readthedocs.io/en/latest/configuration/?
And the note in the https://lcobucci-jwt.readthedocs.io/en/latest/issuing-tokens/ :)
biggunn
@biggunn
Hope this has a simple answer. Using V3.3.1. Trying to create a token per instructions here: https://github.com/lcobucci/jwt/blob/3.3/README.md#token-signature (using hmac signature) . When I try to return $token from my function all I get is {}. When I var_dump($token) it is giving me the entire object in string form, rather than just a JWT. Should it be necessary to parse out $token in order to get the JWT, or am I just misunderstanding how this is to be used? Obviously I am missing something basic. Thanks.
Marco Pivetta
@Ocramius
Can you show what you wrote?
biggunn
@biggunn
$signer = new Sha256();
$time = time();
    $token = (new Builder())->issuedBy('http://example.com') // Configures the issuer (iss claim)
    ->permittedFor('http://example.org') // Configures the audience (aud claim)
    ->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
    ->issuedAt($time) // Configures the time that the token was issue (iat claim)
    ->canOnlyBeUsedAfter($time + 60) // Configures the time that the token can be used (nbf claim)
    ->expiresAt($time + 3600) // Configures the expiration time of the token (exp claim)
    ->withClaim('uid', 1) // Configures a new claim, called "uid"
    ->getToken($signer, new Key(AZURE_PRIMARY_KEY_AUTH)); // Retrieves the generated token

    var_dump($token->getToken());

    return $token;
biggunn
@biggunn
Sorry, just realized the var_dump was the last thing i tried and not the actual issue I am having. so the above should be var_dump($token)
biggunn
@biggunn
So I am able to get the token if I do: $token->__toString(); is that how we are supposed to get it? or is there a better way?
Luís Cobucci
@lcobucci
@biggunn that's the current API. It's simpler if you cast it to string: (string) $token
mega94
@mega94
hi
mega94
@mega94
How do I extract data from the header? e.g. title: authorization
Luís Cobucci
@lcobucci
Hey @mega94, if you're using the stable version (v3. E
You can use the method Token#getHeader()
https://github.com/lcobucci/jwt/blob/3.3/README.md#creating
Bernard Longho
@blongho

Hello, i am trying to use this library to decrypt some information that that i encrypted in my application. I used C++ in encrypting the data and i want to decrypt same using PHP in the server. This is how the encryption was done. I use https://github.com/Thalhammer/jwt-cpp for encryption 

string encrypt(const std::string& input, const std::string& issuer, const std::string& key)
{
    auto token = jwt::create()
        .set_issuer(issuer)
        .set_type("JWS")
        .set_payload_claim("data", jwt::claim(input))
        .sign(jwt::algorithm::hs256{ key });
    return token;
}

I try to decrypt it using https://github.com/lcobucci/jwt/tree/3.3 in PHP 

$file_data = file_get_contents("php://input");
try {
    var_dump("Creating a new parser from the received data");
    $token = (new Parser())->parse((string) $file_data); // Parses from a
    // string
    var_dump($token);
    $headers = $token->getHeaders(); // Retrieves the token header
    $claims = $token->getClaims(); // Retrieves the token claims
    var_dump($headers);
    echo $headers;
    var_dump("After decoding");
    $json_decoded = json_decode($token, true);
    var_dump("After json decoding");
    $file = fopen("decrypted.json", "wb");
    fwrite($file, $json_decoded);
    var_dump("After writing to file");
    fclose($file);
    echo $json_decoded;
}
catch (Exception | InvalidArgumentException $e) {
    error_log("Error parsing the encoded data " . $e->getMessage(), 0);
    var_dump("There was an error" . $e->getMessage());
}

I get There was an error The JWT string must have two dots. Can someone help me out with the decrypting. I can confirm that the encrypted data is received in the server.

Is there anything i am missing or not doing rightly?

Luís Cobucci
@lcobucci
It seems like the data you're sending to the parser is not a jwt... Are you sure you want to read from php://input?
Bernard Longho
@blongho

From the source code link here, i understand that the Parser can parse both JWS and JWT?

Anyway, the snippet above worked. I had to specify the claims key inorder to get the tokens claims 

...
$claims = $token->getClaims(); // Retrieves the token claims
$claimsData =$claims["claims key"]; // This was the line i was missing. 
...

Thanks for the great work.

Bbun Yua
@bbunyua_twitter

This very basic test returns false for me on the verify-call. I'm on "lcobucci/jwt": "^3.3".
Am I doing something wrong? 

$token = (new Builder())
    ->gettoken(
        new Sha256(),
        new Key(file_get_contents('../jwtRS256.key'))
    );

dump($token->verify(
    new Sha256(),
    new Key(file_get_contents('../jwtRS256.key.pub'))
));

The public/private key were generated with:

ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
# no passphrase entered
openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
Bbun Yua
@bbunyua_twitter
Apparently I imported the wrong Sha256.. duh. Had the symmetric signer copy-pasted in accidently:
use Lcobucci\JWT\Signer\Hmac\Sha256; => use Lcobucci\JWT\Signer\Rsa\Sha256;
For the record if anyone comes here from Google.
Nicolai Cornelis
@nickdnk
Hey guys
I'm trying to implement Apples sign in, but I keep getting error:09FFF06C:PEM routines:CRYPTO_internal:no start line when I try to sign the JWT using the private key I downloaded from Apple. I set the Signer to Lcobucci\JWT\Signer\Ecdsa\Sha256 which seems to be in line with https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens, but I simply can't get it to work
Tried both the key in a file using file:// and heredoc-inlining it, which gives the same result 
$key = <<< PRIVATE_KEY
----BEGIN PRIVATE KEY-----
 // private key here
-----END PRIVATE KEY-----
PRIVATE_KEY;

$signer = new \Lcobucci\JWT\Signer\Ecdsa\Sha256();
$time = time();

return (new Builder())->issuedBy(self::TEAM_ID) // iss claim
->permittedFor('https://appleid.apple.com') // aud claim
->expiresAt($time + 3600) // exp claim
->issuedAt($time) // iat claim
->relatedTo(self::APP_ID) // sub claim
->withHeader('kid', self::PRIVATE_KEY_ID) // kid header
->getToken($signer, new Key($key));
Nicolai Cornelis
@nickdnk
It works if I pass in file_get_contents('key.p8') using the file I get from Apple, but I don't understand what the difference is
The new key I generated also works inline. I have no idea why. I suppose I somehow removed some line breaks or whitespace that messed up the format.
Roman Korobeynikov
@rkorobeynikov

Hey guys, just tried to use v4 branch and got error:
Uncaught exception: The header "typ" must be present
According to standard: https://tools.ietf.org/html/rfc7519#page-11

5.1. "typ" (Type) Header Parameter
...
Use of this Header Parameter is OPTIONAL.

In this case shouldn't it be removed?
if (! isset($header['typ'])) { throw new InvalidArgumentException('The header "typ" must be present'); }

Marco Pivetta
@Ocramius
@rkorobeynikov where is that specifically?
@rkorobeynikov and could you maybe have a code snippet that leads to this failure? We can then write a test around it :)