facile-it/php-jose-verifier
Composer 安装命令:
composer require facile-it/php-jose-verifier
包简介
JWT Token Verifier. A JWT verifier for access tokens, id tokens and others
README 文档
README
A library to validate JWT tokens.
How To Use
The suggested and simply way to use it (specially for OAuth2 and OpenID tokens) is using builders.
For better performance you should install ext-gmp.
Create verifiers from Issuer and Client Metadata
Usually an OpenID provider provides an openid-configuration (/.well-known/openid-configuration).
You can fetch the configuration and use it with builders, but usually only issuer and jwks_uri are necessary.
// Fetched issuer metadata: $issuerMetadata = [ 'issuer' => 'https://issuer-name', // The Issuer name 'jwks_uri' => 'https://jwks_uri', // The Issuer's JWK Set URI ];
The remote jwks_uri is the remote endpoint where the issuer public keys are exposed.
You also need the Client Metadata, usually the same provided from the OpenID Dynamic Registration
but you can just provide the client_id and optionally the client_secret (in case the tokens are signed with symmetric key using the client secret).
Verfiers and decrypters are automatically configured using the OpenID Dynamic Registration client metadata.
If you use encryption, you should inject your JWK Set in the configuration jwks keys.
// Client Metadata (complete configuration example) $clientMetadata = [ 'client_id' => 'my-client-id', 'client_secret' => 'my-client-secret', 'id_token_signed_response_alg' => 'RS256', 'id_token_encrypted_response_alg' => 'RSA-OAEP', 'id_token_encrypted_response_enc' => 'A128GCM', 'userinfo_signed_response_alg' => 'RS256', 'userinfo_encrypted_response_alg' => 'RSA-OAEP', 'userinfo_encrypted_response_enc' => 'A128GCM', 'jwks' => [ 'keys' => [ // client JWKs ], ], ];
use Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder; use Facile\JoseVerifier\Exception\InvalidTokenExceptionInterface; $builder = AccessTokenVerifierBuilder::create($issuerMetadata, $clientMetadata); $verifier = $builder->build(); try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }
The verifier will decrypt and validate the token for you. The result is the token payload.
Using cache to fetch remote JWK Set
Obviously you should not fetch the remote JWK Set on every request.
In order to use cache you can inject a partially configured
JwksProviderBuilder.
use Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder;use Facile\JoseVerifier\JWK\JwksProviderBuilder; // Use your PSR SimpleCache implementation $cache = $container->get(\Psr\SimpleCache\CacheInterface::class); $jwksProviderBuilder = (new JwksProviderBuilder()) ->withCache($cache) ->withCacheTtl(86400); // 86400 is the default value $builder = AccessTokenVerifierBuilder::create($issuerMetadata, $clientMetadata) ->withJwksProviderBuilder($jwksProviderBuilder); $verifier = $builder->build(); try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }
Provided verifiers
Access Token Verifier
The AccessTokenVerifier will validate a JWT access token.
use Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder; $builder = AccessTokenVerifierBuilder::create($issuerMetadata, $clientMetadata); $verifier = $builder->build(); try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }
ID Token Verifier
The IdTokenVerifier will validate an OpenID id_token.
Create the verifier:
use Facile\JoseVerifier\Builder\IdTokenVerifierBuilder; $builder = IdTokenVerifierBuilder::create($issuerMetadata, $clientMetadata); $verifier = $builder->build();
In order to validate an id_token you must provide some other parameters to the verifier
(note that all verifiers are immutable).
use Facile\JoseVerifier\IdTokenVerifierInterface; /** @var IdTokenVerifierInterface $verifier */ // Provide the `state` used in the Code Grant Flow (this should be provided id the `id_token` contains the `s_hash` claim) $verifier = $verifier->withState($state); // Optionally provide these parameters to validate the correct hash values: $verifier = $verifier ->withAccessToken($accessToken) // Provide the `access_token` used in the Code Grant Flow ->withCode($code) // Provide the `code` used in the Code Grant Flow try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }
UserInfo Verifier
When UserInfo returns a signed (and maybe encrypted) JWT as response content of the userinfo endpoint you can use this verifier to decrypt, verify, and obtain user info claims.
use Facile\JoseVerifier\Builder\UserInfoVerifierBuilder; $builder = UserInfoVerifierBuilder::create($issuerMetadata, $clientMetadata); $verifier = $builder->build(); try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }
facile-it/php-jose-verifier 适用场景与选型建议
facile-it/php-jose-verifier 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 806.93k 次下载、GitHub Stars 达 4, 最近一次更新时间为 2020 年 04 月 04 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「OpenId」 「oauth2」 「validate」 「token」 「jwt」 「JWS」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 facile-it/php-jose-verifier 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 facile-it/php-jose-verifier 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 facile-it/php-jose-verifier 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Runn Me! Validation and Sanitization Library
Ory-Hydra OAuth 2.0 Client Provider for The PHP League OAuth2-Client
Bare-bones OpenID Connect client
A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.
Customize JWT claims in Laravel Passport access tokens
Multi-provider authentication framework for PHP
统计信息
- 总下载量: 806.93k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 4
- 点击次数: 34
- 依赖项目数: 3
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2020-04-04