facile-it / php-jose-verifier
JWT令牌验证器。用于访问令牌、ID令牌和其他令牌的JWT验证器
Requires
- php: ^8.1
- ext-json: *
- nyholm/psr7: ^1.8
- psr/http-client: ^1.0
- psr/http-message: ^1.0 || ^2.0
- psr/simple-cache: ^1.0 || ^2.0 || ^3.0
- spomky-labs/base64url: ^2.0.1
- symfony/http-client: ^6.0 || ^7.0
- symfony/polyfill-mbstring: ^1.15
- web-token/jwt-library: ^3.4
Requires (Dev)
- facile-it/facile-coding-standard: ^1.2.0
- friendsofphp/php-cs-fixer: ^3.14.3
- phpspec/prophecy-phpunit: ^2.0.1
- phpstan/phpstan: ^1.10
- phpunit/phpunit: ^10.5.20 || ^11.1.0
- spomky-labs/aes-key-wrap: ^7.0
- vimeo/psalm: ^5.23.1
- web-token/jwt-library: ^3.4.3
This package is auto-updated.
Last update: 2024-08-27 13:31:19 UTC
README
一个用于验证JWT令牌的库。
如何使用
建议和简单的使用方法是使用构建器(尤其是对于OAuth2和OpenID令牌)。
为了更好的性能,您应该安装ext-gmp
。
从发行者和客户端元数据创建验证器
通常OpenID提供者会提供一个openid-configuration(/.well-known/openid-configuration
)。
您可以获取配置并使用构建器,但通常只需要issuer
和jwks_uri
。
// Fetched issuer metadata: $issuerMetadata = [ 'issuer' => 'https://issuer-name', // The Issuer name 'jwks_uri' => 'https://jwks_uri', // The Issuer's JWK Set URI ];
远程jwks_uri
是发行者公钥公开的远程端点。
您还需要客户端元数据,通常与OpenID动态注册提供的内容相同,但您可以只提供client_id
,以及可选的client_secret
(如果令牌使用对称密钥并使用客户端密钥进行签名)。
验证器和解密器将自动使用OpenID动态注册客户端元数据进行配置。
如果您使用加密,您应该在配置中的jwks
密钥中注入您的JWK集。
// Client Metadata (complete configuration example) $clientMetadata = [ 'client_id' => 'my-client-id', 'client_secret' => 'my-client-secret', 'id_token_signed_response_alg' => 'RS256', 'id_token_encrypted_response_alg' => 'RSA-OAEP', 'id_token_encrypted_response_enc' => 'A128GCM', 'userinfo_signed_response_alg' => 'RS256', 'userinfo_encrypted_response_alg' => 'RSA-OAEP', 'userinfo_encrypted_response_enc' => 'A128GCM', 'jwks' => [ 'keys' => [ // client JWKs ], ], ];
use Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder; use Facile\JoseVerifier\Exception\InvalidTokenExceptionInterface; $builder = AccessTokenVerifierBuilder::create($issuerMetadata, $clientMetadata); $verifier = $builder->build(); try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }
验证器将为您解密和验证令牌。结果是令牌有效载荷。
使用缓存来获取远程JWK集
显然,您不应该在每次请求时都获取远程JWK集。为了使用缓存,您可以注入一个部分配置的JwksProviderBuilder
。
use Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder;use Facile\JoseVerifier\JWK\JwksProviderBuilder; // Use your PSR SimpleCache implementation $cache = $container->get(\Psr\SimpleCache\CacheInterface::class); $jwksProviderBuilder = (new JwksProviderBuilder()) ->withCache($cache) ->withCacheTtl(86400); // 86400 is the default value $builder = AccessTokenVerifierBuilder::create($issuerMetadata, $clientMetadata) ->withJwksProviderBuilder($jwksProviderBuilder); $verifier = $builder->build(); try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }
提供的验证器
访问令牌验证器
AccessTokenVerifier将验证JWT访问令牌。
use Facile\JoseVerifier\Builder\AccessTokenVerifierBuilder; $builder = AccessTokenVerifierBuilder::create($issuerMetadata, $clientMetadata); $verifier = $builder->build(); try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }
ID令牌验证器
IdTokenVerifier将验证OpenID的id_token
。
创建验证器
use Facile\JoseVerifier\Builder\IdTokenVerifierBuilder; $builder = IdTokenVerifierBuilder::create($issuerMetadata, $clientMetadata); $verifier = $builder->build();
为了验证id_token
,您必须向验证器提供一些其他参数(请注意,所有验证器都是不可变的)。
use Facile\JoseVerifier\IdTokenVerifierInterface; /** @var IdTokenVerifierInterface $verifier */ // Provide the `state` used in the Code Grant Flow (this should be provided id the `id_token` contains the `s_hash` claim) $verifier = $verifier->withState($state); // Optionally provide these parameters to validate the correct hash values: $verifier = $verifier ->withAccessToken($accessToken) // Provide the `access_token` used in the Code Grant Flow ->withCode($code) // Provide the `code` used in the Code Grant Flow try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }
用户信息验证器
当UserInfo返回作为userinfo端点响应内容的签名(可能加密)JWT时,您可以使用此验证器来解密、验证并获取用户信息声明。
use Facile\JoseVerifier\Builder\UserInfoVerifierBuilder; $builder = UserInfoVerifierBuilder::create($issuerMetadata, $clientMetadata); $verifier = $builder->build(); try { $payload = $verifier->verify($jwt); } catch (InvalidTokenExceptionInterface $e) { // your logic here }