JWT is cool. Unfortunately, almost all JWT implementations are too terse, complex or bloated, and they offer plenty of public APIs, a complex configuration approach and so on, which can be intimidating and confusing for a beginner trying to integrate JWT-based auth into a PHP web application.
Here is a full-featured, slim, dependency-free, framework-agnostic library that I wrote with simplicity in mind. It has been developed for several months already.
adhocore / php-jwt
Ultra lightweight, dependency free and standalone JSON web token (JWT) library for PHP5.6 to PHP8.2. This library makes JWT a cheese. It is a minimal JWT integration for PHP.
adhocore/jwt
If you are new to JWT or want to refresh your familiarity with it, please check jwt.io.
- Lightweight JSON Web Token (JWT) library for PHP7, PHP8 and beyond.
- Zero dependency (no vendor bloat).
- If you still use PHP5.6, use version 0.1.2
Installation
# PHP7.x, PHP8.x
composer require adhocore/jwt
# PHP5.6 (deprecated)
composer require adhocore/jwt:0.1.2
# For PHP5.4-5.5 (deprecated), use version 0.1.2 with a polyfill for https://php.net/hash_equals
Features
- Six algorithms supported: 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512'
- kid support.
- Leeway support 0-120 seconds.
- Timestamp spoofing for tests.
- Passphrase support for RS* algos.
Usage
use Ahc\Jwt\JWT;
// Instantiate with key, algo, maxAge and leeway.
$jwt = new JWT('secret', 'HS256', 3600, 10);
Only the key is required. Defaults will be used for the rest:
$jwt = new JWT('secret');
// algo
…
Installation
composer require adhocore/jwt
Usage
use Ahc\Jwt\JWT;
// Instantiate with key, algo, maxAge and leeway.
$jwt = new JWT('secret', 'HS256', 3600, 10);
// Only the key is required. Defaults will be used for the rest:
// algo = HS256, maxAge = 3600, leeway = 0
$jwt = new JWT('secret');
// For RS* algo, the key should be either a resource like below:
// Use at least 2048-bit RSA keys; 1024-bit keys are too weak for signing tokens.
$key = openssl_pkey_new(['digest_alg' => 'sha256', 'private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
// OR, a string with full path to the RSA private key like below:
$key = '/path/to/rsa.key';
// Then, instantiate JWT with this key and RS* as algo:
$jwt = new JWT($key, 'RS384');
// Generate JWT token from payload array.
$token = $jwt->encode([
'uid' => 1,
'aud' => 'http://site.com',
'scopes' => ['user'],
'iss' => 'http://api.mysite.com',
]);
// Retrieve the payload array.
$payload = $jwt->decode($token);
// Oneliner.
$token = (new JWT('topSecret', 'HS512', 1800))->encode(['uid' => 1, 'scopes' => ['user']]);
$payload = (new JWT('topSecret', 'HS512', 1800))->decode($token);
// Can pass extra headers into encode() with second parameter.
$token = $jwt->encode($payload, ['hdr' => 'hdr_value']);
// Spoof time() for testing token expiry.
$jwt->setTestTimestamp(time() + 10000);
// Throws Exception.
$jwt->parse($token);
// Call again without parameter to stop spoofing time().
$jwt->setTestTimestamp();
And for your peace of mind, allow me to mention that this library has been adopted for official listing.
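To make the key, algo, maxAge and leeway arguments concrete, here is an added sketch (not part of the original post and not adhocore/jwt's own code) of the checks an HS256 verifier performs: algorithm pinning, constant-time signature comparison with hash_equals, and expiry with leeway. The function names b64u_enc, b64u_dec, sign_hs256 and verify_hs256 are hypothetical, and the key, clock and claims are constructed sample values.

```php
<?php
// Added illustration, not adhocore/jwt source; all function names are hypothetical.
function b64u_enc(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64u_dec(string $txt): string
{
    $pad = str_repeat('=', (4 - strlen($txt) % 4) % 4); // restore the stripped padding
    return (string) base64_decode(strtr($txt, '-_', '+/') . $pad, true); // '' on invalid input
}

function sign_hs256(array $payload, string $key, int $maxAge, int $now): string
{
    $payload += ['iat' => $now, 'exp' => $now + $maxAge]; // maxAge becomes the exp claim
    $data = b64u_enc(json_encode(['typ' => 'JWT', 'alg' => 'HS256'])) . '.' . b64u_enc(json_encode($payload));
    return $data . '.' . b64u_enc(hash_hmac('sha256', $data, $key, true));
}

function verify_hs256(string $token, string $key, int $leeway, int $now): array
{
    // Missing or extra segments decode to '' and are rejected by the checks below.
    [$head, $body, $sig] = array_pad(explode('.', $token, 3), 3, '');
    $header = json_decode(b64u_dec($head), true);
    // Pin the algorithm on the verifier side; never let the token header pick it.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new UnexpectedValueException('Unexpected alg');
    }
    // Check the signature before trusting any claim, in constant time (hash_equals).
    if (!hash_equals(hash_hmac('sha256', "$head.$body", $key, true), b64u_dec($sig))) {
        throw new UnexpectedValueException('Bad signature');
    }
    $claims = json_decode(b64u_dec($body), true);
    // Leeway only absorbs clock skew: reject once now > exp + leeway.
    if (!is_array($claims) || !isset($claims['exp']) || $now > (int) $claims['exp'] + $leeway) {
        throw new UnexpectedValueException('Token expired or missing exp');
    }
    return $claims;
}

$t0 = 1700000000; // constructed demo values: fixed clock, key 'secret', maxAge 3600, leeway 10
$tok = sign_hs256(['uid' => 1, 'scopes' => ['user']], 'secret', 3600, $t0);
echo verify_hs256($tok, 'secret', 10, $t0 + 3605)['uid'], PHP_EOL; // 5 s past exp, inside leeway
try {
    verify_hs256($tok, 'secret', 10, $t0 + 3611); // 11 s past exp, outside leeway
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```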
Top comments (2)
Not sure that this implementation is any better than firebase/php-jwt. No support for EC or other algorithms ...
Alright, we can add that if that doesn't hurt the "lean architecture" philosophy of it.
Can you open an issue or PR?