PHPackages kleijnweb/jwt-bundle - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. kleijnweb/jwt-bundle AbandonedArchivedSymfony-bundle[Authentication & Authorization](/categories/authentication) kleijnweb/jwt-bundle ==================== Symfony JWT authentication with support for asymmetric keys and externally loaded secrets v1.0.3(8y ago)51.0k2[6 issues](https://github.com/kleijnweb/jwt-bundle/issues)LGPL-3.0PHPPHP ^7.0.0 Since Nov 21Pushed 2y ago2 watchersCompare [ Source](https://github.com/kleijnweb/jwt-bundle)[ Packagist](https://packagist.org/packages/kleijnweb/jwt-bundle)[ RSS](/packages/kleijnweb-jwt-bundle/feed)WikiDiscussions master Synced 2mo ago READMEChangelog (6)Dependencies (18)Versions (11)Used By (0) This project is no longer maintained ==================================== [](#this-project-is-no-longer-maintained) KleijnWeb\\JwtBundle ==================== [](#kleijnwebjwtbundle) [![Build Status](https://camo.githubusercontent.com/54fc5e088a97cbc8d3dbcbdf4579ce842f74bd8bb9d0b9d855830862e622ff96/68747470733a2f2f7472617669732d63692e6f72672f6b6c65696a6e7765622f6a77742d62756e646c652e7376673f6272616e63683d6d6173746572)](https://travis-ci.org/kleijnweb/jwt-bundle)[![Coverage Status](https://camo.githubusercontent.com/08f6cd90cd3f0fe9dade1064fd02476cd8070bb6f21869000faa1fc344fbf927/68747470733a2f2f636f766572616c6c732e696f2f7265706f732f6769746875622f6b6c65696a6e7765622f6a77742d62756e646c652f62616467652e7376673f6272616e63683d6d6173746572)](https://coveralls.io/github/kleijnweb/jwt-bundle?branch=master)[![Scrutinizer Code Quality](https://camo.githubusercontent.com/f30f93ff448b49f3a7f770a99201735daf97908be4d321d018a97e216628a26b/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6b6c65696a6e7765622f6a77742d62756e646c652f6261646765732f7175616c6974792d73636f72652e706e673f623d6d6173746572)](https://scrutinizer-ci.com/g/kleijnweb/jwt-bundle/?branch=master)[![Latest Stable Version](https://camo.githubusercontent.com/56f3d10fcafa04e649c5ce0a08e5a0331bb7546516db79f6d6b8d82be6f83228/68747470733a2f2f706f7365722e707567782e6f72672f6b6c65696a6e7765622f6a77742d62756e646c652f762f737461626c65)](https://packagist.org/packages/kleijnweb/jwt-bundle) Integrate JWT API tokens for authentication. Go to the [release page](https://github.com/kleijnweb/jwt-bundle/releases) to find details about the latest release. For an example see [swagger-bundle-example](https://github.com/kleijnweb/swagger-bundle-example). *NOTE:* Looking for PHP <7.0 and Symfony <2.8.7 support? Use a 0.x version. Install ------- [](#install) Install using composer (`composer require kleijnweb/jwt-bundle`). You want to check out the [release page](https://github.com/kleijnweb/jwt-bundle/releases) to ensure you are getting what you want and optionally verify your download. Authentication -------------- [](#authentication) The token is validated using standard (reserved) JWT claims: NameTypeDescription`exp`int \[1\]Expiration time must be omitted \[3\] or be smaller than `time() + leeway` \[2\].`nbf`int \[1\]"Not before", token validity start time, must be omitted \[3\] or greater than or equal to `time() - leeway` \[2\].`iat`int \[1\]The time the token was issued, must be omitted \[3\] or smaller than configured `minIssueTime + leeway`. Required when `minIssueTime` configured.`iss`stringIssuer of the token, must match configured `issuer`. Required when `issuer` configured.`aud`stringJWT "audience", must be omitted \[3\] or match configured `audience` if configured. Required when `audience` configured.`sub`stringJWT "subject". Used as `username` for Symfony Security integration. Always required (or its alias), without it the "Resource Owner cannot be identified.`prn`stringJWT "principle". Deprecated alias for `sub`, used in older versions of the JWT RFC.`jti`stringJWT "ID". Not used, will be ignored.`typ`stringNot used, will be ignored.- \[1\] Unix time - \[2\] The `leeway` allows a difference in seconds between the issuer of the token and the server running your app with JwtBundle. Keep at a low number, defaults to 0. - \[3\] Mark any claim required, including custom (non-reserved) ones, using the `require` configuration option. All other claims encountered are ignored. The JWT header is checked for `kid` (see below) and `alg`, which must match the `type` value of the key configuration. ### Keys [](#keys) The authenticator supports multiple keys, and allows all options to be configured per `kid` (key ID, which must be included in the JWT header when more than 1 key is configured): ``` jwt: keys: keyOne: # Only one key, 'kid' is optional (but must match when provided) issuer: http://api.server.com/oauth2/token # OAuth2 example, but could be any string value audience: ~ # NULL, accept any minIssueTime: 1442132949 # Reject 'old' tokens, regardless of 'exp' require: [nbf, exp, my-claim] # Mark claims as required leeway: 5 # Allow 5 seconds of time de-synchronization (both ways) between this server and api.server.com ``` JwtBundle and the issuer must share a secret in order for JwtBundle to be able to verify tokens. You can choose between a *pre shared key* (PSK) or *asymmetric keys*. ``` jwt: keys: keyOne: # Must match 'kid' issuer: http://api.server1.com/oauth2/token secret: 'A Pre-Shared Key' # type: Defaults to HS256 (HMACSHA256). All options: HS256, HS512, RS256 and RS512 keyTwo: # Must match 'kid' issuer: http://api.server2.com/oauth2/token type: RS256 # RSA SHA256, needed for asymmetric keys secret: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwND1VMVJ3BC/aM38tQRH 2GDHecXE8EsGoeAeBR5dFt3QC1/Eoub/F2kee3RBtI6I+kDBjrSDz5lsqh3Sm7N/ 47fTKZLvdBaHbCuYXVBQ2tZeEiUBESnsY2HUzXDlqSyDWohuiYeeL6gewxe1CnSE 0l8gYZ0Tx4ViPFYulva6siew0f4tBuSEwSPiKZQnGcssQYJ/VevTD6L4wGoDhkXV VvJ+qiNgmXXssgCl5vHs22y/RIgeOnDhkj81aB9Evx9iR7DOtyRBxnovrbN5gDwX m6IDw3fRhZQrVwZ816/eN+1sqpIMZF4oo4kRA4b64U04ex67A/6BwDDQ3LH0mD4d EwIDAQAB -----END PUBLIC KEY----- ``` To use *asymmetric keys*, `type` MUST be set to `RS256` or `RS512`. The secret in this case is the public key of the issuer. ### Loading Secrets From An External Source [](#loading-secrets-from-an-external-source) Instead of configuring secrets statically, they can also be loaded dynamically, using any data available in the JWT token. Example configuration: ``` jwt: keys: keyThree: # Must match 'kid' issuer: http://api.server1.com/oauth2/token loader: 'my.loader.di.key' ``` The loader must implement `KleijnWeb\JwtBundle\Authenticator\SecretLoader`. A simple example that loads the secret from an ambiguous data store: ``` use KleijnWeb\JwtBundle\Authenticator\JwtToken; use KleijnWeb\JwtBundle\Authenticator\SecretLoader; class SimpleSecretLoader implements SecretLoader { /** * @var DataStore */ private $store; /** * @param DataStore $store */ public function __construct(DataStore $store) { $this->store = $store; } /** * @param JwtToken $token * * @return string */ public function load(JwtToken $token) { return $this->store->loadSecretByUsername($token->getClaims()['sub']); } } ``` You could use any information available in the token, such as the `kid`, `alg` or any custom claims. You cannot configure both `secret` and `loader`. Be sure to throw an `AuthenticationException` when appropriate (eg missing claims needed for loading secret). ### Integration Into Symfony Security [](#integration-into-symfony-security) Synopsis: ``` security: firewalls: default: stateless: true jwt: header: X-Header-Name # Defaults to "Authorization", in which case encountered "Bearer" prefixes are stripped provider: jwt providers: jwt: id: jwt.user_provider ``` Using the bundled user provider is optional. This will produce user objects from the token data alone with roles produced from the `aud` claim (and `IS_AUTHENTICATED_FULLY` whether `aud` was set or not). ### Assigning audience to user roles using an alternate UserProvider [](#assigning-audience-to-user-roles-using-an-alternate-userprovider) JwtBundle can assign the audience claims in the JwtToken to the User objects user roles properties. Ideally, this is done in the UserProvider, so that the groups cannot be modified. If this is an acceptable risk, you do not want to use JwtUser/JwtUserProvider, but *do* want JwtBundle to copy `aud` claims to user roles, you can have your User class implement the `KleijnWeb\JwtBundle\User\UnsafeGroupsUserInterface` interface, and JwtBundle will add the roles *after* the user is loaded from the provider. This behavior may be removed in future versions. *NOTE:* This function *only* copies the the roles from the token. ### Issuing Token [](#issuing-token) Issuing tokens is currently limited to `HS256`. To create a token string: ``` $token = new JwtToken([ 'header' => [ 'alg' => 'HS256', 'typ' => 'JWT', 'kid' => 'Optional Key ID' ], 'claims' => [ /* Array of claims */ ], 'secret' => 'Your Secret' ]); $token->getTokenString(); ``` License ------- [](#license) KleijnWeb\\JwtBundle is made available under the terms of the [LGPL, version 3.0](https://spdx.org/licenses/LGPL-3.0.html#licenseText). ### Health Score 27 — LowBetter than 49% of packages Maintenance0 Infrequent updates — may be unmaintained Popularity20 Limited adoption so far Community13 Small or concentrated contributor base Maturity64 Established project with proven stability Bus Factor1 Top contributor holds 73.2% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~87 days Recently: every ~32 days Total 11 Last Release 2957d ago Major Versions v0.12.0 → v1.0.02017-04-06 v0.12.1 → v1.0.22018-04-03 PHP version history (2 changes)v0.9.0PHP >=5.4.0 v1.0.0PHP ^7.0.0 ### Community Maintainers ![](https://www.gravatar.com/avatar/cd6223a727c26ae6be208c1159924e9a2b43a9b11ae0da3afa1e641a49873fae?d=identicon)[kleijnweb](/maintainers/kleijnweb) --- Top Contributors [![johnknl](https://avatars.githubusercontent.com/u/8375560?v=4)](https://github.com/johnknl "johnknl (52 commits)")[![PBXg33k](https://avatars.githubusercontent.com/u/1777196?v=4)](https://github.com/PBXg33k "PBXg33k (18 commits)")[![Zwartpet](https://avatars.githubusercontent.com/u/1200202?v=4)](https://github.com/Zwartpet "Zwartpet (1 commits)") ### Code Quality TestsPHPUnit Code StylePHP\_CodeSniffer ### Embed Badge ![Health badge](/badges/kleijnweb-jwt-bundle/health.svg) ``` [![Health](https://phpackages.com/badges/kleijnweb-jwt-bundle/health.svg)](https://phpackages.com/packages/kleijnweb-jwt-bundle) ``` ### Alternatives [sylius/sylius E-Commerce platform for PHP, based on Symfony framework. 8.4k5.6M651](/packages/sylius-sylius)[prestashop/prestashop PrestaShop is an Open Source e-commerce platform, committed to providing the best shopping cart experience for both merchants and customers. 9.0k15.4k](/packages/prestashop-prestashop)[simplesamlphp/simplesamlphp A PHP implementation of a SAML 2.0 service provider and identity provider. 1.1k12.4M193](/packages/simplesamlphp-simplesamlphp)[sulu/sulu Core framework that implements the functionality of the Sulu content management system 1.3k1.3M152](/packages/sulu-sulu)[contao/core-bundle Contao Open Source CMS 1231.6M2.4k](/packages/contao-core-bundle)[gesdinet/jwt-refresh-token-bundle Implements a refresh token system over Json Web Tokens in Symfony 70516.4M35](/packages/gesdinet-jwt-refresh-token-bundle) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)