mittwald-flow/jwt-auth
======================

Authenticate users with JSON web tokens

PHP package for TYPO3 Flow, listed under Authentication & Authorization. Status on PHPackages: abandoned and archived; last pushed about ten years ago; one released version; no known dependents.

[Source](https://github.com/mittwald/flow-jwt-auth) | [Packagist](https://packagist.org/packages/mittwald-flow/jwt-auth)

Stateless authentication with JSON web tokens for TYPO3 Flow
============================================================

Author and Copyright
--------------------

Martin Helmich
Mittwald CM Service GmbH & Co. KG

This package is [MIT-licensed](LICENSE.txt).

Synopsis
--------

This package implements an authentication provider for TYPO3 Flow that authenticates users based on [JSON Web Tokens](http://jwt.io). JWTs can be supplied using a configurable custom HTTP header (`X-JWT` per default), a cookie or a query parameter.

Installation
------------

You can install this package using Composer:

```
$ composer require mittwald-flow/jwt-auth
```

Basic considerations and design choices
---------------------------------------

- This package does *authentication only*. It will not issue new tokens. Its only purpose is to authenticate users by JSON Web Tokens that were issued by a trusted third-party identity provider, so the security of your application rests on that provider and on the key you configure for verification.
- JWT authentication is stateless. Flow will not start a session for a JWT-authenticated request; every request is authenticated anew from the token it carries.
- Accounts authenticated by this package are not persisted. This is deliberate, since the claims for a user may change when the same user authenticates with a different token.

Configuration
-------------

There are several settings that you need to configure in your TYPO3 Flow settings.

### Verification key

This package needs a key to verify the signature of incoming tokens. Depending on how your identity provider signs its tokens, this is either a shared secret (a random character string) for tokens protected with a symmetric message authentication code (HMAC), or the provider's RSA public key for tokens signed with its RSA private key. The key must match the signing algorithm the provider actually uses; when deploying, confirm that tokens carrying a different `alg` header (including `none`) are rejected rather than checked against the wrong kind of key. To configure the key, use one of two settings:

1. `Mw.JwtAuth.security.key` to directly specify the key:

    ```
    Mw:
      JwtAuth:
        security:
          key: |
            -----BEGIN PUBLIC KEY-----
            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuurXQ9FbDxK9EQL9gw/f
            KJVdo/33j8zDOxemH6fV/KWp/fEMwez77GC3J5ze/A1o/ue4FVz/8fJ8PMGO3ag9
            drIHyWgs4FYBpQZ1BqA78b6nWJeJ8Zbsv71r+Bpb5UUJBBHZ85Sa13sl3ZN0L0E0
            XD/NYD1Sh31qoccZU57l6g4PWScxUZYGWc/OeT07HbUjaFzL/YpQZUKH+KoqoIOD
            UiZkf44ear4dGzNeR0UQ01VIZj7RaJ1uhAZVsNLoqPKGyjmgEZz70DDbMlxEXiMi
            Q/2Thd3bklr0IpZpL7JwHw9MrVS32NkustFgG6uYv/mvw10Zll9CCAUib3QIGlZV
            uQIDAQAB
            -----END PUBLIC KEY-----
    ```
2. `Mw.JwtAuth.security.keyUrl` to specify a `fopen`-able URL from which the key is retrieved. Whoever controls the content behind this URL can mint tokens your application accepts, so serve it over HTTPS from a host you control:

    ```
    Mw:
      JwtAuth:
        security:
          keyUrl: https://identity.service.consul/key
    ```

When you specify both settings, the `Mw.JwtAuth.security.key` setting will take precedence.

### Claim-to-account mapping

You can also configure how the claims encoded in the JWT are mapped to the TYPO3 Flow user account. For instance, when the JWT claims contain a field that describes a user type, you can map that field to a TYPO3 Flow role.

Consider a JWT claim like the following:

```
{
    "sub": "my-username",
    "type": "customer"
}
```

By default, the `sub` claim is used as the account identifier of the Flow user. You can change this by setting the `Mw.JwtAuth.claimMapping.accountIdentifierField` option.

Furthermore, you can configure which claim contains the user role and how to map claim values to known user roles:

```
Mw:
  JwtAuth:
    claimMapping:
      roleField: type
      roles:
        customer: My.ExamplePackage:Customer
        employee: My.ExamplePackage:Employee
```

### Token sources

You can also configure how the authentication provider extracts the JWT from the HTTP request. A JWT can be carried in a cookie, a custom request header or a query argument. You configure the token sources with the `Mw.JwtAuth.security.tokenSources` setting:

```
Mw:
  JwtAuth:
    security:
      tokenSources:
        - from: header
          name: X-Your-Custom-Header
        - from: cookie
          name: MyCookieName
```

This setting can contain a list of multiple token sources. Each of them is tried in sequence until one yields a token. Prefer the header or cookie sources; a token passed as a query argument is typically recorded in server access logs, browser history and outgoing `Referer` headers.
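The three settings above (verification key, claim-to-account mapping, token sources) describe one request-time procedure: pull a token from the configured sources in order, verify it against the configured key, then map its claims to an account identifier and a Flow role. The following stand-alone Python script walks through that procedure end to end. It is an added illustration, not code from this package or from TYPO3 Flow: the `SETTINGS` dictionary mirrors the README's `Mw.JwtAuth` keys, the `algorithm` entry is an assumption (the README documents no such setting) used to pin the expected `alg`, only HS256 with a shared secret is implemented (the RSA public-key case is not covered), and `make_token` stands in for the third-party identity provider so the example runs offline with constructed input.

```python
"""Stateless JWT authentication as the README's settings describe it.

Added example (not the package's own code). Stdlib only; HS256 only.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed settings mirroring the README's Mw.JwtAuth configuration keys.
# "algorithm" is an assumption of this example: the verifier pins the alg
# it expects instead of trusting the alg named in the token header.
SETTINGS = {
    "security": {
        "key": "constructed-shared-secret-for-the-example",
        "algorithm": "HS256",
        "tokenSources": [
            {"from": "header", "name": "X-JWT"},
            {"from": "cookie", "name": "jwt"},
            {"from": "query", "name": "token"},
        ],
    },
    "claimMapping": {
        "accountIdentifierField": "sub",
        "roleField": "type",
        "roles": {
            "customer": "My.ExamplePackage:Customer",
            "employee": "My.ExamplePackage:Employee",
        },
    },
}


class AuthError(Exception):
    """Raised when a token is present but must not be accepted."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def extract_token(request: dict, sources: list):
    """Try each configured source in order; the first one that holds a value wins.

    `request` is a constructed stand-in: {"header": {...}, "cookie": {...}, "query": {...}}.
    """
    for src in sources:
        value = request.get(src["from"], {}).get(src["name"])
        if value:
            return value
    return None


def verify_jwt(token: str, key: str, algorithm: str, now=None) -> dict:
    """Check structure, pinned algorithm, HMAC signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: the token must not choose how it is verified.
    # This rejects "none" and any alg other than the configured one.
    if header.get("alg") != algorithm:
        raise AuthError("unexpected alg %r" % header.get("alg"))
    if algorithm != "HS256":
        raise AuthError("only HS256 is implemented in this example")
    expected = hmac.new(key.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise AuthError("token expired")
    return claims


def map_claims(claims: dict, mapping: dict) -> dict:
    """Apply claimMapping: account identifier from one claim, role via the roles table."""
    ident = claims.get(mapping["accountIdentifierField"])
    if not ident:
        raise AuthError("missing account identifier claim")
    role_value = claims.get(mapping["roleField"])
    role = mapping["roles"].get(role_value)
    if role is None:
        raise AuthError("unmapped role %r" % role_value)
    return {"accountIdentifier": ident, "roles": [role]}


def authenticate(request: dict, settings: dict, now=None):
    """Full procedure; returns None when no token is present (anonymous request)."""
    sec = settings["security"]
    token = extract_token(request, sec["tokenSources"])
    if token is None:
        return None
    claims = verify_jwt(token, sec["key"], sec["algorithm"], now)
    return map_claims(claims, settings["claimMapping"])


def auth_outcome(request: dict, settings: dict, now=None) -> tuple:
    """authenticate() as a result tuple: ("ok", account_or_None) or ("rejected", reason)."""
    try:
        return ("ok", authenticate(request, settings, now))
    except AuthError as err:
        return ("rejected", str(err))


def make_token(claims: dict, key: str, alg: str = "HS256") -> str:
    """Stand-in for the identity provider (constructed). Signs only when alg is HS256."""
    h64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(key.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"


if __name__ == "__main__":
    key = SETTINGS["security"]["key"]
    good = make_token({"sub": "my-username", "type": "customer", "exp": 2_000_000_000}, key)
    print(auth_outcome({"header": {"X-JWT": good}}, SETTINGS))
    print(auth_outcome({"header": {"X-JWT": make_token({"sub": "x", "type": "employee"}, key, alg="none")}}, SETTINGS))
```

The order of checks matters: the algorithm is compared against the configured value before the signature is computed, so a token that declares `none` or a different algorithm never reaches the HMAC step, and an unmapped role value fails closed instead of yielding an account without roles.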
