TheLazy.Dev
Portfolio GitHub

Blog

php |jwt |auth |showdev

Minimalist yet powerful PHP JWT library

adhocore

Jitendra

Posted on August 18, 2018

Minimalist yet powerful PHP JWT library

JWT is cool. But unfortunately almost all JWT implementations are too terse, complex, bloated and offer plenty of public APIs, complex configuration approach etc which can be intimidating and confusing for a starter trying to integrate JWT based auth in any PHP based web application.
Here is a full featured, slim, dependency free, framework agnostic library that I wrote with simplicity in mind. It has been developed for several months already.

GitHub logo adhocore / php-jwt

Ultra lightweight, dependency free and standalone JSON web token (JWT) library for PHP5.6 to PHP8.2. This library makes JWT a cheese. It is a minimal JWT integration for PHP.

adhocore/jwt

If you are new to JWT or want to refresh your familiarity with it, please check jwt.io

Latest Version Build Scrutinizer CI Codecov branch StyleCI Software License Tweet Support

  • Lightweight JSON Web Token (JWT) library for PHP7, PHP8 and beyond.
  • Zero dependency (no vendor bloat).
  • If you still use PHP5.6, use version 0.1.2

Installation

# PHP7.x, PHP8.x
composer require adhocore/jwt

# PHP5.6 (deprecated)
composer require adhocore/jwt:0.1.2

# For PHP5.4-5.5 (deprecated), use version 0.1.2 with a polyfill for https://php.net/hash_equals
Enter fullscreen mode Exit fullscreen mode

Features

  • Six algorithms supported:
'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512'
  • kid support.
  • Leeway support 0-120 seconds.
  • Timestamp spoofing for tests.
  • Passphrase support for RS* algos.

Usage

use Ahc\Jwt\JWT;

// Instantiate with key, algo, maxAge and leeway.
$jwt = new JWT('secret', 'HS256', 3600, 10);
Enter fullscreen mode Exit fullscreen mode

Only the key is required. Defaults will be used for the rest:

$jwt = new JWT('secret')
// algo
Enter fullscreen mode Exit fullscreen mode
View on GitHub

Installation
composer install adhocore/jwt

Usage 

use Ahc\Jwt\JWT;

// Instantiate with key, algo, maxAge and leeway.
$jwt = new JWT('secret', 'HS256', 3600, 10);

// Only the key is required. Defaults will be used for the rest:
// algo = HS256, maxAge = 3600, leeway = 0
$jwt = new JWT('secret');

// For RS* algo, the key should be either a resource like below:
$key = openssl_pkey_new(['digest_alg' => 'sha256', 'private_key_bits' => 1024, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
// OR, a string with full path to the RSA private key like below:
$key = '/path/to/rsa.key';
// Then, instantiate JWT with this key and RS* as algo:
$jwt = new JWT($key, 'RS384');

// Generate JWT token from payload array.
$token = $jwt->encode([
    'uid'    => 1,
    'aud'    => 'http://site.com',
    'scopes' => ['user'],
    'iss'    => 'http://api.mysite.com',
]);

// Retrieve the payload array.
$payload = $jwt->decode($token);

// Oneliner.
$token   = (new JWT('topSecret', 'HS512', 1800))->encode(['uid' => 1, 'scopes' => ['user']]));
$payload = (new JWT('topSecret', 'HS512', 1800))->decode($token);

// Can pass extra headers into encode() with second parameter.
$token = $jwt->encode($payload, ['hdr' => 'hdr_value']);

// Spoof time() for testing token expiry.
$jwt->setTestTimestamp(time() + 10000);
// Throws Exception.
$jwt->parse($token);

// Call again without parameter to stop spoofing time().
$jwt->setTestTimestamp();
Enter fullscreen mode Exit fullscreen mode

And for your peace of mind, allow me to mention that this library has been adopted for official listing.

💖 💪 🙅 🚩
adhocore
Jitendra

Posted on August 18, 2018

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Minimalist yet powerful PHP JWT library
php Minimalist yet powerful PHP JWT library

August 18, 2018