This project is forked from fkooman/php-jwt.
Then I changed the algorithm of `EdDSA` to `Ed25519` in the `src\EdDSA.php` file.
That's all.

The following is the original readme.
This is a small JSON Web Token implementation. It only supports signatures with the following signature algorithms:

- `HS256` (`HMAC` using `SHA-256`)
- `RS256` (`RSASSA-PKCS1-v1_5` using `SHA-256`)
- `EdDSA` (`Ed25519`, RFC 8037)

The first two seem to be the most widely deployed JWT signature algorithms. The library does NOT support encryption/decryption due to the can of worms that would open. It MAY support encryption/decryption in the future, but definitely not with RSA.
If you are both the signer and the verifier of the JWT, use `HS256`. If you issue JWTs that have to be verified by third parties (as well), use `EdDSA`. Do NOT use `RS256` if you can help it.
Quite a number of JWT implementations exist for PHP, varying in quality. However, JWT can be insecure, so it is very important to get things right and as simple as possible from a security perspective. This means implementing the absolute minimum to support JWT, in a secure way. Simplicity and security are more important than fully supporting every nook and cranny of the specification.

- Only supports `RS256`, `HS256` and `EdDSA` through separate classes, the header is NOT used to determine the algorithm when verifying signatures;
- All keys are validated before use and wrapped in "Key" objects to make sure they are of the correct format. Helper methods are provided to load / save / generate keys;
- Does NOT support the `crit` header key. If a token is presented with the `crit` header key it will be rejected;
- Verifies the `exp` and `nbf` payload fields, if present, to make sure the token is already and still valid.

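An added example, not code from fkooman/php-jwt or this fork: a stand-alone HS256 verifier built only on PHP built-ins that applies the rules listed above (algorithm fixed by the verifier, `crit` rejected, `exp`/`nbf` checked). The function names `b64u_dec` and `verify_hs256`, the key and the demo tokens are constructed for illustration.

```php
<?php
// Added example, not fkooman/php-jwt code. Function names and the demo key are hypothetical.
function b64u_dec(string $s): string
{
    // Restore stripped padding and decode strictly; bad input becomes '' and fails the checks below.
    $s = strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4);
    return (string) base64_decode($s, true);
}

function verify_hs256(string $jwt, string $key, int $now): array
{
    [$h, $p, $sig] = array_pad(explode('.', $jwt, 3), 3, '');
    // HS256 is fixed by this verifier; the header's "alg" never selects the algorithm.
    if (!hash_equals(hash_hmac('sha256', "$h.$p", $key, true), b64u_dec($sig))) {
        throw new RuntimeException('invalid signature');
    }
    $header = json_decode(b64u_dec($h), true);
    $claims = json_decode(b64u_dec($p), true);
    if (!is_array($header) || !is_array($claims) || ($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('bad header or payload');
    }
    if (array_key_exists('crit', $header)) {
        throw new RuntimeException('"crit" header is not supported');
    }
    [$exp, $nbf] = [$claims['exp'] ?? PHP_INT_MAX, $claims['nbf'] ?? 0];
    if (!is_int($exp) || !is_int($nbf) || $now >= $exp || $now < $nbf) {
        throw new RuntimeException('expired or not yet valid');
    }
    return $claims;
}

// Constructed demo: three HS256-signed tokens plus an unsigned "alg":"none" forgery.
$enc = function (string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); };
[$key, $now] = ['constructed-demo-key', 1700000000];
$cases = [
    'valid' => [['alg' => 'HS256'], ['sub' => 'a', 'exp' => $now + 60]],
    'crit' => [['alg' => 'HS256', 'crit' => ['x']], ['sub' => 'a']],
    'expired' => [['alg' => 'HS256'], ['sub' => 'a', 'exp' => $now - 1]],
    'none' => [['alg' => 'none'], ['sub' => 'a']],
];
foreach ($cases as $name => [$hdr, $claims]) {
    $in = $enc(json_encode($hdr)) . '.' . $enc(json_encode($claims));
    $jwt = $in . '.' . ($hdr['alg'] === 'none' ? '' : $enc(hash_hmac('sha256', $in, $key, true)));
    try {
        echo "$name: accepted for " . verify_hs256($jwt, $key, $now)['sub'] . "\n";
    } catch (RuntimeException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```

Only the `valid` case is accepted; the signature is checked before any header or payload JSON is parsed, so the unsigned `none` token never reaches the claim checks.
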
Version | PHP | OS |
---|---|---|
1.x | >= 5.4 | CentOS >= 7 (+EPEL), Debian >= 9 |
2.x | >= 7.2 | CentOS >= 8 (+EPEL), Debian >= 10 |

- PHP >= 7.2
- `php-hash` (for `HS256`)
- `php-openssl` (for `RS256`)
- `php-sodium` (for `EdDSA`)

Only `paragonie/constant_time_encoding` is a dependency.
Currently php-jwt is not hosted on Packagist. It may be added in the future. In your `composer.json`:

```json
"repositories": [
    {
        "type": "vcs",
        "url": "https://git.tuxed.net/fkooman/php-jwt"
    },
    ...
],
"require": {
    "fkooman/jwt": "^2",
    ...
},
```

You can also download the signed source code archive here.
See the `example/` directory for working examples on how to generate keys, set the Key ID and create and validate JWT tokens.
You can run the included test suite after cloning the repository:

```
$ /path/to/composer install
$ vendor/bin/phpunit
```

You can use PHPBench to run some benchmarks comparing the various signature algorithms.

```
$ /path/to/phpbench run
```