DEV Community

Jitendra

Minimalist yet powerful PHP JWT library

JWT is cool. Unfortunately, almost all JWT implementations are too terse, complex or bloated, and they offer plenty of public APIs, complex configuration approaches, etc., which can be intimidating and confusing for a beginner trying to integrate JWT-based auth into a PHP web application.
Here is a full-featured, slim, dependency-free, framework-agnostic library that I wrote with simplicity in mind. It has been in development for several months already.

adhocore / php-jwt

Ultra lightweight, dependency free and standalone JSON web token (JWT) library for PHP5.6 to PHP8.2. This library makes JWT a cheese. It is a minimal JWT integration for PHP.

adhocore/jwt

If you are new to JWT or want to refresh your familiarity with it, please check jwt.io

  • Lightweight JSON Web Token (JWT) library for PHP7, PHP8 and beyond.
  • Zero dependency (no vendor bloat).
  • If you still use PHP5.6, use version 0.1.2

Installation

# PHP7.x, PHP8.x
composer require adhocore/jwt

# PHP5.6 (deprecated)
composer require adhocore/jwt:0.1.2

# For PHP5.4-5.5 (deprecated), use version 0.1.2 with a polyfill for https://php.net/hash_equals

Features

  • Six algorithms supported: 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512'
  • kid support.
  • Leeway support 0-120 seconds.
  • Timestamp spoofing for tests.
  • Passphrase support for RS* algos.

Usage

use Ahc\Jwt\JWT;

// Instantiate with key, algo, maxAge and leeway.
$jwt = new JWT('secret', 'HS256', 3600, 10);

Only the key is required. Defaults will be used for the rest:

$jwt = new JWT('secret');
// algo = HS256, maxAge = 3600, leeway = 0

Installation
composer require adhocore/jwt

Usage

use Ahc\Jwt\JWT;

// Instantiate with key, algo, maxAge and leeway.
$jwt = new JWT('secret', 'HS256', 3600, 10);

// Only the key is required. Defaults will be used for the rest:
// algo = HS256, maxAge = 3600, leeway = 0
$jwt = new JWT('secret');

// For RS* algo, the key should be either a resource like below:
// Note: a 1024-bit RSA key is too weak for production; use 2048 bits or more.
$key = openssl_pkey_new(['digest_alg' => 'sha256', 'private_key_bits' => 1024, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
// OR, a string with full path to the RSA private key like below:
$key = '/path/to/rsa.key';
// Then, instantiate JWT with this key and RS* as algo:
$jwt = new JWT($key, 'RS384');

// Generate JWT token from payload array.
$token = $jwt->encode([
    'uid'    => 1,
    'aud'    => 'http://site.com',
    'scopes' => ['user'],
    'iss'    => 'http://api.mysite.com',
]);

// Retrieve the payload array.
$payload = $jwt->decode($token);

// Oneliner.
$token   = (new JWT('topSecret', 'HS512', 1800))->encode(['uid' => 1, 'scopes' => ['user']]);
$payload = (new JWT('topSecret', 'HS512', 1800))->decode($token);

// Can pass extra headers into encode() with second parameter.
$token = $jwt->encode($payload, ['hdr' => 'hdr_value']);

// Spoof time() for testing token expiry.
$jwt->setTestTimestamp(time() + 10000);
// Throws Exception.
$jwt->decode($token);

// Call again without parameter to stop spoofing time().
$jwt->setTestTimestamp();
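To show what the key, leeway and spoofed-timestamp settings above control, here is a stand-alone HS256 sign/verify sketch in plain PHP (7.1+). It is an added example, not code from adhocore/jwt; the function names, key and timestamps are constructed for illustration.

```php
<?php
// Added illustration, not adhocore/jwt's source; every function name here is hypothetical.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $txt): string {
    $bin = base64_decode(strtr($txt, '-_', '+/'), true);
    if ($bin === false) {
        throw new RuntimeException('Malformed base64url segment');
    }
    return $bin;
}
function sign_hs256(array $claims, string $key): string {
    $head = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $body = b64url_encode(json_encode($claims));
    return "$head.$body." . b64url_encode(hash_hmac('sha256', "$head.$body", $key, true));
}
function verify_hs256(string $token, string $key, int $leeway = 0, ?int $now = null): array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new RuntimeException('Token must have three segments');
    }
    [$head, $body, $sig] = $parts;
    // Pin the algorithm on the verifier side; the token's own header must not choose it.
    $header = json_decode(b64url_decode($head), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('Unexpected alg');
    }
    // Compare MACs in constant time with hash_equals().
    if (!hash_equals(hash_hmac('sha256', "$head.$body", $key, true), b64url_decode($sig))) {
        throw new RuntimeException('Bad signature');
    }
    $claims = json_decode(b64url_decode($body), true);
    $exp    = is_array($claims) ? ($claims['exp'] ?? null) : null;
    if (!is_int($exp) || ($now ?? time()) > $exp + $leeway) {
        throw new RuntimeException('Token expired or exp missing');
    }
    return $claims;
}

// Constructed sample: exp = 1700003600, 10 s leeway, verifier clock passed in explicitly.
$key   = 'constructed-demo-key';
$token = sign_hs256(['uid' => 1, 'exp' => 1700003600], $key);
var_dump(verify_hs256($token, $key, 10, 1700003605)); // 5 s past exp, inside the leeway
try {
    verify_hs256($token, $key, 10, 1700003611);       // 11 s past exp, outside the leeway
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Passing the clock as a parameter plays the same role here as setTestTimestamp() in the usage above: expiry paths can be tested without waiting for real time to pass.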

And for your peace of mind, allow me to mention that this library has been adopted for official listing.

Top comments (2)

raininja

Not sure that this implementation is any better than firebase/php-jwt. No support for EC or other algorithms ...

Jitendra

Alright, we can add that if that doesn't hurt the "lean architecture" philosophy of it.
Can you open an issue or PR?