The Symfony Bundle provides Header and Claim Checker Manager Factory services. These services are available when the web-token/jwt-checker component is installed:
You can create Header and Claim Checker Managers using the bundle configuration.
With the previous configuration, the bundle will create public Header and Claim Checker Managers named jose.header_checker.checker1 and jose.claim_checker.checker1 with selected checkers.
Some claim or header checkers are provided by this framework, but it is important to create custom checkers that fit your application requirements.
In the following example, we will assume that the class exists and implements either Jose\Component\Checker\HeaderChecker or Jose\Component\Checker\ClaimChecker.
These checkers will be loaded by the factories and you will be able to create a header or a claim checker manager using the aliases foo or bar.
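A claim checker and a header checker of the kind assumed above, as an added example that is not part of the bundle or its documentation. The namespace and class names are hypothetical, and the method signatures assume the 1.x interfaces; each class still has to be registered as a service with the bundle's checker tag and an alias before a manager can select it.

```php
<?php

namespace Acme\Checker; // hypothetical namespace and class names

use Jose\Component\Checker\ClaimChecker;
use Jose\Component\Checker\HeaderChecker;

// Claim checker: accept only issuers from an explicit allow-list.
// Assumption: 1.x interface signatures (no declared return type on check*).
final class IssuerChecker implements ClaimChecker
{
    private $issuers;

    public function __construct(array $issuers) { $this->issuers = $issuers; }

    public function checkClaim($value)
    {
        // Strict comparison: a non-string or unknown "iss" is rejected.
        if (!\is_string($value) || !\in_array($value, $this->issuers, true)) {
            throw new \InvalidArgumentException('Unexpected issuer.');
        }
    }

    public function supportedClaim(): string { return 'iss'; }
}

// Header checker: require one exact "typ" value so that a token issued
// for another purpose is not accepted in this context.
final class TokenTypeChecker implements HeaderChecker
{
    private $type;

    public function __construct(string $type) { $this->type = $type; }

    public function checkHeader($value)
    {
        if ($value !== $this->type) {
            throw new \InvalidArgumentException('Unexpected token type.');
        }
    }

    public function supportedHeader(): string { return 'typ'; }

    // Unprotected headers are not integrity-protected; require the protected one.
    public function protectedHeaderOnly(): bool { return true; }
}
```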
This feature was introduced in version 1.1.
You can add custom tags and attributes to the header and claim checker managers.
All these methods have the following common option:
is_public: set the service public or private.
The key set configuration will look as follows:
The key set will be available as a container service with the ID jose.key_set.keyset_name where keyset_name is the unique name of your key set. Each key set service will be an instance of the Jose\Component\Core\JWKSet class.
As with any other configuration value, you can use environment variables.
This method will directly get a JWKSet object.
You can load key sets shared by a distant service (e.g. Google, Microsoft, Okta...). You must install and enable the Httplug Bundle.
When done, you have to create a client and enable the JKU Factory service by indicating the request factory service to use:
Important recommendations:
It is highly recommended to use a cache plugin for your HTTP client and thus avoid unnecessary calls to the key set endpoint.
The connection must be secured and certificate verification should not be disabled.
The following example will allow you to load a key set from a distant URI. The key set must be a JWKSet object.
The following example will allow you to load a key set from a distant URI. The key set must be a list of X509 certificates.
It can be useful to share your key sets through a URL. This can easily be achieved by adding a dedicated controller. This controller is automatically created by the bundle.
You must add the following configuration to your routing file.
Then you can share your key set.
Now when you go to the URL http://128.0.0.1:8000/certs, you will get your key set.
This feature was introduced in version 1.1.
You can add custom tags and attributes to the services you create.
When the component is installed, you will be able to define your keys in your application configuration and load your keys from several sources or formats. All these methods have the following option:
is_public: set the service public or private.
The key configuration will look as follows:
The key will be available as a container service with the ID jose.key.key_name where key_name is the unique name of your key. Each key service will be an instance of the Jose\Component\Core\JWK class.
As with any other configuration value, you can use environment variables.
This feature was introduced in version 1.1.
This method will directly get a shared secret.
This method will directly load a JWK object.
This method will load an X509 Certificate file.
This method will load a key from an X509 Certificate.
This method will load a key from a PKCS#1 or PKCS#8 key file.
This method will retrieve a key from a JWKSet service.
This feature was introduced in version 1.1.
You can add custom tags and attributes to the services you create.
The JWK and JWKSet objects are provided by the web-token/jwt-core component. We recommend loading these objects through environment variables.
With Symfony 3.4 or 4.0+, an environment variables processor is provided:
With the previous configuration, the environment variables MY_PRIVATE_KEY and MY_PUBLIC_KEYSET will be processed by Symfony and the container will contain my_private_key and my_public_keyset with JWK and JWKSet objects respectively.
But it may not be sufficient for your project. You may need to load keys or key sets from other sources (e.g. key file). You may also want to use your keys as container services that you inject into other services.
This behaviour is possible by installing the web-token/jwt-key-mgmt component. To install it, just execute the following command line:
The Symfony Bundle provides an Algorithm Manager Factory service. The available algorithms depend on the components installed in your application.
This factory handles all algorithm services tagged with jose.algorithm.
Example:
Your algorithm will be available through the algorithm manager factory service and the alias FOO.
When installed, the PBES2-* algorithms are available through the algorithm manager factory. They have the default configuration i.e. salt size = 62 bits and count = 4096. If these values do not fit your needs, you can create a new algorithm service with your own values:
You can now use your custom alias:
A JWSSerializerManagerFactory is available as a service in your application container:
With this factory, you will be able to create the JWSSerializerManager you need:
You can now use the JWSSerializerManager as explained in the JWS Creation/Loading section.
Available JWS serialization modes are:
jws_compact
jws_json_general
jws_json_flattened
There is also another way to create a JWSSerializerManager object: using the bundle configuration.
With the previous configuration, the bundle will create a public JWS Serializer Manager service named jose.jws_serializer.serializer1 with selected serialization modes.
This feature was introduced in version 1.1.
You can add custom tags and attributes to the services you create.
This framework provides a Symfony bundle that will help you to use the components within your Symfony application. The bundle is available:
when you just install the bundle (composer require web-token/jwt-bundle)
when you install the whole framework (composer require web-token/jwt-framework)
If you just install the bundle on an application with Symfony Flex support, then there is nothing to do. Otherwise, you have to register the bundle:
The bundle capabilities will depend on the components installed in your application. The core component is always available.
A JWSBuilderFactory is available as a service in your application container:
With this factory, you will be able to create the JWSBuilder you need:
You can now use the JWSBuilder as explained in the JWS Creation section.
There is also another way to create a JWSBuilder object: using the bundle configuration.
With the previous configuration, the bundle will create a public JWS Builder service named jose.jws_builder.builder1 with selected signature algorithms.
This feature was introduced in version 1.1.
You can add custom tags and attributes to the services you create.
To use the signed tokens (JWS), you have to install the web-token/jwt-signature component.
When this component is installed, signature algorithms are automatically handled by the Algorithm Manager Factory.
A JWSVerifierFactory is available as a service in your application container:
With this factory, you will be able to create the JWSVerifier you need:
You can now use the JWSVerifier as explained in the JWS Creation section.
Reminder: it is important to check the token headers. See the checker section of this documentation.
There is also another way to create a JWSVerifier object: using the bundle configuration.
With the previous configuration, the bundle will create a public JWS Verifier service named jose.jws_verifier.verifier1 with selected signature algorithms.
This feature was introduced in version 1.1.
You can add custom tags and attributes to the services you create.
This feature was introduced in version 1.1.
You can also create JWSLoader objects as services using the configuration of the bundle.
To use the encrypted tokens (JWE), you have to install the .
When this component is installed, encryption algorithms are automatically handled by the Algorithm Manager Factory.
A JWEDecrypterFactory is available as a service in your application container:
With this factory, you will be able to create the JWEDecrypter you need:
You can now use the JWEDecrypter as explained in the JWE Creation section.
Reminder: it is important to check the token headers. See the checker section of this documentation.
There is also another way to create a JWEDecrypter object: using the bundle configuration.
With the previous configuration, the bundle will create a public JWE Decrypter service named jose.jwe_decrypter.decrypter1 with selected encryption algorithms.
This feature was introduced in version 1.1.
You can add custom tags and attributes to the services you create.
This feature was introduced in version 1.1.
You can also create JWELoader objects as services using the configuration of the bundle.
A JWESerializerManagerFactory is available as a service in your application container:
With this factory, you will be able to create the JWESerializerManager you need:
You can now use the JWESerializerManager as explained in the JWE Creation/Loading section.
Available JWE serialization modes are:
jwe_compact
jwe_json_general
jwe_json_flattened
There is also another way to create a JWESerializerManager object: using the bundle configuration.
With the previous configuration, the bundle will create a public JWE Serializer Manager service named jose.jwe_serializer.serializer1 with selected serialization modes.
This feature was introduced in version 1.1.
You can add custom tags and attributes to the services you create.
A JWEBuilderFactory is available as a service in your application container:
With this factory, you will be able to create the JWEBuilder you need:
Available compression methods are:
DEF: deflate (recommended)
GZ: gzip
ZLIB: zlib
You can now use the JWEBuilder as explained in the JWE Creation section.
There is also another way to create a JWEBuilder object: using the bundle configuration.
With the previous configuration, the bundle will create a public JWE Builder service named jose.jwe_builder.builder1 with selected encryption algorithms.
This feature was introduced in version 1.1.
You can add custom tags and attributes to the services you create.
When you want to create keys/key sets, JWS loader/verifier... services, you have to create a dedicated jose section in your configuration. It may confuse your users to configure your bundle and the Jose Framework bundle. Sometimes, you may also want to be sure that the configuration is correctly defined. Lastly, the configuration size increases with numerous details, options or service IDs and it becomes difficult to read or modify.
Fortunately, the Symfony bundle provides a configuration helper: Jose\Bundle\JoseFramework\Helper\ConfigurationHelper. This helper will configure the jose section for you. This helper has to be called in your bundle extension during the prepend step (your extension has to implement Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface).
Let's say you want to create a JWK as a service:
For the key configuration, the arguments are:
The container
The name of the service (acme_my_key)
The key type (jwk)
An array with the expected values
An array with the custom tags (optional)
Now a key service named jose.key.acme_my_key will be created. This service is public so you will be able to get it from your container or inject it into your services.
This is exactly the same configuration as the following one:
Please note that the tags have been introduced in version 1.1.
Other methods are:
For the jws section:
public static function addJWSBuilder(ContainerBuilder $container, string $name, array $signatureAlgorithms, bool $is_public = true, array $tags = [])
public static function addJWSVerifier(ContainerBuilder $container, string $name, array $signatureAlgorithms, bool $is_public = true, array $tags = [])
public static function addJWSSerializer(ContainerBuilder $container, string $name, array $serializers, bool $is_public = true, array $tags = [])
For the jwe section:
public static function addJWEBuilder(ContainerBuilder $container, string $name, array $keyEncryptionAlgorithm, array $contentEncryptionAlgorithms, array $compressionMethods = ['DEF'], bool $is_public = true, array $tags = [])
public static function addJWEDecrypter(ContainerBuilder $container, string $name, array $keyEncryptionAlgorithm, array $contentEncryptionAlgorithms, array $compressionMethods = ['DEF'], bool $is_public = true, array $tags = [])
public static function addJWESerializer(ContainerBuilder $container, string $name, array $serializers, bool $is_public = true, array $tags = [])
For the checker section:
public static function addClaimChecker(ContainerBuilder $container, string $name, array $claimCheckers, bool $is_public = true, array $tags = [])
public static function addHeaderChecker(ContainerBuilder $container, string $name, array $headerCheckers, bool $is_public = true, array $tags = [])
For the keys section:
public static function addKey(ContainerBuilder $container, string $name, string $type, array $parameters, array $tags = [])
For the key_sets section:
public static function addKeyset(ContainerBuilder $container, string $name, string $type, array $parameters, array $tags = [])
For the jwk_uris section:
public static function addKeyUri(ContainerBuilder $container, string $name, array $parameters, array $tags = [])
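The prepend step described above, as an added example (not the bundle's own code) that also uses the helper methods listed here to register a verifier, a serializer and both checker managers. The bundle name, the ACME_JWK variable, the acme service names and the acme_typ checker alias are hypothetical; the value and is_public parameter keys and the exp, iat and nbf aliases are assumed.

```php
<?php

namespace Acme\TokenBundle\DependencyInjection; // hypothetical bundle

use Jose\Bundle\JoseFramework\Helper\ConfigurationHelper;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Extension\Extension;
use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;

final class AcmeTokenExtension extends Extension implements PrependExtensionInterface
{
    public function load(array $configs, ContainerBuilder $container): void
    {
        // The bundle's own services would be loaded here.
    }

    public function prepend(ContainerBuilder $container): void
    {
        // jose.key.acme_my_key: the JWK comes from an environment variable
        // (assumed parameter keys: value, is_public) and stays private so it
        // can only be injected, not fetched from the container.
        ConfigurationHelper::addKey($container, 'acme_my_key', 'jwk', [
            'value' => '%env(ACME_JWK)%',
            'is_public' => false,
        ]);

        // jose.jws_verifier.acme: only the one algorithm the application expects.
        ConfigurationHelper::addJWSVerifier($container, 'acme', ['RS256'], false);

        // jose.jws_serializer.acme: compact serialization only.
        ConfigurationHelper::addJWSSerializer($container, 'acme', ['jws_compact'], false);

        // jose.header_checker.acme: acme_typ is the alias of a custom header
        // checker service (hypothetical).
        ConfigurationHelper::addHeaderChecker($container, 'acme', ['acme_typ'], false);

        // jose.claim_checker.acme: time-based claim checkers (assumed aliases).
        ConfigurationHelper::addClaimChecker($container, 'acme', ['exp', 'iat', 'nbf'], false);
    }
}
```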
The is available as a public service. You can retrieve it using the container or inject it into your services. It will help you to create JWSLoader objects on demand.
Or using the .
The is available as a public service. You can retrieve it using the container or inject it into your services. It will help you to create JWELoader objects on demand.
Or using the .
Have a look at to see how we configure the Jose Bundle without dedicated configuration