JWT can be signed or encrypted and both. A nested token is a signed token enclosed in an encrypted one. This order is very important: signed then encrypted.
The NestedTokenLoader and NestedTokenBuilder classes will help you to create nested tokens with ease. Just instal the package web-token/jwt-nested-token. It contains all the classes and dependencies will be directly managed by composer. You can install it if needed.
To instantiate the NestedTokenLoader, you need a JWSLoader and a JWELoader.
Its use is very straightforward, you just have to call the method load using the token, the encryption and signature key sets.
The last argument ($signature in the following example) will represents the signature index of the verified signature. This is only useful when multiple signature support is used.
To instantiate the NestedTokenBuilder, you will need the following components:
a JWSBuilder,
a JWEBuilder,
a JWESerializerManager,
a JWSSerializerManager
Its use is a bit more complicated than the loading as the nested token may be designed for several recipients or may have several signatures.
As a reminder, if one of the following parameter is set, the compact serialization mode cannot be used:
signature unprotected header,
JWE shared unprotected header,
recipient unprotected header,
Additional Authenticated Data.
Hereafter an example of a Symfony application configuration:
This configuration will create two public services:
jose.nested_token_loader.loader_1
jose.nested_token_builder.builder_1
These services can be called from the container (unless private) or injected in your services.
As any other services, you can create a nested token loader or builder from another bundle extension. The following bundle extension class will create the same configuration and services as above.