From v3.x to v4.0
Contrary to upgrading a minor version (where the middle number changes) where no difficulty should be encountered, upgrading a major version (where the first number changes) is subject to significant modifications.
Update the libraries
First of all, you have to make sure you are using the last v3.x release.
Spot deprecations
Next, you have to verify you don’t use any deprecated class, interface, method or property. If you have PHPUnit tests, you can easily get the list of deprecation used in your application.
Breaking Changes
PSR-20 Clock — Constructor Signature Changed
The time-based checkers now require a Psr\Clock\ClockInterface as the first constructor argument. In v3.x, the clock was optional and passed as the last parameter. The argument order has been changed.
This is a breaking change. You must update every instantiation of these classes.
The affected classes are:
Jose\Component\Checker\ExpirationTimeCheckerJose\Component\Checker\IssuedAtCheckerJose\Component\Checker\NotBeforeChecker
Before (v3.x):
After (v4.0):
The internal InternalClock class and the Symfony Bundle service jose.internal_clock have been removed. You must provide your own ClockInterface implementation (e.g. Symfony\Component\Clock\NativeClock).
JWEBuilder and JWEDecrypter — Simplified Constructor
JWEBuilder and JWEDecrypter no longer accept separate Key Encryption and Content Encryption Algorithm Managers, nor a Compression Method Manager. You must now pass a single AlgorithmManager containing all required algorithms.
Before (v3.x):
After (v4.0):
JWEBuilderFactory and JWEDecrypterFactory — Simplified Signatures
The factory classes have also been simplified accordingly.
Before (v3.x):
After (v4.0):
The same applies to JWEDecrypterFactory.
Compression Support Removed
Compression methods (DEF / Deflate) that were deprecated in v3.3 have been fully removed. This follows the security recommendation from RFC 8725 Section 3.6. If your application uses JWE compression, you must remove it before upgrading.
The following classes have been removed:
Jose\Component\Encryption\Compression\CompressionMethodManagerJose\Component\Encryption\Compression\DeflateAll compression-related interfaces and classes
Removed Dependencies
The following dependencies have been removed. If you relied on them directly, you may need to adjust your code:
fgrosse/phpasn1— replaced byspomky-labs/pki-frameworkparagonie/constant_time_encoding— replaced by an internalBase64UrlSafeutilitypsr/http-clientandpsr/http-factory— replaced bysymfony/http-client-contracts
Version Bumped
All previous major releases of the following packages are not supported anymore. Please make sure your platform can use them.
PHP: 8.2+brick/math: 0.12+symfony/*: 7.0+spomky-labs/pki-framework: 1.2.1+ (new dependency, replacesfgrosse/phpasn1)psr/clock: 1.0+ (new dependency for PSR-20 Clock)
Deprecated Packages
The following packages are deprecated. Please install web-token/jwt-library or web-token/jwt-experimental instead.
In addition to the new library or experimental packages, you may need to require third party dependencies such as ext-sodium, ext-openssl or similar extensions.
web-token/jwt-util-eccweb-token/jwt-key-mgmtweb-token/jwt-coreweb-token/jwt-checkerweb-token/jwt-consoleweb-token/jwt-signatureweb-token/signature-packweb-token/jwt-signature-algorithm-*web-token/jwt-encryptionweb-token/encryption-packweb-token/jwt-encryption-algorithm-*web-token/jwt-nested-token
New Features
New Checkers
Two new generic checker classes have been added:
Jose\Component\Checker\CallableChecker— allows custom validation logic via a callable. Implements bothClaimCheckerandHeaderChecker.Jose\Component\Checker\IsEqualChecker— simple equality validation for claims and headers. Implements bothClaimCheckerandHeaderChecker.
ECDH-SS (Static-Static) Key Agreement
New key encryption algorithms have been added for ECDH Static-Static key agreement:
ECDH-SSECDH-SS+A128KWECDH-SS+A192KWECDH-SS+A256KW
Code Modernization
Classes throughout the framework now use modern PHP 8.2+ features:
readonlyclass declarationsConstructor property promotion
#[Override]attribute on overridden methods (PHP 8.3 compatibility)Stricter type declarations
Package Structure Reorganization
The internal file structure has been reorganized:
All core component classes are now in
src/Library/(namespaceJose\Component\is unchanged)The Symfony Bundle is now in
src/Bundle/(namespaceJose\Bundle\JoseFramework\is unchanged)Experimental features are in
src/Experimental/(namespaceJose\Experimental\)A
src/Deprecated/folder provides backward compatibility with old package references
The PHP namespaces have not changed. If you use the public API, your code should continue to work without modification.
Upgrade the dependencies and the libraries
Please install PHP 8.2 or a newer version on your platform. Make sure the OpenSSL extension is installed (required). You may also need Sodium depending on the algorithms you want to use (EdDSA, ECDH-ES with X25519).
The json and mbstring extensions are built-in with PHP 8.2+ and no longer need to be installed separately.
It is now time to upgrade the libraries. In your composer.json, change all web-token/* dependencies from v3.x to v4.0. When done, execute composer update.
You can also update all other dependencies if needed. You can list upgradable libraries by calling composer outdated. This step is not mandatory, but highly recommended.
Rector is a very nice tool for code upgrade. We highly recommend it.
Last updated
Was this helpful?