Header Checker
When you receive a JWT (JWS or JWE), it is important to check ALL headers parameters BEFORE any other action. In case something went wrong, the token should be rejected.
This is a strong recommendation are there are known vulnerabilities on tokens that are processed without header verification.
Please note that some algorithms may use additional header parameters. Please read carefully the details on the signature or encryption algorithms page.
The header parameters are checked by a Header Checker Manager. This manager can contain several header checkers.
The header parameter crit
(critical) is always checked.
Even if the cypher process will check the alg
/enc
header parameters, it is interesting to check them before to reject tokens earlier.
Header Checker Manager
To create a header checker manager, you will need to add header checkers and at least one token type.
In the following example, we want to check the alg
header parameter for the signed tokens (JWS) received by our application.
You can then call the check
method.
The first parameter is the JWT to check,
The second one is the index of the signature/recipient. It could be ignored if you are not using the Flattened or General JSON Serialization Modes.
In some cases, it could be interesting to reject tokens that do not contain some mandatory header parameters. A list of mandatory parameters can be set as third argument. If one of those parameters is missing an exception is thrown, even if that header parameter have not been checked.
In the following example, an exception will be thrown if the alg
, enc
or crit
parameters is missing.
Provided Header Checker Objects
The library provides several header checker classes you can instantiate and use at will. They are all located in the namespace Jose\Component\Checker
.
Class | Header | Time-based |
---|---|---|
AlgorithmChecker |
| No |
AudienceChecker |
| No |
ExpirationTimeChecker |
| Yes |
IssuedAtChecker |
| Yes |
IssuerChecker |
| No |
NotBeforeChecker |
| Yes |
UnencodedPayloadChecker |
| No |
CallableChecker | Generic object that can execute a callable for checking a particular parameter | No |
IsEqualChecker | Generic object that can compare a particular parameter to a predefined value | No |
For time-based parameter checker classes, a PSR-20 clock object can be used and will be mandatory for 4.0+. This service is required for obtaining the current time or manipulating it in test environments.
Header Checker Manager Factory
The Header Checker Manager Factory will help you to create as many Header Checker Manager as you want to fit on your application requirements.
Custom Header Checker
With the previous examples, we will only check the alg
(algorithm) header parameter. But your application may use other header parameters e.g. cty
, typ
...
The following header checkers are provided:
AlgorithmChecker
: checks thealg
header parameter.AudienceChecker
: checks theaud
header parameter. This is a replicated claim as per the RFC7516 section 5.3UnencodedPayloadChecker
: checks theb64
header parameter. See unencoded payload for more information.
If you need, you can create you own header checker. It must implement the interface Jose\Component\Checker\HeaderChecker
. In the following example, we will check that the protected header parameter custom
is an array with value foo
or bar
.
Last updated