This framework needs at least:
- PHP 8.1+,
- Extensions:
  - MBString
  - JSON
Depending on the algorithms you are using, other PHP extensions may be required (e.g. OpenSSL, Sodium).
Please note that cipher operations may be really slow, especially RSA functions. It is highly recommended to enable GMP or BCMath.
JWS or JWE objects support every input that can be encoded into JSON:
- string, array, integer, float...
- Objects that implement the \JsonSerializable interface such as JWK or JWKSet
The detached payload is supported.
Compact | YES | YES
Flattened JSON | YES | YES
General JSON | YES | YES

Deflate (DEF) | YES
The library is able to support any other compression methods just by declaring new classes.
oct | YES | Symmetric keys
RSA | YES | RSA based asymmetric keys
EC | YES | Elliptic Curves based asymmetric keys
OKP | YES | Octet Key Pair based asymmetric keys
JWK objects support JSON Web Key Thumbprint (RFC 7638).
A none key type for the none algorithm. It is used to explicitly allow this unsecured algorithm.
JWKSet is fully supported.
HS256, HS384, HS512 | YES
ES256, ES384, ES512 | YES
RS256, RS384, RS512 | YES
PS256, PS384, PS512 | YES | GMP or BCMath extension is highly recommended
none | YES | Please note that this is not a secured algorithm. USE IT WITH CAUTION!
EdDSA with Ed25519 curve | YES
EdDSA with Ed448 curve | NO | No extension or built-in implementation available
Other signature algorithms like RS1, HS1 or HS256/64 are also available. These algorithms should be used for testing purposes only or for compatibility with old systems.
dir | YES
RSA1_5, RSA-OAEP, RSA-OAEP-256 | YES
ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW | YES
A128KW, A192KW, A256KW | YES
PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW | YES
A128GCMKW, A192GCMKW, A256GCMKW | YES
ECDH-ES with X25519 curve | YES
ECDH-ES with X448 curve | NO
Other encryption algorithms like RSA-OAEP-384 or ChaCha20-Poly1305 are also available. These algorithms should be used for testing purposes only or for compatibility with old systems.
For RSA-based encryption algorithms, it is highly recommended to install the GMP or BCMath extension.
The algorithms RSA1_5 and RSA-OAEP are now deprecated. Please use with caution.
A128CBC+HS256, A192CBC+HS384, A256CBC+HS512 | YES
A128GCM, A192GCM, A256GCM | YES
Other encryption algorithms like A128CTR, A192CTR and A256CTR are also available. These algorithms should be used for testing purposes only or for compatibility with old systems.
The framework has been successfully tested using PHP 8.1 with all algorithms.
Test vectors from the are fully implemented and all tests pass. Other test vector sources may be used (e.g. new algorithm specifications).
We also track bugs and code quality using PHPStan and several extensions.
Coding Standards are verified by Easy Coding Standards.
Requests for new features, bug fixes and all other ideas to make this framework useful are welcome. If you feel comfortable writing code, you could try to fix or .
Do not forget to .
If you think you have found a security issue, DO NOT open an issue. .
For each cryptographic operation, you will need at least one algorithm and one key.
The algorithm list depends on the cipher operation to be performed (signature or encryption).
These algorithms are managed by an Algorithm Manager. In the following example, we will create an algorithm manager that will handle two algorithms: PS256 and ES512.
The algorithm management is part of the web-token/jwt-core component. The signature algorithms are available in dedicated packages. See or algorithm pages for more information.
It is not possible to set the same algorithm twice in the same algorithm manager.
Your application may need several algorithm managers for several use cases. For example, your application may use JWT for:
- signed events,
- authentication tokens.
To avoid mixing algorithms in one algorithm manager or instantiating the same algorithms several times, this framework provides an Algorithm Manager Factory.
This factory will create algorithm managers on demand. It allows the same algorithm to be instantiated multiple times but with different configuration options.
Each algorithm is identified using an alias.
The first argument of the method add is the alias for the algorithm. It must be unique. In general, this alias corresponds to the algorithm name.
As you can see in the example, we added the algorithm PBES2-HS512+A256KW twice:
- with the default configuration,
- with custom arguments.
Now our algorithm manager factory is ready. We can create several algorithm managers by passing a list of aliases to the method create:
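An added example, not taken from the project's documentation, covering both the direct algorithm manager (PS256 and ES512) and the factory with aliases described above, then checking which algorithm names each per-use-case manager accepts. It assumes the framework is installed with Composer in ./vendor; the alias 'PBES2-HS512+A256KW custom', the constructor arguments 128 and 8192, and the variable names are illustrative choices.

```php
<?php
declare(strict_types=1);

// Assumption: the framework was installed with Composer into ./vendor.
require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\AlgorithmManagerFactory;
use Jose\Component\Encryption\Algorithm\KeyEncryption\PBES2HS512A256KW;
use Jose\Component\Signature\Algorithm\ES512;
use Jose\Component\Signature\Algorithm\PS256;

// Direct construction: a manager that handles exactly PS256 and ES512.
$direct = new AlgorithmManager([new PS256(), new ES512()]);

// Factory: each algorithm instance is registered once under a unique alias.
$factory = new AlgorithmManagerFactory();
$factory->add('PS256', new PS256());
$factory->add('ES512', new ES512());
$factory->add('PBES2-HS512+A256KW', new PBES2HS512A256KW());
// Same algorithm under a second (hypothetical) alias with custom arguments:
// salt size in bytes and iteration count (illustrative values).
$factory->add('PBES2-HS512+A256KW custom', new PBES2HS512A256KW(128, 8192));

// One manager per use case, so the algorithms of one are never accepted by another.
$signedEvents = $factory->create(['PS256']);
$authTokens   = $factory->create(['ES512']);
$keyWrapping  = $factory->create(['PBES2-HS512+A256KW custom']);

// list() returns the algorithm names a manager handles.
var_dump($direct->list());

// has() is the allow-list check for a token's "alg" header value.
// Is an ES512 token acceptable where only signed events (PS256) are expected?
var_dump($signedEvents->has('ES512'));
// Is the unsecured "none" algorithm acceptable for authentication tokens?
// It was never registered with the factory.
var_dump($authTokens->has('none'));
// Managers index algorithms by name, not by factory alias, so the custom
// PBES2 instance is looked up under the algorithm's own name.
var_dump($keyWrapping->has('PBES2-HS512+A256KW'));
```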