The JWK and JWKSet objects are provided by the web-token/jwt-core
component. We recommend you to load these objects through environment variables.
With Symfony, an environment variables processor is provided:
With the previous configuration, the environment variables MY_PRIVATE_KEY
and MY_PUBLIC_KEYSET
will be processed by Symfony and the container will contain the my_private_key
and my_public_keyset
with JWK and JWKSet objects respectively.
But it may not be sufficient for your project. You may need to load keys or key sets from other sources (e.g. key file) You may also want to use your keys as a container services you inject to other services.
This behaviour is possible by installing the web-token/jwt-key-mgmt
component. To install it, just execute the following command line:
When the component is installed, you will be able to define your keys in your application configuration and load your keys from several sources or formats. All these methods have the following option:
is_public
: set the service public or private.
The key configuration will look like as follow:
The key will be available as a container service with the ID jose.key.key_name
where key_name
is the unique name of your key. Each key service will be an instance of the Jose\Component\Core\JWK
class.
As any other configuration values, you can use environment variables.
This method will directly get a shared secret.
This method will directly load a JWK object.
This method will load a X509 Certificate file.
This method will load a key from a X509 Certificate.
This method will load a key from a PKCS#1 or PKCS#8 key file.
This method will retrieve a key from a JWKSet service.
You can add custom tags and attributes to the services you create.
All these methods have the following common option:
is_public
: set the service public or private.
The key set configuration will look like as follow:
The key set will be available as a container service with the ID jose.key_set.keyset_name
where keyset_name
is the unique name of your key set. Each key set service will be an instance of the Jose\Component\Core\JWKSet
class.
As any other configuration values, you can use environment variables.
This method will directly get a JWKSet object.
You can load key sets shared by a distant service (e.g. Google, Microsoft, Okta...). You must install and enable the Httplug Bundle.
When done, you have to create a client and enable the JKU Factory service by indicating the request factory service to use:
Important recommendations:
It is highly recommended to use a cache plugin for your HTTP client and thus avoid unnecessary calls to the key set endpoint.
The connection must be secured and certificate verification should not be disabled.
The following example will allow you tu load a key set from a distant URI. The key set must be a JWKSet object.
The following example will allow you tu load a key set from a distant URI. The key set must be a list of X509 certificates.
It can be interesting to share your key sets through an Url. This can easily achieved by adding a dedicated controller. This controller is automatically created by the bundle.
You can enable these routes by adding the following configuration to your routing file.
Then you can share your key set.
Now when you go to the URL http://128.0.0.1:8000/certs
, you will get your key set.
You can add custom tags and attributes to the services you create.