Signed tokens are loaded by a serializer or the serializer manager and verified by the JWSVerifier
object. This JWSVerifier object just requires an algorithm manager.
In the following example, we will try to load a signed token. We will only use the HS256
algorithm.
Now we can deserialize the input we receive and check the signature using our key. We will continue with the data we got in the JWS creation section.
We do not check header parameters here, but it is very important to do it. This step is described in the Header Checker section.
The method verifyWithKey
returns a boolean. If true, then your token signature is valid. You can then check the claims (if any) using the claim checker manager.
To avoid duplication of code lines, you can create a JWSLoader
object. This object contains a serializer, a verifier and an optional header checker (highly recommended).
In the following example, the JWSLoader
object will try to unserialize the token $token
, check the header parameters and verify the signature with the key $jwk
. The variable $payload
corresponds to the detached payload (null
by default).
If the verification succeeded, the variable $signature
will be set with the signature index and should be in case of multiple signatures. The method returns the JWS object.
In case you use a key set, you can use the method loadAndVerifyWithKeySet
.
This feature was introduced in version 1.1.
The JWSLoaderFactory
object is able to create JWSLoader
objects on demand. It requires the following factories:
JWSSerializerManagerFactory
JWSVerifierFactory
HeaderCheckerManagerFactory
(optional)
This framework comes with several signature algorithms. These algorithms are in the following namespace: Jose\Component\Signature\Algorithm
.
Algorithm | Description |
---|---|
The following signature algorithms are experimental and must not be used in production unless you know what you are doing. They are proposed for testing purpose only.
They are provided throught the package web-token/jwt-experimental
.
Algorithm | Description |
---|---|
These algorithms have to be used with the Algorithm Manager. They do not need any arguments.
Example:
Now that you have an algorithm manager and a key, it is time to create your first signed token.
The computation is done by the JWSBuilder
object. This object only requires the algorithm manager.
Now let's create our first JWS object.
Great! If everything is fine you will get a JWS object with one signature. We want to send it to the audience. Before that, it must be serialized.
We will use the compact serialization mode. This is the most common mode as it is URL safe and very compact. Perfect for a use in a web context!
All good! The variable $token
now contains a string that should be something like this:
Other serialization modes exist. We will see them in the Advanced Topics section.
A very large number of signature algorithms is provided by the library. Please refer to to know what algorithms are available.
Then, you will find an and another incoming tokens.
HS256
HS384
HS512
HMAC with SHA-2 Functions
ES256
ES384
ES512
Elliptic Curve Digital Signature Algorithm (ECDSA)
RS256
RS384
RS512
RSASSA-PKCS1 v1_5
PS256
PS384
PS512
RSASSA-PSS
EdDSA (only with the Ed25519 curve)
Edwards-curve Digital Signature Algorithm (EdDSA)
none
Not a secure algorithm. Please use with caution
RS1
RSASSA-PKCS1 v1_5 with SHA-1 hashing function
HS1
HMAC with SHA-1 hashing function
ES256K
Elliptic curve secp256k1 support