Validating tokens
Note
The examples here fetch the configuration object from a hypothetical dependency injection container. You can create it in the same script or require it from a different file. It basically depends on how your system is bootstrapped.
To validate a token you must create a new validator (easier when using the configuration object) and assert or validate a token.
Using Lcobucci\JWT\Validator#assert()
Warning
You MUST provide at least one constraint, otherwise \Lcobucci\JWT\Validation\NoConstraintsGiven
exception will be thrown.
This method goes through every single constraint in the set, groups all the violations, and throws an exception with the grouped violations:
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
$token = $container->get(Configuration::class);
assert($config instanceof Configuration);
$token = $config->parser()->parse('...');
assert($token instanceof Plain);
$constraints = $config->validationConstraints();
try {
$config->validator()->assert($token, ...$constraints);
} catch (RequiredConstraintsViolated $e) {
// list of constraints violation exceptions:
var_dump($e->violations());
}
Using Lcobucci\JWT\Validator#validate()
Warning
You MUST provide at least one constraint, otherwise \Lcobucci\JWT\Validation\NoConstraintsGiven
exception will be thrown.
The difference here is that we'll always a get a boolean
result and stop in the very first violation:
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;
$token = $container->get(Configuration::class);
assert($config instanceof Configuration);
$token = $config->parser()->parse('...');
assert($token instanceof Plain);
$constraints = $config->validationConstraints();
if (! $config->validator()->validate($token, ...$constraints)) {
throw new RuntimeException('No way!');
}
Available constraints
This library provides the following constraints:
Lcobucci\JWT\Validation\Constraint\IdentifiedBy
: verifies if the claimjti
matches the expected valueLcobucci\JWT\Validation\Constraint\IssuedBy
: verifies if the claimiss
is listed as expected valuesLcobucci\JWT\Validation\Constraint\PermittedFor
: verifies if the claimaud
contains the expected valueLcobucci\JWT\Validation\Constraint\RelatedTo
: verifies if the claimsub
matches the expected valueLcobucci\JWT\Validation\Constraint\SignedWith
: verifies if the token was signed with the expected signer and keyLcobucci\JWT\Validation\Constraint\ValidAt
: verifies the claimsiat
,nbf
, andexp
(supports leeway configuration)
You may also create your own validation constraints.