Validating tokens

Note

The examples here fetch the configuration object from a hypothetical dependency injection container. You can create it in the same script or require it from a different file. It basically depends on how your system is bootstrapped.

To validate a token you must create a new validator (easier when using the configuration object) and assert or validate a token.

Using Lcobucci\JWT\Validator#assert()

This method goes through every single constraint in the set, groups all the violations, and throws an exception with the grouped violations:

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\Validation\InvalidToken;

$token = $container->get(Configuration::class);
assert($config instanceof Configuration);

$token = $config->getParser()->parse('...');
assert($token instanceof Plain);

$constraints = $config->getValidationConstraints();

try {
    $config->getValidator()->assert($token, ...$constraints);
} catch (InvalidToken $e) {
    // list of constraints violation exceptions:
    var_dump($e->violations());
}

Using Lcobucci\JWT\Validator#validate()

The difference here is that we'll always a get a boolean result and stop in the very first violation:

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;

$token = $container->get(Configuration::class);
assert($config instanceof Configuration);

$token = $config->getParser()->parse('...');
assert($token instanceof Plain);

$constraints = $config->getValidationConstraints();

if (! $config->getValidator()->validate($token, ...$constraints)) {
   throw new RuntimeException('No way!');
}

Available constraints

This library provides the following constraints:

  • Lcobucci\JWT\Validation\Constraint\IdentifiedBy: verifies if the claim jti matches the expected value
  • Lcobucci\JWT\Validation\Constraint\IssuedBy: verifies if the claim iss is listed as expected values
  • Lcobucci\JWT\Validation\Constraint\PermittedFor: verifies if the claim aud contains the expected value
  • Lcobucci\JWT\Validation\Constraint\RelatedTo: verifies if the claim sub matches the expected value
  • Lcobucci\JWT\Validation\Constraint\SignedWith: verifies if the token was signed with the expected signer and key
  • Lcobucci\JWT\Validation\Constraint\ValidAt: verifies the claims iat, nbf, and exp (supports leeway configuration)

You may also create your own validation constraints.