Validating tokens

Note

The examples here fetch the configuration object from a hypothetical dependency injection container. You can create it in the same script or require it from a different file. It basically depends on how your system is bootstrapped.

To validate a token you must create a new validator (easier when using the configuration object) and assert or validate a token.

Using Lcobucci\JWT\Validator#assert()

Warning

You MUST provide at least one constraint, otherwise \Lcobucci\JWT\Validation\NoConstraintsGiven exception will be thrown.

This method goes through every single constraint in the set, groups all the violations, and throws an exception with the grouped violations:

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;
use Lcobucci\JWT\Validation\InvalidToken;

$token = $container->get(Configuration::class);
assert($config instanceof Configuration);

$token = $config->getParser()->parse('...');
assert($token instanceof Plain);

$constraints = $config->getValidationConstraints();

try {
    $config->getValidator()->assert($token, ...$constraints);
} catch (InvalidToken $e) {
    // list of constraints violation exceptions:
    var_dump($e->violations());
}

Using Lcobucci\JWT\Validator#validate()

Warning

You MUST provide at least one constraint, otherwise \Lcobucci\JWT\Validation\NoConstraintsGiven exception will be thrown.

The difference here is that we'll always a get a boolean result and stop in the very first violation:

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token\Plain;

$token = $container->get(Configuration::class);
assert($config instanceof Configuration);

$token = $config->getParser()->parse('...');
assert($token instanceof Plain);

$constraints = $config->getValidationConstraints();

if (! $config->getValidator()->validate($token, ...$constraints)) {
   throw new RuntimeException('No way!');
}

Available constraints

This library provides the following constraints:

  • Lcobucci\JWT\Validation\Constraint\IdentifiedBy: verifies if the claim jti matches the expected value
  • Lcobucci\JWT\Validation\Constraint\IssuedBy: verifies if the claim iss is listed as expected values
  • Lcobucci\JWT\Validation\Constraint\PermittedFor: verifies if the claim aud contains the expected value
  • Lcobucci\JWT\Validation\Constraint\RelatedTo: verifies if the claim sub matches the expected value
  • Lcobucci\JWT\Validation\Constraint\SignedWith: verifies if the token was signed with the expected signer and key
  • Lcobucci\JWT\Validation\Constraint\ValidAt: verifies the claims iat, nbf, and exp (supports leeway configuration)

You may also create your own validation constraints.