Validating tokens¶
To validate a token you must create a new validator and assert or validate a token.
Using Lcobucci\JWT\Validator#assert()
¶
This method goes through every single constraint in the set, groups all the violations, and throws an exception with the grouped violations:
<?php
declare(strict_types=1);
use Lcobucci\JWT\Encoding\JoseEncoder;
use Lcobucci\JWT\Token\Parser;
use Lcobucci\JWT\Validation\Constraint\RelatedTo;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
use Lcobucci\JWT\Validation\Validator;
require 'vendor/autoload.php';
$parser = new Parser(new JoseEncoder());
$token = $parser->parse(
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
. 'eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
. '2gSBz9EOsQRN9I-3iSxJoFt7NtgV6Rm0IL6a8CAwl3Q'
);
$validator = new Validator();
try {
$validator->assert($token, new RelatedTo('1234567891')); // doesn't throw an exception
$validator->assert($token, new RelatedTo('1234567890'));
} catch (RequiredConstraintsViolated $e) {
// list of constraints violation exceptions:
var_dump($e->violations());
}
Using Lcobucci\JWT\Validator#validate()
¶
The difference here is that we'll always get a boolean
result and stop in the very first violation:
<?php
declare(strict_types=1);
use Lcobucci\JWT\Encoding\JoseEncoder;
use Lcobucci\JWT\Token\Parser;
use Lcobucci\JWT\Validation\Constraint\RelatedTo;
use Lcobucci\JWT\Validation\Validator;
require 'vendor/autoload.php';
$parser = new Parser(new JoseEncoder());
$token = $parser->parse(
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
. 'eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
. '2gSBz9EOsQRN9I-3iSxJoFt7NtgV6Rm0IL6a8CAwl3Q'
);
$validator = new Validator();
if (! $validator->validate($token, new RelatedTo('1234567891'))) {
echo 'Invalid token (1)!', PHP_EOL; // will print this
}
if (! $validator->validate($token, new RelatedTo('1234567890'))) {
echo 'Invalid token (2)!', PHP_EOL; // will not print this
}
Note
Some systems make use of components to handle dependency injection. If your application follows that practice, using a configuration object might simplify the wiring of this library.
Available constraints¶
This library provides the following constraints:
Lcobucci\JWT\Validation\Constraint\IdentifiedBy
: verifies if the claimjti
matches the expected valueLcobucci\JWT\Validation\Constraint\IssuedBy
: verifies if the claimiss
is listed as expected valuesLcobucci\JWT\Validation\Constraint\PermittedFor
: verifies if the claimaud
contains the expected valueLcobucci\JWT\Validation\Constraint\RelatedTo
: verifies if the claimsub
matches the expected valueLcobucci\JWT\Validation\Constraint\SignedWith
: verifies if the token was signed with the expected signer and keyLcobucci\JWT\Validation\Constraint\SignedWithOneInSet
: verifies the token signature against multipleSignedWithUntilDate
constraintsLcobucci\JWT\Validation\Constraint\SignedWithUntilDate
: verifies if the token was signed with the expected signer and key (until a certain date)Lcobucci\JWT\Validation\Constraint\StrictValidAt
: verifies presence and validity of the claimsiat
,nbf
, andexp
(supports leeway configuration)Lcobucci\JWT\Validation\Constraint\LooseValidAt
: verifies the claimsiat
,nbf
, andexp
, when present (supports leeway configuration)Lcobucci\JWT\Validation\Constraint\HasClaimWithValue
: verifies that a custom claim has the expected value (not recommended when comparing cryptographic hashes)Lcobucci\JWT\Validation\Constraint\HasClaim
: verifies that a custom claim is present
You may also create your own validation constraints.