1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
# Validating tokens
To validate a token you must create a new validator and assert or validate a token.
## Using `Lcobucci\JWT\Validator#assert()`
This method goes through every single constraint in the set, groups all the violations, and throws an exception with the grouped violations:
```php
<?php
declare(strict_types=1);
use Lcobucci\JWT\Encoding\JoseEncoder;
use Lcobucci\JWT\Token\Parser;
use Lcobucci\JWT\Validation\Constraint\RelatedTo;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
use Lcobucci\JWT\Validation\Validator;
require 'vendor/autoload.php';
$parser = new Parser(new JoseEncoder());
$token = $parser->parse(
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
. 'eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
. '2gSBz9EOsQRN9I-3iSxJoFt7NtgV6Rm0IL6a8CAwl3Q'
);
$validator = new Validator();
try {
$validator->assert($token, new RelatedTo('1234567891')); // doesn't throw an exception
$validator->assert($token, new RelatedTo('1234567890'));
} catch (RequiredConstraintsViolated $e) {
// list of constraints violation exceptions:
var_dump($e->violations());
}
```
## Using `Lcobucci\JWT\Validator#validate()`
The difference here is that we'll always get a `boolean` result and stop in the very first violation:
```php
<?php
declare(strict_types=1);
use Lcobucci\JWT\Encoding\JoseEncoder;
use Lcobucci\JWT\Token\Parser;
use Lcobucci\JWT\Validation\Constraint\RelatedTo;
use Lcobucci\JWT\Validation\Validator;
require 'vendor/autoload.php';
$parser = new Parser(new JoseEncoder());
$token = $parser->parse(
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
. 'eyJzdWIiOiIxMjM0NTY3ODkwIn0.'
. '2gSBz9EOsQRN9I-3iSxJoFt7NtgV6Rm0IL6a8CAwl3Q'
);
$validator = new Validator();
if (! $validator->validate($token, new RelatedTo('1234567891'))) {
echo 'Invalid token (1)!', PHP_EOL; // will print this
}
if (! $validator->validate($token, new RelatedTo('1234567890'))) {
echo 'Invalid token (2)!', PHP_EOL; // will not print this
}
```
!!! Note
Some systems make use of components to handle dependency injection.
If your application follows that practice, using a [configuration object](configuration.md) might simplify the wiring of this library.
## Available constraints
This library provides the following constraints:
* `Lcobucci\JWT\Validation\Constraint\IdentifiedBy`: verifies if the claim `jti` matches the expected value
* `Lcobucci\JWT\Validation\Constraint\IssuedBy`: verifies if the claim `iss` is listed as expected values
* `Lcobucci\JWT\Validation\Constraint\PermittedFor`: verifies if the claim `aud` contains the expected value
* `Lcobucci\JWT\Validation\Constraint\RelatedTo`: verifies if the claim `sub` matches the expected value
* `Lcobucci\JWT\Validation\Constraint\SignedWith`: verifies if the token was signed with the expected signer and key
* `Lcobucci\JWT\Validation\Constraint\SignedWithOneInSet`: verifies the token signature against multiple `SignedWithUntilDate` constraints
* `Lcobucci\JWT\Validation\Constraint\SignedWithUntilDate`: verifies if the token was signed with the expected signer and key (until a certain date)
* `Lcobucci\JWT\Validation\Constraint\StrictValidAt`: verifies presence and validity of the claims `iat`, `nbf`, and `exp` (supports leeway configuration)
* `Lcobucci\JWT\Validation\Constraint\LooseValidAt`: verifies the claims `iat`, `nbf`, and `exp`, when present (supports leeway configuration)
* `Lcobucci\JWT\Validation\Constraint\HasClaimWithValue`: verifies that a **custom claim** has the expected value (not recommended when comparing cryptographic hashes)
* `Lcobucci\JWT\Validation\Constraint\HasClaim`: verifies that a **custom claim** is present
You may also create your [own validation constraints](extending-the-library.md#validation-constraints).
|
