bizley / yii2-jwt

JWT Integration for Yii 2

[Q] How to set validationConstraints?

JackQiang888 opened this issue · comments

1. How do I set a value for validationConstraints? Can you give a sample?
2. Do I set validationConstraints in components like this?

'jwt' => [
    'class' => bizley\jwt\Jwt::class,
    'signer' => bizley\jwt\Jwt::RS256,
    'signingKey' => '',
    'verifyingKey' => [
        'key' => 'pubkey.pem', /* key content (here: path to the key file) */
        'passphrase' => '', /* key passphrase */
        'store' => bizley\jwt\Jwt::STORE_IN_MEMORY, /* storage type */
        'method' => bizley\jwt\Jwt::METHOD_FILE /* method type */
    ],
    'validationConstraints' => [
        // **************************
    ]
],

Like this for example:

'validationConstraints' => [
    new \Lcobucci\JWT\Validation\Constraint\LooseValidAt(
        new \Lcobucci\Clock\SystemClock(new \DateTimeZone(/* your timezone here */)),
        new \DateInterval('PT1M')
    ),
    new \Lcobucci\JWT\Validation\Constraint\RelatedTo('subject'),
]

Using the above config:

'jwt' => [
    'class' => bizley\jwt\Jwt::class,
    'signer' => bizley\jwt\Jwt::RS256,
    'signingKey' => '',
    'verifyingKey' => [
        'key' => 'pubkey.pem', /* key content (here: path to the key file) */
        'passphrase' => '', /* key passphrase */
        'store' => bizley\jwt\Jwt::STORE_IN_MEMORY, /* storage type */
        'method' => bizley\jwt\Jwt::METHOD_FILE /* method type */
    ],
    'validationConstraints' => [
        new \Lcobucci\JWT\Validation\Constraint\IdentifiedBy('aaa'),
        new \Lcobucci\JWT\Validation\Constraint\RelatedTo('subject')
    ],
],

In the function prepareValidationConstraints in jwt.php:

    $configuredConstraints = $this->getConfiguration()->validationConstraints();

the count of the array $configuredConstraints is 0.

Yes, it checks if there are preconfigured constraints. If not it proceeds to check validationConstraints.

When I use it as suggested I get an Uncaught Error: Class 'Lcobucci\JWT\Validation\Constraint\LooseValidAt' not found in my \backend\config\main.php. Did I miss something?

And which version of the package are you using?

I am using "bizley/jwt": "3.0"


My config file:

'components' => [
    'jwt' => [
        'class' => \bizley\jwt\Jwt::class,
        'signer' => \bizley\jwt\Jwt::HS256,
        'signingKey' => '......',
        'validationConstraints' => [
            new \Lcobucci\JWT\Validation\Constraint\LooseValidAt(
                new \Lcobucci\Clock\SystemClock(new \DateTimeZone('America/Sao_Paulo')),
                new \DateInterval('PT1M')
            ),
        ]
    ],
    ...
]

LooseValidAt was added in lcobucci/jwt 4.1 which is used in version 3.1.0 of this package.

Thank you. I updated the version and now it is working

Setting up lcobucci/jwt / bizley/yii2-jwt was a painful process for me:

  1. Errors were silent or not clear; I had to debug library code to find configuration issues.
  2. There are no constraints (validators) configured out-of-the box 😿.

However I finally managed to make it work, so I am sharing code with you guys:

// component configuration
[
    'class' => \bizley\jwt\Jwt::class,
    'signer' => \bizley\jwt\Jwt::RS256,
    'signingKey' => base64_decode("LS0tLS1CRUdJTiBSU0EgUF....."),
    'verifyingKey' => base64_decode("LS0tLS1CRUdJTiBQVUJMS....."),
    'validationConstraints' => function(\bizley\jwt\Jwt $jwt) {
        $signer = $jwt->getConfiguration()->signer();
        $pubKey = $jwt->getConfiguration()->verificationKey();
        $clock = \Lcobucci\Clock\FrozenClock::fromUTC();
        $clock->setTo(new \DateTimeImmutable());
        return [
            new \Lcobucci\JWT\Validation\Constraint\SignedWith($signer, $pubKey),
            new \Lcobucci\JWT\Validation\Constraint\ValidAt($clock),
        ];
    },
]
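Combining bizley's constraint list above with the closure form from this comment, here is an added example (not code from the thread or the bizley/yii2-jwt project) of a component config that enforces signature and time validity and also restricts issuer and audience, which goes beyond what the thread shows. It assumes bizley/yii2-jwt 3.1+ on lcobucci/jwt 4.1+ (so StrictValidAt exists); the key paths, issuer and audience values are placeholders.

```php
<?php
// Added example, not part of the original thread or the bizley/yii2-jwt project.
// Assumes bizley/yii2-jwt 3.1+ with lcobucci/jwt 4.1+ and lcobucci/clock 2.x.
// Key paths, issuer and audience values below are placeholders.

use bizley\jwt\Jwt;
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Validation\Constraint\IssuedBy;
use Lcobucci\JWT\Validation\Constraint\PermittedFor;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;

return [
    'components' => [
        'jwt' => [
            'class' => Jwt::class,
            'signer' => Jwt::RS256,
            // The private key is only needed where tokens are issued; a pure
            // verifying service can leave 'signingKey' empty and ship only the
            // public key, so a compromised API host cannot mint tokens.
            'signingKey' => [
                'key' => '/etc/app/keys/jwt-private.pem', // placeholder path
                'method' => Jwt::METHOD_FILE,
            ],
            'verifyingKey' => [
                'key' => '/etc/app/keys/jwt-public.pem',  // placeholder path
                'method' => Jwt::METHOD_FILE,
            ],
            // Closure form: the component passes itself in, so the constraints
            // reuse the signer and key already resolved from the config above.
            'validationConstraints' => static function (Jwt $jwt): array {
                $config = $jwt->getConfiguration();
                return [
                    // 1. Authenticity: reject tokens not signed with our key/algorithm.
                    new SignedWith($config->signer(), $config->verificationKey()),
                    // 2. Time: StrictValidAt requires exp, nbf and iat to be present
                    //    and enforces them with 60 s of clock leeway; LooseValidAt
                    //    would skip claims that are absent.
                    new StrictValidAt(SystemClock::fromUTC(), new \DateInterval('PT60S')),
                    // 3. Scope: accept only tokens minted by our issuer for this API.
                    new IssuedBy('https://auth.example.test'),    // placeholder
                    new PermittedFor('https://api.example.test'), // placeholder
                ];
            },
        ],
    ],
];
```

With no constraints configured the underlying validator throws NoConstraintsGiven, which is what surfaces as the generic "invalid or expired JSON Web Token" message mentioned later in this thread; listing SignedWith explicitly is what makes the signature check happen at all.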

Hm, I'm sorry to hear that and I would like to improve it if you could create a new issue with that problem and answer at least the questions below:

  1. What errors were silent or not clear?
  2. What configuration issues did you have?
  3. Constraints are done on the lcobucci/jwt side for which this package is only a Yii wrapper - which ones would you like to have configured out-of-the-box and why?

@bizley I am happy to answer your questions.

Ad. 2 My first configuration was like:

[
    'class' => \bizley\jwt\Jwt::class,
    'signer' => \bizley\jwt\Jwt::RS256,
    'signingKey' => base64_decode("LS0tLS1CRUdJTiBSU0EgUF....."),
]

As you can see I chose an asymmetric signer, but I forgot to set verifyingKey. I know the README says it must be set, but for such a case I would expect to get an InvalidConfigException.

Ad. 1 After setting verifyingKey Bearer authentication (bizley\jwt\JwtHttpBearerAuth) was still failing with:

Your request was made with invalid or expired JSON Web Token.

I was really puzzled about that, but after debugging the code it appeared that Lcobucci\JWT\Validation\NoConstraintsGiven is thrown underneath. I think getting an InvalidConfigException could be helpful for such a case as well.

Ad. 3 I thought this is the basic purpose of JWT:

  • checking token authenticity (signature verification)
  • checking token validity in terms of time.