[Q] How to set validationConstraints?
JackQiang888 opened this issue
1. How to set a value to validationConstraints? Can you give a sample?
2. Set the validationConstraints to components as this?
'jwt' => [
    'class' => bizley\jwt\Jwt::class,
    'signer' => bizley\jwt\Jwt::RS256,
    'signingKey' => '',
    'verifyingKey' => [
        'key' => @'pubkey.pem', /* key content */
        'passphrase' => '', /* key passphrase */
        'store' => bizley\jwt\Jwt::STORE_IN_MEMORY, /* storage type */
        'method' => bizley\jwt\Jwt::METHOD_FILE /* method type */
    ],
    'validationConstraints'=> [
        **************************
    ]
],
Like this for example:
'validationConstraints' => [
    new \Lcobucci\JWT\Validation\Constraint\LooseValidAt(
        new \Lcobucci\Clock\SystemClock(new \DateTimeZone(/* your timezone here */)),
        new \DateInterval('PT1M')
    ),
    new \Lcobucci\JWT\Validation\Constraint\RelatedTo('subject'),
]
Use the above config,
'jwt' => [
    'class' => bizley\jwt\Jwt::class,
    'signer' => bizley\jwt\Jwt::RS256,
    'signingKey' => '',
    'verifyingKey' => [
        'key' => @'pubkey.pem', /* key content */
        'passphrase' => '', /* key passphrase */
        'store' => bizley\jwt\Jwt::STORE_IN_MEMORY, /* storage type */
        'method' => bizley\jwt\Jwt::METHOD_FILE /* method type */
    ],
    'validationConstraints' => [
        new \Lcobucci\JWT\Validation\Constraint\IdentifiedBy('aaa'),
        new \Lcobucci\JWT\Validation\Constraint\RelatedTo('subject')
    ],
],
function prepareValidationConstraints in jwt.php
    $configuredConstraints = $this->getConfiguration()->validationConstraints();
count of array $configuredConstraints is 0
Yes, it checks if there are preconfigured constraints. If not it proceeds to check validationConstraints.
When I use it as suggested I get an Uncaught Error: Class 'Lcobucci\JWT\Validation\Constraint\LooseValidAt' not found in my \backend\config\main.php. Did I miss something?
And which version of the package are you using?
My config file:
'components' => [
    'jwt' => [
        'class' => \bizley\jwt\Jwt::class,
        'signer' => \bizley\jwt\Jwt::HS256,
        'signingKey' => '......',
        'validationConstraints' => [
            new \Lcobucci\JWT\Validation\Constraint\LooseValidAt(
                new \Lcobucci\Clock\SystemClock(new \DateTimeZone('America/Sao_Paulo')),
                new \DateInterval('PT1M')
            ),
        ]
    ],
    ...
]
LooseValidAt was added in lcobucci/jwt 4.1 which is used in version 3.1.0 of this package.
Thank you. I updated the version and now it is working
Setting up lcobucci/jwt / bizley/yii2-jwt was a painful process for me:
- Errors were silent or not clear; I had to debug library code to find configuration issues.
- There are no constraints (validators) configured out-of-the box 😿.
However I finally managed to make it work, so I am sharing code with you guys:
// component configuration
[
    'class' => \bizley\jwt\Jwt::class,
    'signer' => \bizley\jwt\Jwt::RS256,
    'signingKey' => base64_decode("LS0tLS1CRUdJTiBSU0EgUF....."),
    'verifyingKey' => base64_decode("LS0tLS1CRUdJTiBQVUJMS....."),
    'validationConstraints' => function(\bizley\jwt\Jwt $jwt) {
        $signer = $jwt->getConfiguration()->signer();
        $pubKey = $jwt->getConfiguration()->verificationKey();
        $clock = \Lcobucci\Clock\FrozenClock::fromUTC();
        $clock->setTo(new \DateTimeImmutable());
        return [
            new \Lcobucci\JWT\Validation\Constraint\SignedWith($signer, $pubKey),
            new \Lcobucci\JWT\Validation\Constraint\ValidAt($clock),
        ];
    },
]
Hm, I'm sorry to hear that and I would like to improve it if you could create new issue with that problem and answer at least the questions below:
- What errors were silent or not clear?
- What configuration issues did you have?
- Constraints are done on the lcobucci/jwt side for which this package is only a Yii wrapper - which ones would you like to have configured out-of-the-box and why?
@bizley I am happy to answer your questions.
Ad. 2 My first configuration was like:
[
    'class' => \bizley\jwt\Jwt::class,
    'signer' => \bizley\jwt\Jwt::RS256,
    'signingKey' => base64_decode("LS0tLS1CRUdJTiBSU0EgUF....."),
]
As you can see I chose an asymmetric signer, but I forgot to set verifyingKey. I know the README tells it must be set, but for such a case I would expect getting InvalidConfigException.
Ad. 1 After setting verifyingKey, Bearer authentication (bizley\jwt\JwtHttpBearerAuth) was still failing with:
Your request was made with invalid or expired JSON Web Token.
I was really puzzled about that, but after debugging code it appeared Lcobucci\JWT\Validation\NoConstraintsGiven is thrown underneath. I think getting InvalidConfigException could be helpful for such case as well.
Ad. 3 I thought this is the base purpose of JWT:
- checking token authenticity (signature verification)
- checking token validity in terms of time.
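
The failure described in the last comment, reproduced with lcobucci/jwt alone (an added example, not code from this thread or from either package): a validator called with no constraints throws NoConstraintsGiven, which is a configuration defect rather than a bad token, while SignedWith plus LooseValidAt cover the two checks listed above. It assumes lcobucci/jwt 4.1 or later installed through Composer; the helper name rejectionReason, the HMAC keys and the claims are constructed for illustration.

```php
<?php
// Added example, plain lcobucci/jwt (4.1+); keys and claims below are constructed.
require __DIR__ . '/vendor/autoload.php';

use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Token;
use Lcobucci\JWT\Validation\Constraint;
use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\NoConstraintsGiven;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;

/** Hypothetical helper: null when every constraint passes, otherwise the reason. */
function rejectionReason(Configuration $config, Token $token, Constraint ...$constraints): ?string
{
    try {
        $config->validator()->assert($token, ...$constraints);
        return null;
    } catch (NoConstraintsGiven $e) {
        // Nothing was checked: a configuration defect, not a bad token.
        return 'misconfigured: no validation constraints';
    } catch (RequiredConstraintsViolated $e) {
        $messages = [];
        foreach ($e->violations() as $violation) {
            $messages[] = $violation->getMessage();
        }
        return 'rejected: ' . implode('; ', $messages);
    }
}

$config   = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText(str_repeat('k', 32)));
$otherKey = InMemory::plainText(str_repeat('x', 32)); // a key the token was not signed with

$now    = new DateTimeImmutable();
$issued = $config->builder()
    ->relatedTo('subject')
    ->issuedAt($now)
    ->expiresAt($now->modify('+5 minutes'))
    ->getToken($config->signer(), $config->signingKey());
$token  = $config->parser()->parse($issued->toString());
$time   = new LooseValidAt(new SystemClock(new DateTimeZone('UTC')), new DateInterval('PT1M'));

// Case 1: no constraints. Case 2: signature and time checks. Case 3: wrong verification key.
var_dump(rejectionReason($config, $token));
var_dump(rejectionReason($config, $token, new SignedWith($config->signer(), $config->verificationKey()), $time));
var_dump(rejectionReason($config, $token, new SignedWith($config->signer(), $otherKey), $time));
```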