corbosman / laravel-passport-claims

Add claims to Laravel Passport JWT Tokens

corbosman/laravel-passport-claims 1.7.1 incompatible with lcobucci/jwt 3.4.2

byjl opened this issue

I recently did a composer update on my project which resulted in an issue with laravel-passport-claims.
This is the exception I was getting when creating an access token:

Replicating claims as headers is deprecated and will removed from v4.0. Please manually set the header if you need it replicated.

I fixed it by overriding this class: CorBosman\Passport\AccessToken @ convertToJWT with the following changes:

$jwt = (new Builder())
    ->permittedFor($this->getClient()->getIdentifier())
    ->identifiedBy($this->getIdentifier(), false) // second param used to be true
    ->issuedAt(new \DateTimeImmutable('now')) // used to be now()
    ->canOnlyBeUsedAfter(new \DateTimeImmutable('now')) // used to be now()
    ->expiresAt($this->getExpiryDateTime()) // used to be $this->getExpiryDateTime()->getTimestamp()
    ->relatedTo($this->getUserIdentifier())
    ->withClaim('scopes', $this->getScopes());

Thanks

This is probably due to a problem with the JWT class and has been documented in both Laravel passport and other projects. I released a version 2.0.0 of my package a few days ago which should work, but it also requires Passport 10.1.0 or higher, which made changes to also fix the same issues with the JWT package. There's probably some mix of versions in between where things remain unstable.

Here you can read more about it: laravel/passport#1381

Basically the JWT package made some changes that cause hard errors in all kinds of projects, including Laravel Passport. I don't see any fixes in the Passport 9 version tree, so I guess Passport isn't being fixed for 9.0. This means really the only option is upgrading to 10.1.0+ (and my package 2.0.0), or locking the jwt package on 3.3.3 like people have been doing according to that issue thread.

Thank you for pointing me to that thread. I will override the package class until I am able to upgrade my project to use Passport 10 and laravel-passport-claims 2.

& for anyone who may be reading this, locking lcobucci/jwt to 3.3.3 caused issues with authenticating via cookies somehow

Thanks

I see that Passport 9 also made some changes to accommodate this problem, but in the PHP8 commit, that's why I didn't see it. I'll see if I can get this solved in the 1.x version (Passport 9) as well.

I just pushed version 1.8.0, which depends on Passport 9.4.0+. I think that works, at least if I install Laravel7 + Passport9.4 + my package version 1.8.0 I can create tokens with custom claims. Let me know when you have the chance. You probably need to remove your 3.3.3 lock, else it won't install Passport 9.4 I think.

yup, that worked, thanks a lot!

awesome, thanks for testing