How to verify a JWT with several possible key in v6?

Question

How to verify a JWT with several possible key in v6?

chennien opened this issue 2 years ago · comments

According to [issue #214], JWT::decode accepted an array of several possible keys before v6, like this.
$possible_keys = [
'kid1' => 'my_key1',
'kid2' => 'my_key2',
];
$decoded = JWT::decode( $jwt, $possible_keys, ['RS256'] );

May I know how can I achieve the same goal with the new key object in v6?
$decoded = JWT::decode( $jwt, new Key($possible_keys, "RS256") );

I got an error "Fatal error: Uncaught TypeError: Firebase\JWT\JWT::getKey(): Return value must be of type Firebase\JWT\Key, string returned" when I ran above code.

Thank you.

Danilo Polani · Answer 1 · Mon Feb 20 2023 18:52:56 GMT+0800 (China Standard Time)

The new signature of the decode method is:

@param Key|array<string,Key> $keyOrKeyArray

So you can fix that by mapping the array to kid => new key():

use Firebase\JWT\Key;

$keys = [
    'kid1' => 'key1',
    'kid2' => 'key2',
];

JWT::decode(
    $jwt,
    array_map(
        fn (string $key) => new Key($key, 'ALG HERE'),
        $keys
    )
);

@bshaffer maybe we can document this in the README and the release notes of v6?

Abid Hussain · Answer 2 · Wed Apr 26 2023 16:59:58 GMT+0800 (China Standard Time)

thanks brother @danilopolani I was also facing this issue. solved with your solution

Brent Shaffer · Answer 3 · Wed Apr 26 2023 22:30:46 GMT+0800 (China Standard Time)

Thanks @danilopolani ! I updated the release notes to include multiple keys in an array. We should also add this to the README, as, even though it's documented in PHPDoc, it's not shown anywhere in the README.