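<?php

declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use Jose\Component\Core\JWK;
use Jose\Component\Core\JWKSet;
use Jose\Component\KeyManagement\JWKFactory;
use Jose\Easy\Build;
use Jose\Easy\Load;

// Demo script: sign a JWS with an RSA private key, verify it with the matching
// public key, and publish the public keys as a JWK Set. All key material comes
// from config/secrets/dev, i.e. this is wired for a development environment.

$time = time(); // Current Unix time in seconds; basis for exp/iat/nbf.

/**
 * Loads a PEM key file into a signature-use JWK.
 *
 * Every key gets a stable "kid" so that a consumer of the published JWK Set can
 * select the right key from the token's "kid" header, and an "alg" so the key
 * is pinned to a single algorithm (the library refuses to use a key whose "alg"
 * does not match the token header).
 *
 * The dev keys carry no passphrase (null); production keys should.
 */
$loadSigningKey = static function (string $file, string $kid): JWK {
    return JWKFactory::createFromKeyFile(
        __DIR__ . '/config/secrets/dev/' . $file,
        null,
        [
            'use' => 'sig',
            'alg' => 'RS256',
            'kid' => $kid,
        ]
    );
};

$privateKey  = $loadSigningKey('private.key', 'dev-key-1');
$publicKey   = $loadSigningKey('public.key', 'dev-key-1');
$privateKey2 = $loadSigningKey('private2.key', 'dev-key-2');
$publicKey2  = $loadSigningKey('public2.key', 'dev-key-2');

// Build and sign the token. The "jti" is a fixed demo value; a real issuer
// should generate a unique, unguessable identifier per token (e.g. from
// random_bytes()) so the claim can actually be used for replay detection.
$jws = Build::jws()
    ->exp($time + 3600)                 // valid for one hour
    ->iat($time)                        // issued now
    ->nbf($time)                        // not usable before now
    ->jti('0123456789', true)           // second argument also copies the claim into the protected header
    ->alg('RS256')                      // signature algorithm (must match the key's "alg")
    ->iss('issuer')
    ->aud('audience1')                  // first audience
    ->aud('audience2')                  // a token may carry several audiences
    ->sub('subject')
    ->claim('https://example.com/isRoot', true)
    ->header('typ', 'JWT')
    ->header('kid', $privateKey->get('kid')) // lets verifiers pick the key from the JWK Set
    ->sign($privateKey);

try {
    // Verify the signature and every claim we set above. The allowed algorithm
    // list is restricted to exactly what we sign with: the narrower the list,
    // the smaller the surface for algorithm-substitution mistakes.
    $jwt = Load::jws($jws)
        ->algs(['RS256'])
        ->exp()                         // reject expired tokens
        // Clock-skew allowance for "iat". The checker compares against time(),
        // so this value is in SECONDS: 5 s of drift, not the 1000 (~17 min)
        // that the upstream example labels as "1000ms".
        ->iat(5)
        ->nbf()                         // reject tokens used before "nbf"
        ->aud('audience1')              // the audience this service accepts
        ->iss('issuer')                 // the issuer this service trusts
        ->sub('subject')
        ->jti('0123456789')
        ->key($publicKey)               // public half of the signing key
        ->run();

    var_export($jwt);
} catch (Throwable $exception) {
    // Dev-only diagnostics. Do not var_export() the whole exception in a
    // request handler: its trace carries file paths and call arguments.
    echo get_class($exception) . ': ' . $exception->getMessage(), PHP_EOL;
}

// Publish only the public halves. toPublic() strips any private parameters
// ("d", "p", "q", ...) so a mix-up between the $privateKey*/$publicKey*
// variables cannot leak signing material through this output.
$jwks = new JWKSet([
    $publicKey->toPublic(),
    $publicKey2->toPublic(),
]);

$json = json_encode($jwks);
if ($json === false) {
    throw new RuntimeException('Unable to encode the JWK Set: ' . json_last_error_msg());
}
echo $json;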
ekkinox commented Jan 27, 2021

composer.json

{
    "name": "jonathan/jwt",
    "authors": [
        {
            "name": "Jonathan Vuillemin",
            "email": "[email protected]"
        }
    ],
    "require": {
        "web-token/jwt-easy": "^2.2",
        "web-token/jwt-signature-algorithm-rsa": "^2.2",
        "web-token/jwt-key-mgmt": "^2.2"
    }
}

To generate the dev key pairs (the private keys are written unencrypted, so keep `config/secrets/` out of version control and never publish anything but the `public*.key` files):

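mkdir -p config/secrets/dev

# Dev-only RSA key pairs (2048-bit, no passphrase). openssl writes the private
# key honouring the current umask, which usually leaves it group/world
# readable, so restrict it to the owner right after creation. Only the
# public*.key files are meant to be exported in the JWK Set.
openssl genrsa -out config/secrets/dev/private.key 2048
chmod 600 config/secrets/dev/private.key
openssl rsa -in config/secrets/dev/private.key -outform PEM -pubout -out config/secrets/dev/public.key

openssl genrsa -out config/secrets/dev/private2.key 2048
chmod 600 config/secrets/dev/private2.key
openssl rsa -in config/secrets/dev/private2.key -outform PEM -pubout -out config/secrets/dev/public2.key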
