How to use JWT and JWS for API authentication in PHP

In today's information age, API is no longer just a technology in the software development process, it has become an indispensable component in modern Web applications. Since API interfaces are vulnerable to attacks, security is one of the important considerations when developing APIs. JWT (JSON Web Token) and JWS (JSON Web Signature) are two authentication methods commonly used to secure APIs.

JWT is a JSON-based security token used to transmit information between communicating parties. It consists of three parts: header, payload and signature. The header describes the token type and algorithm, the payload contains the required information, and the signature is used to verify the authenticity of the token. When using JWT, this token will be used as the authentication token for API requests.

JWS is a standard for adding digital signatures to text strings. It allows messages to be transmitted securely in untrusted environments and ensures sender authentication and message integrity. JWS typically uses SHA-256 or SHA-512 algorithms to generate signatures.

In this article, we will explore how to use JWT and JWS in PHP for API authentication.

Step 1: Install dependencies

First, we need to install some dependencies to support JWT and JWS. Install the dependencies using the following command:

composer require firebase/php-jwt
composer require lcobucci/jwt

Step 2: Generate JWT

Before using JWT, we need to generate the JWT first. The following is the PHP code used to generate the JWT:

use FirebaseJWTJWT;

// Set up the JWT payload data
$payload = array(
    "sub" => "1234567890",
    "name" => "John Doe",
    "iat" => 1516239022
);

// Set up the JWT secret key
$secret_key = "YOUR_SECRET_KEY";

// Generate the JWT
$jwt = JWT::encode($payload, $secret_key);

With this code, we successfully generated a JWT. In this code we set the headers, payload and signature. The header contains the type and algorithm of the JWT, the payload consists of the data we provide, such as user ID, username, etc., and the signature is used to verify the authenticity of the token.

Step 3: Verify the JWT

The next step is to verify the JWT. We need to use the following code to verify the JWT:

use FirebaseJWTJWT;

// Set up the JWT secret key
$secret_key = "YOUR_SECRET_KEY";

// Get the JWT from the request headers
$jwt = getAuthorizationHeader();

// Verify the JWT
try {
    $payload = JWT::decode($jwt, $secret_key, array('HS256'));
} catch (Exception $e) {
    // If the JWT is invalid, return an error response
    return json_encode(array(
        'success' => false,
        'message' => 'Invalid JWT'
    ));
}

// If the JWT is valid, return a success response with the payload data
return json_encode(array(
    'success' => true,
    'message' => 'Valid JWT',
    'payload' => $payload
));

// Function to get the Authorization header from the request
function getAuthorizationHeader()
{
    $headers = apache_request_headers();

    if (isset($headers['Authorization'])) {
        return $headers['Authorization'];
    } else {
        return null;
    }
}

In this code, we use the JWT::decode() function to verify the JWT. If validation is successful, an object containing the JWT payload data will be returned, otherwise the caught exception will be returned with an error response.

Step 4: Generate JWS

Now that we have mastered how to generate and validate a JWT, we will learn how to use JWS to secure an API. The following is a PHP code snippet that generates JWS:

use LcobucciJWTBuilder;
use LcobucciJWTSignerHmacSha256;

// Set up the JWT signer
$signer = new Sha256();

// Set up the JWT builder
$builder = new Builder();
$builder->setIssuer('http://example.com');
$builder->setAudience('http://example.org');
$builder->setId('4f1g23a12aa', true);
$builder->setIssuedAt(time());
$builder->setExpiration(time() + 3600);
$builder->set('uid', 1);

// Sign the JWT
$token = $builder->sign($signer, 'YOUR_SECRET_KEY')->getToken();

// Get the token string
$jwt = (string) $token;

Step 5: Verify JWS

The last step is to verify the JWS, we need to use the following code:

use LcobucciJWTValidationData;

// Set up the JWT secret key
$secret_key = "YOUR_SECRET_KEY";

// Get the JWT from the request headers
$jwt = getAuthorizationHeader();

// Verify the JWS
$token = $signer->loadToken($jwt);
$validationData = new ValidationData();
$validationData->setIssuer('http://example.com');
$validationData->setAudience('http://example.org');
$validationData->setId('4f1g23a12aa');
$validationData->setCurrentTime(time());

if (!$token->validate($validationData) || !$token->verify($signer, $secret_key)) {
    // If the JWS is invalid, return an error response
    return json_encode(array(
        'success' => false,
        'message' => 'Invalid JWS'
    ));
}

// If the JWS is valid, return a success response with the payload data
$payload = $token->getClaims();
return json_encode(array(
    'success' => true,
    'message' => 'Valid JWS',
    'payload' => $payload
));

In this paragraph In the code, we use the loadToken() method to load the JWT into the validator, use the validate() method to verify the content of the JWT, and use the verify() method to verify that the JWT signature is correct. Finally, we provide a valid response containing the data from the payload obtained from the JWS if the validation was successful.

Conclusion

Overall, using JWT and JWS for API authentication in PHP is very good practice. Using these techniques, we can ensure that the API is only accessed by authorized users and protect the API from malicious users. By following the above steps, we can easily implement this secure authentication in PHP.

The above is the detailed content of How to use JWT and JWS for API authentication in PHP. For more information, please follow other related articles on the PHP Chinese website!