Releases: firebase/php-jwt
v6.1.0
Note: There should be no issues with backwards compatibility unless types were being used incorrectly
- This version is compatible with PHP >= 7.1
- Drop support for PHP 5.3, 5.4, 5.5, 5.6, and 7.0
- Add parameter typing and return types
- Better PHPDoc / IDE support
v6.0.0
Note: This version is compatible with PHP >= 5.3
Backwards Compatibility Breaking Changes
- The second argument of JWT::decode now must be Firebase\JWT\Key or array<string, Firebase\JWT\Key> (see #376)
- The return type of Firebase\JWT\JWK::parseKey is now Firebase\JWT\Key (see #392)
- The return type of Firebase\JWT\JWK::parseKeySet is now array<string, Firebase\JWT\Key> (see #376)
- The "alg" parameter is required to be set for all JWKS parsed using Firebase\JWT\JWK::parseKeySet (see #376)
- The flag JSON_UNESCAPED_SLASHES is now used for JSON decoding (see #376)
- Constants ASN1_INTEGER, ASN1_SEQUENCE, and ASN1_BIT_STRING have been removed (see #376)
- JWT::encode requires third argument $alg (see #377)
- JWT::sign requires third argument $alg (see #377)
Using Firebase\JWT\Key
Using the Key object in JWT::decode
As a security fix, to avoid key type confusion (see #351), use of Firebase\JWT\Key is now required when decoding:
use Firebase\JWT\JWT;
// previous (v5.5.1 and below)
$decoded = JWT::decode($jwt, $publicKey, 'RS256');
// new (v6.0.0)
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));
And when you have more than one key, the second argument can be an array of Key objects:
use Firebase\JWT\JWT;
// previous (v5.5.1 and below)
$decoded = JWT::decode($jwt, [$publicKey1, $publicKey2], 'RS256');
// new (v6.0.0)
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, [
    'kid1' => new Key($publicKey1, 'RS256'),
    'kid2' => new Key($publicKey2, 'RS256')
]);
Note: When providing multiple keys, you must provide the matching $kid as the fourth parameter to the JWT::encode function.
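The key array behaviour described above, as an added example that is not from the php-jwt project: it decodes three tokens against a set of Key objects to show that a token is accepted only when its "kid" selects a Key whose bound algorithm matches the header. It assumes firebase/php-jwt v6.x installed with Composer; the secrets, key IDs, and the tryDecode helper are constructed for illustration.

```php
<?php
// Added example, not from the php-jwt project. Assumes firebase/php-jwt v6.x
// installed with Composer; secrets and key IDs below are constructed.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Constructed demo secrets, long enough for their HMAC variants.
$secretA = str_repeat('a', 64);
$secretB = str_repeat('b', 64);

// Each key ID is bound to exactly one algorithm.
$keys = [
    'kid1' => new Key($secretA, 'HS256'),
    'kid2' => new Key($secretB, 'HS384'),
];

// Hypothetical helper: decode and report the outcome instead of throwing.
function tryDecode(string $jwt, array $keys): string
{
    try {
        $claims = JWT::decode($jwt, $keys);
        return 'accepted, sub=' . $claims->sub;
    } catch (UnexpectedValueException $e) {
        // Also covers SignatureInvalidException, which extends it.
        return 'rejected: ' . $e->getMessage();
    }
}

$payload = ['sub' => 'demo-user'];

// 1. kid and alg match the Key registered for kid1.
$ok = JWT::encode($payload, $secretA, 'HS256', 'kid1');

// 2. Signed with kid2's secret but HS256; the Key for kid2 says HS384.
$wrongAlg = JWT::encode($payload, $secretB, 'HS256', 'kid2');

// 3. No kid in the header, so no Key can be selected from the array.
$noKid = JWT::encode($payload, $secretA, 'HS256');

$cases = ['matching' => $ok, 'alg mismatch' => $wrongAlg, 'missing kid' => $noKid];
foreach ($cases as $label => $jwt) {
    echo $label, ': ', tryDecode($jwt, $keys), PHP_EOL;
}
```

Only the first token is accepted; the other two are rejected before any claims are returned, which is the check that replaces the old allowed_algs argument.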
Using the Key object in JWK::parseKey and JWK::parseKeySet
Calls to JWK::parseKey and JWK::parseKeySet now return a Key object and an array
of Key objects respectively.
use Firebase\JWT\JWK;
// previous (v5.5.1 and below)
$key = JWK::parseKey($jwk); // $key is a resource
$keys = JWK::parseKeySet($jwks); // $keys is an associative array of key ID to resources
// new (v6.0.0)
$key = JWK::parseKey($jwk); // $key is a Key object
$keys = JWK::parseKeySet($jwks); // $keys is an associative array of key ID to Key objects
If the keys in your JWKS do not contain the "alg", you need to set it manually to the expected algorithm, for it to be able to parse successfully:
// new (v6.0.0) for JWKS which do not contain "alg"
// the individual keys of a JWK Set live under its "keys" member
foreach ($jwks['keys'] as $k => $jwk) {
    $jwks['keys'][$k]['alg'] = 'RS256'; // the expected alg of your JWKS
}
$keys = JWK::parseKeySet($jwks); // $keys is an associative array of key ID to Key objects
v5.5.1
v5.5.0
!!IMPORTANT!!
The recommended usage of this library has changed.
A Key object should now be used as the second argument to JWT::decode instead of using the
allowed_algs array. This will prevent key/algorithm type confusion:
// Previous way to call "decode"
Firebase\JWT\JWT::decode($jwt, $publicKey, ['RS256']);
// New (safer) way to call "decode"
$key = new Firebase\JWT\Key($publicKey, 'RS256');
Firebase\JWT\JWT::decode($jwt, $key);
Please see #351 for more information on the issue, and #365 for the merged changes.
The README has also been updated to reflect the new usage.
v5.4.0
v5.3.0
v5.2.1
v5.2.0
v5.1.0
v5.0.0 / 2017-06-27
Changelog:
- Support RS384 and RS512. See #117. Thanks @joostfaassen!
- Add an example for RS256 openssl. See #125. Thanks @akeeman!
- Detect invalid Base64 encoding in signature. See #162. Thanks @psignoret!
- Update JWT::verify to handle OpenSSL errors. See #159. Thanks @bshaffer!
- Add array type hinting to decode method. See #101. Thanks @hywak!
- Add all JSON error types. See #110. Thanks @gbalduzzi!
- Bugfix 'kid' not in given key list. See #129. Thanks @stampycode!
- Miscellaneous cleanup, documentation and test fixes. See #107, #115, #160, #161, and #165. Thanks @akeeman, @chinedufn, and @bshaffer!