Skip to content

v6.0.0

Compare
Choose a tag to compare
@bshaffer bshaffer released this 24 Jan 15:19
· 72 commits to main since this release
0541cba

Note: This version is compatible with PHP >= 5.3

Backwards Compatibility Breaking Changes

  • The second argument of JWT::decode now must be Firebase\JWT\Key or array<string, Firebase\JWT\Key> (see #376)
  • The return type of Firebase\JWT\JWK::parseKey is now Firebase\JWT\Key (see #392)
  • The return type of Firebase\JWT\JWK::parseKeySet is now array<string, Firebase\JWT\Key> (see #376)
  • The "alg" parameter is required to be set for all JWKS parsed using Firebase\JWT\JWK::parseKeySet (see #376)
  • The flag JSON_UNESCAPED_SLASHES is now used for JSON decoding (see #376)
  • Constants ASN1_INTEGER, ASN1_SEQUENCE, and ASN1_BIT_STRING have been removed (see #376)
  • JWT::encode requires third argument $alg (see #377)
  • JWT::sign requires third argument $alg (see #377)

Using Firebase\JWT\Key

Using the Key object in JWT::decode

As a security fix, to avoid key type confusion (see #351), use of Firebase\JWT\Key is now required when decoding:

use Firebase\JWT\JWT;

// previous (v5.5.1 and below)
$decoded = JWT::decode($jwt, $publicKey, 'RS256');

// new (v6.0.0)
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));

And when you have more than one key, the second argument can be an array of Key objects:

use Firebase\JWT\JWT;

// previous (v5.5.1 and below)
$decoded = JWT::decode($jwt, [$publicKey1, $publicKey2], 'RS256');

// new (v6.0.0)
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, [
    'kid1' => new Key($publicKey1, 'RS256'),
    'kid2' => new Key($publicKey2, 'RS256')
]);  

Note: When providing multiple keys, you must provide the matching $kid as the fourth parameter
to the JWT::encode function

Using the Key object in JWK::parseKey and JWK::parseKeySet

Calls to JWK::parseKey and JWK::parseKeySet now return a Key object and an array
of Key objects respectively.

use Firebase\JWT\JWK;

// previous (v5.5.1 and below)
$key = JWK::parseKey($jwk); // $key is a resource
$keys = JWK::parseKeySet($jwks); // $keys is an associative array key ID to resources

// new (v6.0.0)
$key = JWK::parseKey($jwk); // $key is a Key object
$keys = JWK::parseKeySet($jwks); // $keys is an associative array of key ID to Key objects

If the keys in your JWKS do not contain the "alg", you need to set it manually to the expected algorithm, for it to be able to parse successfully:

// new (v6.0.0) for JWKS which do not contain "alg"
foreach ($jwks as $k => $jwks) {
    $jwks[$k]['alg'] = 'RS256'; // the expected alg of your JWKS
}
$keys = JWK::parseKeySet($jwks); // $keys is an associative array of key ID to Key objects