forked from lexik/LexikJWTAuthenticationBundle
-
Notifications
You must be signed in to change notification settings - Fork 1
/
1-configuration-reference.rst
244 lines (188 loc) · 7.19 KB
/
1-configuration-reference.rst
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
Configuration reference
=======================
Bundle configuration
--------------------
Minimal configuration
~~~~~~~~~~~~~~~~~~~~~
Using RSA/ECDSA
~~~~~~~~~~~~~~~
.. code-block:: yaml
# config/packages/lexik_jwt_authentication.yaml
#...
lexik_jwt_authentication:
secret_key: '%kernel.project_dir%/config/jwt/private.pem' # path to the secret key OR raw secret key, required for creating tokens
public_key: '%kernel.project_dir%/config/jwt/public.pem' # path to the public key OR raw public key, required for verifying tokens
pass_phrase: 'yourpassphrase' # required for creating tokens
# Additional public keys are used to verify signature of incoming tokens, if the key provided in "public_key" configuration node doesn't verify the token
additional_public_keys:
- '%kernel.project_dir%/config/jwt/public1.pem'
- '%kernel.project_dir%/config/jwt/public2.pem'
- '%kernel.project_dir%/config/jwt/public3.pem'
Using HMAC
~~~~~~~~~~
.. code-block:: yaml
# config/packages/lexik_jwt_authentication.yaml
#...
lexik_jwt_authentication:
secret_key: yoursecret
Full default configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~
.. code-block:: yaml
# config/packages/lexik_jwt_authentication.yaml
# ...
lexik_jwt_authentication:
secret_key: ~
public_key: ~
pass_phrase: ~
token_ttl: 3600 # token TTL in seconds, defaults to 1 hour
user_identity_field: username # key under which the user identity will be stored in the token payload
clock_skew: 0
allow_no_expiration: false # set to true to allow tokens without exp claim
# token encoding/decoding settings
encoder:
# token encoder/decoder service - default implementation based on the lcobucci/jwt library
service: lexik_jwt_authentication.encoder.lcobucci
# encryption algorithm used by the encoder service
signature_algorithm: RS256
# token extraction settings
token_extractors:
# look for a token as Authorization Header
authorization_header:
enabled: true
prefix: Bearer
name: Authorization
# check token in a cookie
cookie:
enabled: false
name: BEARER
# check token in query string parameter
query_parameter:
enabled: false
name: bearer
# check token in a cookie
split_cookie:
enabled: false
cookies:
- jwt_hp
- jwt_s
# remove the token from the response body when using cookies
remove_token_from_body_when_cookies_used: true
Encoder configuration
~~~~~~~~~~~~~~~~~~~~~
service
.......
Defaults to ``lexik_jwt_authentication.encoder.lcobucci`` which is based
on the `Lcobucci/JWT <https://github.com/lcobucci/jwt>`__ library.
For an advanced token encoding with higher encryption support, please
see the
`Spomky-Labs/lexik-jose-bridge <https://github.com/Spomky-Labs/lexik-jose-bridge>`__
which is based on the great
`web-token/jwt-framework <https://github.com/web-token/jwt-framework>`__
library.
To create your own encoder service, see the
:doc:`JWT encoder service customization chapter </5-encoder-service>`.
signature_algorithm
...................
One of the algorithms supported by the default encoder for the
configured `crypto engine <#crypto_engine>`__.
- HS256, HS384, HS512 (HMAC)
- RS256, RS384, RS512 (RSA)
- ES256, ES384, ES512 (ECDSA)
Automatically generating cookies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You are now able to automatically generate secure and httpOnly cookies
when the cookie token extractor is enabled
`#753 <https://github.com/lexik/LexikJWTAuthenticationBundle/pull/753>`__.
.. code-block:: yaml
token_extractors:
cookie:
enabled: true
name: BEARER
# ...
set_cookies:
BEARER: ~
# Full config with defaults:
# BEARER:
# lifetime: null (defaults to token ttl)
# samesite: lax
# path: /
# domain: null (null means automatically set by symfony)
# secure: true (default to true)
# httpOnly: true
Automatically generating split cookies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You are also able to automatically generate split cookies. Benefits of
this approach are in
`this post <https://medium.com/lightrail/getting-token-authentication-right-in-a-stateless-single-page-application-57d0c6474e3>`__.
Set the signature cookie (jwt_s) lifetime to 0 to create session
cookies.
Keep in mind, that SameSite attribute is **not supported** in
`some browsers <https://caniuse.com/#feat=same-site-cookie-attribute>`__
.. code-block:: yaml
token_extractors:
split_cookie:
enabled: true
cookies:
- jwt_hp
- jwt_s
set_cookies:
jwt_hp:
lifetime: null
samesite: strict
path: /
domain: null
httpOnly: false
split:
- header
- payload
jwt_s:
lifetime: 0
samesite: strict
path: /
domain: null
httpOnly: true
split:
- signature
Keep the token in the body when using cookies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When using cookies the response defaults to an empty body and result
code 204. It is possible to modify this behaviour.
Keep in mind, this invalidates a requirement from the
`previously mentioned post <https://medium.com/lightrail/getting-token-authentication-right-in-a-stateless-single-page-application-57d0c6474e3>`__,
namely "JavaScript/front-end should never have access to the full JWT".
.. code-block:: yaml
remove_token_from_body_when_cookies_used: false
Security configuration
----------------------
For Symfony 5.3 and higher, use the ``jwt`` authenticator:
.. code-block:: yaml
# config/packages/security.yaml
security:
enable_authenticator_manager: true
firewalls:
api:
# ...
jwt: ~ # enables the jwt authenticator
# Full config with defaults:
# jwt:
# provider: null (you can put provider here or just ignore this config)
# authenticator: lexik_jwt_authentication.security.jwt_authenticator (default jwt authenticator)
# ...
For Symfony versions prior to 5.3, use the Guard authenticator:
.. code-block:: yaml
firewalls:
# ...
api:
# ...
guard:
authenticators:
- 'lexik_jwt_authentication.jwt_token_authenticator'
Authenticator
.............
For more details about using custom authenticator in your application,
see :doc:`Extending JWT Authenticator </6-extending-jwt-authenticator>`.
Database-less User Provider
...........................
For a database-less authentication (i.e. trusting into the JWT data
instead of reloading the user from the database), see
:doc:`"A database less user provider" </8-jwt-user-provider>`.