UPGRADE-2.0.md

UPGRADE FROM 1.x to 2.0

Configuration

• The JWT authentication system has been deprecated in favor of a Guard authenticator
  called JWTTokenAuthenticator.
  By the way, the security configuration has been simplified. Most of the options that was
  set from the JWT-secured firewall configuration have been moved to the bundle configuration,
  keeping the same names and default values.

  Removed options

  • create_entry_point: The new authenticator being an entry point after all, this option doesn't bring any value anymore.
    If a firewall allows anonymous, the entry point will not be called at all, letting the request continue.
    If it doesn't, the entry point will dispatch a on_jwt_not_found event that can be subscribed to customize the default failure response that will be returned by the entry point.
  • throw_exceptions: This option doesn't make sense anymore as the exceptions thrown during the authentication process are needed, involving call of the good method in the good time, dispatching the good events, so a custom response can be easily set, as its content no more depends on the exception thrown.
  • authentication_provider and authentication_listener: It's now part of the authenticator role, simplifiying a lot the corresponding code that can now be found/overriden from one place.

  Before

  # app/config/security.yml
  firewalls:
      api:
          lexik_jwt:
              authorization_header: ~
              cookie: ~
              query_parameter: ~
              throw_exceptions: false
              create_entry_point: true
              authentication_provider: lexik_jwt_authentication.security.authentication.provider
              authentication_listener: lexik_jwt_authentication.security.authentication.listener

  After

  # app/config/security.yml
  firewalls:
      api:
          guard:
              authenticators:
                  - lexik_jwt_authentication.jwt_token_authenticator
  
  # app/config/config.yml
  lexik_jwt_authentication:
      # ...
      token_extractors:
          authorization_header: ~
          cookie: ~
          query_parameter: ~

• The token_ttl option must be a numeric value, having an infinite token lifetime is no more supported by the built-in encoders (the exp claim is automatically set), see issue #250 for more details.

Events

• The ability of retrieving Request instances from Event classes has been removed, as the current Request is no more injected into when they are dispatched.
  Being able to access them was mainly useful for doing stuff depending on informations retrieved from.
  Fortunately, you can reproduce the same behaviour in a more efficient way:

  Before

  services:
      jwt_event_listener:
          class: AppBundle\EventListener\JWTCreatedListener
          tags:
              - { name: kernel.event_listener, event: lexik_jwt_authentication.on_jwt_created, method: onJWTCreated }

  use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
  
  class JWTCreatedListener
  {
      public function onJWTCreated(JWTCreatedEvent $event)
      {
          $request = $event->getRequest();
      }
  }

  After

  services:
      jwt_event_listener:
          class: AppBundle\EventListener\JWTCreatedListener
          arguments: [ '@request_stack' ]
          tags:
              - { name: kernel.event_listener, event: lexik_jwt_authentication.on_jwt_created, method: onJWTCreated }

  use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
  use Symfony\Component\HttpFoundation\RequestStack;
  
  class JWTCreatedListener
  {
      private $requestStack;
      
      public function __construct(RequestStack $requestStack)
      {
          $this->requestStack = $requestStack;
      }
      
      public function onJWTCreated(JWTCreatedEvent $event)
      {
          $request = $this->requestStack->getCurrentRequest();
      }
  }

• Introduced JWTExpiredEvent In 1.x, trying to authenticate an user with an expired token was causing a JWTInvalidEvent to be dispatched, as for several other mixed reasons. Now in 2.x, this failure reason has its own event on which you can listen on.

Encoder

• The service lexik_jwt_authentication.jwt_encoder has been removed in favor
  of lexik_jwt_authentication.encoder.default that supports OpenSSL and
  phpseclib crypto engines.

• The class Lexik\Bundle\JWTAuthenticationBundle\Encoder\JWTEncoder has been
  removed in favor of Lexik\Bundle\JWTAuthenticationBundle\Encoder\DefaultEncoder.

  It was used by the lexik_jwt_authentication.jwt_encoder service that has been removed.

• The Lexik\Bundle\JWTAuthenticationBundle\Encoder\JWTEncoderInterface has been changed,
  the encode and decode methods now throw exceptions rather than returning false
  in case of error.

• The Lexik\Bundle\JWTAuthenticationBundle\Encoder\DefaultEncoder default encoder used via service "lexik_jwt_authentication.encoder.default" now checks for a iat claim existance and validity when decoding a token using DefaultEncoder::decode().

KeyLoader

• The lexik_jwt_authentication.openssl_key_loader has been removed
  in favor of lexik_jwt_authentication.key_loader.

• The class Lexik\Bundle\JWTAuthenticationBundle\Services\OpenSSLKeyLoader has been
  removed in favor of Lexik\Bundle\JWTAuthenticationBundle\Services\KeyLoader\OpenSSLKeyLoader.

  It was used by the lexik_jwt_authentication.openssl_key_loader that has been removed.

Command

• The lexik:jwt:check-open-ssl command has been renamed to lexik:jwt:check-config
  as the bundle now supports several crypto engines.

Security

• The JWTManagerInterface has been deprecated in favor of a new JWTTokenManagerInterface implementing two new methods: setUserIdentityField and getUserIdentityField. These methods were already implemented by the JWTManager class in 1.x but not guaranteed by the old interface.

• The JWTManager is no more responsible of setting the token exp claim, meaning that its constructor takes one less argument (the last one). This logic has been moved to the Encoder that is responsible of creating signed tokens and verifying/validating existing ones.