This post is focused on decoding and verifying the Firebase ID token (a JWT) on the backend. I'm not going to cover how to retrieve the token on the client side since it's very straightforward. I created a FirebaseToken class with a verify() method that verifies the JWT and returns the decoded payload, which contains the authenticated user data. Let me explain how it works step by step.

Install the firebase/php-jwt package

First, let's install firebase/php-jwt with Composer; we will use it for decoding and verifying the JWT.

Create the FirebaseToken class

The constructor takes $token, which is the actual JWT.

```php
public function __construct(string $token)
```

In the verify() method we use the JWT::decode() that firebase/php-jwt provides. It takes the public keys as its second argument; they are used to verify that the token was signed by the matching private key.

```php
/**
 * Verify the ID token and return the decoded payload.
 */
public function verify(string $projectId): object
```

Fetch the public keys

Grab the public keys from the Google endpoint given in the Firebase guide and pass them to JWT::decode(). As you can see, the response (i.e. the public keys) is cached to avoid downloading it on every request. For the cache TTL, use the max-age in the Cache-Control header of the response. Note that Str::match() returns a Stringable, so cast it before handing it to addSeconds().

```php
$response = Http::get(self::PUBLIC_KEY_URL);

if ($response->failed()) {
    throw new \Exception('Failed to fetch JWT public keys.');
}

$publicKeys = $response->json();

$cacheControl = $response->header('Cache-Control');
$maxAge = (int) (string) Str::of($cacheControl)->match('/max-age=(\d+)/');

Cache::put(self::CACHE_KEY, $publicKeys, now()->addSeconds($maxAge));
```

Decode and verify the JWT

Now, let's decode and verify the JWT by calling JWT::decode(). The third argument is the list of signing algorithms we allow. Firebase signs ID tokens with RS256 only, so the list should contain nothing else: php-jwt rejects a token whose alg header is not in this list, which is what stops an attacker from presenting a token signed with `none` or with HS256 using the public key as the secret.

```php
/**
 * The list of allowed signing algorithms used in the JWT.
 */
private const ALLOWED_ALGOS = ['RS256'];

$payload = JWT::decode($this->token, $keys, self::ALLOWED_ALGOS);
```

Validate the payload

We need to verify the header and payload following Firebase's official guide. JWT::decode() verifies most of the claims for us (the signature against the key selected by the kid header, the algorithm, exp, nbf and iat), but we need to verify aud, iss and sub manually, like below.

```php
private function validatePayload(object $payload, string $projectId): void
{
    if ($payload->aud !== $projectId) {
        throw new UnexpectedValueException("Invalid audience: {$payload->aud}");
    }

    if ($payload->iss !== "https://securetoken.google.com/{$projectId}") {
        throw new UnexpectedValueException("Invalid issuer: {$payload->iss}");
    }

    if (empty($payload->sub)) {
        throw new UnexpectedValueException('Payload subject is empty.');
    }
}
```

`sub` corresponds to the `uid` of the Firebase user.

Use it

Done! Finally, we can use the FirebaseToken class to decode and verify the Firebase JWT. I added a config entry for the Firebase project ID in config/services.php and pass it to verify():

```php
$payload = (new FirebaseToken($token))->verify($projectId);
```

You can use it in a custom auth guard in your Laravel application.
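The steps above fit together as follows. This is an added, complete version of the class written for this page, not the author's original file: it follows the fragments shown above, uses the php-jwt 5.x three-argument form of JWT::decode(), and additionally checks auth_time, which the Firebase guide requires but the page's class does not mention. The public key URL is the one documented by Firebase; the namespace, cache key name, and the 300-second fallback TTL are assumptions.

```php
<?php

namespace App\Auth;

use Firebase\JWT\JWT;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Str;
use UnexpectedValueException;

class FirebaseToken
{
    /** Google's X.509 certificates for Firebase ID tokens (URL from the Firebase guide). */
    private const PUBLIC_KEY_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';

    /** Cache key name is an assumption; any stable string will do. */
    private const CACHE_KEY = 'firebase.id_token.public_keys';

    /** Firebase signs ID tokens with RS256 only; listing nothing else blocks alg-confusion tokens. */
    private const ALLOWED_ALGOS = ['RS256'];

    private const ISSUER_PREFIX = 'https://securetoken.google.com/';

    private string $token;

    public function __construct(string $token)
    {
        $this->token = $token;
    }

    /**
     * Verify the ID token and return the decoded payload.
     *
     * @throws \Firebase\JWT\ExpiredException|\Firebase\JWT\SignatureInvalidException|UnexpectedValueException
     */
    public function verify(string $projectId): object
    {
        $keys = $this->publicKeys();

        // Checks the signature (key chosen by the kid header), the alg allow-list, exp, nbf and iat.
        $payload = JWT::decode($this->token, $keys, self::ALLOWED_ALGOS);

        $this->validatePayload($payload, $projectId);

        return $payload;
    }

    /** Returns a kid => PEM certificate map, cached for the max-age Google advertises. */
    private function publicKeys(): array
    {
        $cached = Cache::get(self::CACHE_KEY);
        if (is_array($cached)) {
            return $cached;
        }

        $response = Http::get(self::PUBLIC_KEY_URL);
        if ($response->failed()) {
            throw new \RuntimeException('Failed to fetch JWT public keys.');
        }

        $publicKeys = $response->json();

        // Str::match() returns a Stringable, so cast to string and then to int.
        $maxAge = (int) (string) Str::of((string) $response->header('Cache-Control'))->match('/max-age=(\d+)/');
        Cache::put(self::CACHE_KEY, $publicKeys, now()->addSeconds($maxAge ?: 300)); // 300 s fallback is an assumption

        return $publicKeys;
    }

    /** Claims php-jwt does not know about: aud, iss, sub and auth_time, per the Firebase guide. */
    private function validatePayload(object $payload, string $projectId): void
    {
        if (($payload->aud ?? null) !== $projectId) {
            throw new UnexpectedValueException('Invalid audience: ' . ($payload->aud ?? ''));
        }

        if (($payload->iss ?? null) !== self::ISSUER_PREFIX . $projectId) {
            throw new UnexpectedValueException('Invalid issuer: ' . ($payload->iss ?? ''));
        }

        // sub is the Firebase uid; it must be a non-empty string.
        if (empty($payload->sub) || ! is_string($payload->sub)) {
            throw new UnexpectedValueException('Payload subject is empty.');
        }

        // auth_time must be in the past (allowing php-jwt's configured clock-skew leeway).
        if (! isset($payload->auth_time) || ! is_numeric($payload->auth_time) || $payload->auth_time > time() + JWT::$leeway) {
            throw new UnexpectedValueException('Invalid auth_time.');
        }
    }
}
```

Install it with `composer require firebase/php-jwt`. In a guard you would call `(new FirebaseToken($bearerToken))->verify(config('services.firebase.project_id'))` and resolve the local user from `$payload->sub`; a key name such as `services.firebase.project_id` is whatever you put in config/services.php. If you are on php-jwt 6 or later, JWT::decode() no longer takes the algorithm list: wrap each certificate as `new \Firebase\JWT\Key($pem, 'RS256')` in the kid map and pass only the token and the map.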