JWT - JSON Web Tokens
In this project tutorial we will learn to generate and verify JWTs (JSON Web Tokens) for users using the firebase/php-jwt package.
In the introduction tutorial of this project we went through the setup process. Feel free to check that out.
A JSON Web Token consists of three parts - Header, Payload and Signature. Each part is base64url encoded and the three are joined with dots, so a token looks like header.payload.signature. The signature is computed over the first two parts, which is what lets the server detect a token that has been altered or that it did not issue.
For this project the header is set to the following.
{ "typ": "JWT", "alg": "HS256" }
The payload will look something like the following.
{ "userid": "u1", "iat": 1523798197, "exp": 1523798257 }
Where, userid stores the user ID of the user that logs in.
iat stands for issued at and it is the time (a Unix timestamp in seconds) at which the JWT was issued.
exp stands for expiration time and it is the time (again a Unix timestamp) after which the JWT will no longer be valid; the server rejects the token once the current time reaches exp.
Keep in mind that the payload is only base64url encoded, not encrypted. Anyone who holds the token can read these claims, so never put passwords or other secrets in the payload.
For this project I am using this-is-the-secret as the secret for the JWT signature. That is a demo value only. In a real deployment the HS256 secret should be a long random value (at least 32 bytes), loaded from an environment variable or a secret store rather than written into the code, because anyone who learns it can mint tokens for any user.
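To make the three parts concrete, here is an added example (written for this page, not code from the tutorial or from the firebase/php-jwt library) that builds and verifies an HS256 token by hand with only PHP's hash_hmac(), using the same demo secret and claims as above. It also shows the two checks a verifier must never skip: the signature no longer matches once the payload is altered, and the token is refused once exp has passed. The algorithm is pinned to HS256 on the server side so a header claiming "none" or anything else is rejected before any signature comparison.

```php
<?php
// Added example (not from the original page or the firebase/php-jwt library):
// a minimal HS256 JWT encoder and verifier written from scratch so the three
// parts of the token, and what the signature protects, are visible.
// The secret and the claims below are constructed for the demo.

declare(strict_types=1);

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}

// Build header.payload.signature where signature = HMAC-SHA256(header.payload, secret).
function jwt_sign_hs256(array $payload, string $secret): string
{
    $header  = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $claims  = base64url_encode(json_encode($payload));
    $signing = $header . '.' . $claims;
    $sig     = base64url_encode(hash_hmac('sha256', $signing, $secret, true));
    return $signing . '.' . $sig;
}

// Verify and return the claims, or throw. The accepted algorithm is fixed here,
// never taken from the token, and hash_equals() gives a constant-time comparison.
function jwt_verify_hs256(string $jwt, string $secret, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('Wrong number of segments');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new UnexpectedValueException('Algorithm not allowed');
    }
    $expected = base64url_encode(hash_hmac('sha256', $h . '.' . $p, $secret, true));
    if (!hash_equals($expected, $s)) {
        throw new UnexpectedValueException('Signature verification failed');
    }
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims)) {
        throw new UnexpectedValueException('Invalid claims encoding');
    }
    if (isset($claims['exp']) && $now >= (int) $claims['exp']) {
        throw new UnexpectedValueException('Expired token');
    }
    return $claims;
}

// --- demo ---
$secret   = 'this-is-the-secret';   // demo secret from the tutorial
$issuedAt = 1523798197;             // constructed timestamp
$token = jwt_sign_hs256(['userid' => 'u1', 'iat' => $issuedAt, 'exp' => $issuedAt + 60], $secret);
echo $token, PHP_EOL;

// Accepted while still inside the 60-second window.
print_r(jwt_verify_hs256($token, $secret, $issuedAt + 10));

// Re-encode the payload with userid changed to u2 but keep the old signature:
// the HMAC no longer matches and the verifier throws.
[$h, $p, $s] = explode('.', $token);
$forged = base64url_encode(json_encode(['userid' => 'u2', 'iat' => $issuedAt, 'exp' => $issuedAt + 60]));
try {
    jwt_verify_hs256("$h.$forged.$s", $secret, $issuedAt + 10);
} catch (UnexpectedValueException $e) {
    echo 'forged token: ', $e->getMessage(), PHP_EOL;
}

// The untouched token is refused once the clock reaches exp.
try {
    jwt_verify_hs256($token, $secret, $issuedAt + 61);
} catch (UnexpectedValueException $e) {
    echo 'stale token: ', $e->getMessage(), PHP_EOL;
}
```

Run it with php on the command line. The header segment it prints is the same eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 that appears in the tokens later on this page, because json_encode() produces exactly the header shown above.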
To keep things simple I am saving the user details in an array. You can save the details in a database table and retrieve them if you want.
Check out my jwt-codeigniter-project if you want database involvement and all the other cool stuff.
Alright, back to this project.
In the following array we have two user accounts.
/**
 * FOR DEMO PURPOSE
 * I have created two accounts
 * Password of the accounts: root1234
 */
$userAccountArr = array(
    array(
        "userid" => "u1",
        "email" => "yusufshakeel@example.com",
        "password" => "$2y$12$3PfY4lNCR62/HH9aNGZFcebloX1gACQIbWeHfTwb8hKhMXfymiNLq",
        "firstname" => "Yusuf",
        "lastname" => "Shakeel"
    ),
    array(
        "userid" => "u2",
        "email" => "user@example.com",
        "password" => "$2y$12$3PfY4lNCR62/HH9aNGZFcebloX1gACQIbWeHfTwb8hKhMXfymiNLq",
        "firstname" => "Example",
        "lastname" => "User"
    )
);
You will find the complete code of this project in my GitHub repository jwt-php-project.
The user will enter one of the registered email addresses and the password to log in.
The stored password is a bcrypt hash (the $2y$ prefix), not the password itself. If the email is found and the submitted password matches the stored hash (password_verify() in PHP), we use the following code to generate the JSON Web Token.
$issuedAt = time();
$expirationTime = $issuedAt + 60; // jwt valid for 60 seconds from the issued time
$payload = array(
    'userid' => $userid,
    'iat' => $issuedAt,
    'exp' => $expirationTime
);
$key = JWT_SECRET;
$alg = 'HS256';
$jwt = JWT::encode($payload, $key, $alg);
Where, the $userid variable holds the user ID of the user who logged in.
JWT_SECRET is a constant and it holds the value this-is-the-secret.
We are using the HMAC SHA256 algorithm for the signature part of the JWT.
We are using the JWT::encode() method and passing the three arguments $payload, $key and $alg to generate the JWT.
In the above code we are setting the expiration time of the JWT to 60 seconds from the issued time. Feel free to change that to whatever you like, but keep the lifetime short: this project has no way to revoke a token once issued, so the lifetime is the only limit on how long a leaked token stays usable.
To verify a JWT that the client sends back with later requests we will use the JWT::decode() method.
JWT::decode($jwt, $key, array('HS256'));
In the above code $jwt holds the JSON Web Token value and $key holds the same secret that was used to sign it. The third argument is the list of algorithms the server will accept, here only HMAC SHA256. Keep this list fixed on the server and never take the algorithm from the token's own header; otherwise a client could choose a weaker algorithm or "none".
JWT::decode() checks the signature and the nbf, iat and exp claims. On success it returns the payload as an object; on failure it throws an exception (for example Firebase\JWT\ExpiredException or Firebase\JWT\SignatureInvalidException) instead of returning anything, so the call must be wrapped in try/catch and a failure answered with HTTP 401.
The three-argument form above is the firebase/php-jwt 5.x API. From version 6 the call is JWT::decode($jwt, new Key($key, 'HS256')) using the Firebase\JWT\Key class; JWT::encode() is unchanged.
For this demo project I have created two APIs. The first one validates the user's login credentials and the second one fetches the user's details using the JWT issued for the logged in user.
For the login API we are passing the registered email address and password.
{ "email": "yusufshakeel@example.com", "password": "root1234" }
The API URL is http://localhost/jwt-php-project/api/user and the method is POST.
Your API URL may change depending on your development server settings. Because the password travels in the request body, serve the API over HTTPS anywhere other than your local machine.
On success we will get back the following response from the localhost server.
{ "code": 200, "status": "success", "message": "Valid login credentials.", "userid": "u1", "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyaWQiOiJ1MSIsImlhdCI6MTUyMzgwMDk0NSwiZXhwIjoxNTIzODAxMDA1fQ.zz4bkTjU5K_RukfHkKjD2t-HvR73RlAsVoPShEW3fN8" }
For the fetch user API we are passing the JWT value in the URL as the jwt query parameter.
A sample request with the jwt parameter will look like the following.
http://localhost/jwt-php-project/api/user?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyaWQiOiJ1MSIsImlhdCI6MTUyMzgwMDk0NSwiZXhwIjoxNTIzODAxMDA1fQ.zz4bkTjU5K_RukfHkKjD2t-HvR73RlAsVoPShEW3fN8
The query string is kept here only to keep the demo simple. Query strings are written to web server and proxy access logs, browser history and Referer headers, so a token sent this way can leak. The usual place for the token is the Authorization request header, as Authorization: Bearer <jwt>, which carries the same value without being logged by default.
On success, we will get the following response from the localhost server.
{ "code": 200, "status": "success", "data": { "userid": "u1", "email": "yusufshakeel@example.com", "firstname": "Yusuf", "lastname": "Shakeel" }, "jwt_payload": { "userid": "u1", "iat": 1523800945, "exp": 1523801005 } }
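The two APIs above, the login API that issues the token and the fetch user API that checks it, as one added example written for this page rather than the project's own code. It assumes firebase/php-jwt 5.x installed with Composer (vendor/autoload.php) and models each API as a plain function that returns the response array, so the same code can sit behind a front controller or a test. The demo accounts are constructed and their bcrypt hash is generated at startup. It departs from the demo in three ways a practitioner would want: the token is read from the Authorization header rather than the query string, JWT::decode() failures are caught and turned into a 401, and the login failure message is the same whether the email or the password was wrong, so the endpoint does not reveal which addresses are registered.

```php
<?php
// Added example (not the tutorial's own code): the login and fetch user APIs
// as plain PHP functions. Assumes firebase/php-jwt 5.x via Composer.
// With php-jwt 6.x, decode() takes new \Firebase\JWT\Key(JWT_SECRET, 'HS256') instead.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\ExpiredException;

const JWT_SECRET = 'this-is-the-secret';   // demo secret from the tutorial; load from env in production
const JWT_TTL    = 60;                     // seconds, as in the tutorial

// Constructed demo accounts; the hash is produced here rather than copied in.
function demoAccounts(): array
{
    $hash = password_hash('root1234', PASSWORD_BCRYPT, ['cost' => 12]);
    return [
        ['userid' => 'u1', 'email' => 'yusufshakeel@example.com', 'password' => $hash, 'firstname' => 'Yusuf', 'lastname' => 'Shakeel'],
        ['userid' => 'u2', 'email' => 'user@example.com', 'password' => $hash, 'firstname' => 'Example', 'lastname' => 'User'],
    ];
}

function findByEmail(array $accounts, string $email): ?array
{
    foreach ($accounts as $account) {
        if ($account['email'] === $email) {
            return $account;
        }
    }
    return null;
}

// POST /api/user: verify credentials and issue a token. One generic failure
// response covers both "unknown email" and "wrong password".
function loginApi(array $accounts, array $body): array
{
    $account = findByEmail($accounts, (string) ($body['email'] ?? ''));
    if ($account === null || !password_verify((string) ($body['password'] ?? ''), $account['password'])) {
        return ['code' => 401, 'status' => 'error', 'message' => 'Invalid login credentials.'];
    }
    $issuedAt = time();
    $payload  = ['userid' => $account['userid'], 'iat' => $issuedAt, 'exp' => $issuedAt + JWT_TTL];
    return [
        'code' => 200, 'status' => 'success', 'message' => 'Valid login credentials.',
        'userid' => $account['userid'],
        'jwt' => JWT::encode($payload, JWT_SECRET, 'HS256'),
    ];
}

// Take the token from "Authorization: Bearer <jwt>" rather than the query string,
// so it stays out of access logs, browser history and Referer headers.
function bearerToken(?string $authorization): ?string
{
    if ($authorization !== null && preg_match('/^Bearer\s+(\S+)$/i', trim($authorization), $m)) {
        return $m[1];
    }
    return null;
}

// GET /api/user: authenticate with the token and return the profile without the hash.
function fetchUserApi(array $accounts, ?string $authorization): array
{
    $jwt = bearerToken($authorization);
    if ($jwt === null) {
        return ['code' => 401, 'status' => 'error', 'message' => 'Missing bearer token.'];
    }
    try {
        // Accepted algorithms are fixed here; the token's own "alg" header is never trusted.
        $claims = JWT::decode($jwt, JWT_SECRET, ['HS256']);
    } catch (ExpiredException $e) {
        return ['code' => 401, 'status' => 'error', 'message' => 'Token expired.'];
    } catch (\Exception $e) {   // bad signature, disallowed alg, malformed token, not yet valid
        return ['code' => 401, 'status' => 'error', 'message' => 'Invalid token.'];
    }
    foreach ($accounts as $account) {
        if ($account['userid'] === ($claims->userid ?? null)) {
            unset($account['password']);   // never return the hash to the client
            return ['code' => 200, 'status' => 'success', 'data' => $account, 'jwt_payload' => (array) $claims];
        }
    }
    return ['code' => 404, 'status' => 'error', 'message' => 'User not found.'];
}

// Demo run: log in, call the protected API with the issued token, then with garbage.
$accounts = demoAccounts();
$login = loginApi($accounts, ['email' => 'yusufshakeel@example.com', 'password' => 'root1234']);
echo json_encode($login, JSON_PRETTY_PRINT), PHP_EOL;
if ($login['code'] === 200) {
    echo json_encode(fetchUserApi($accounts, 'Bearer ' . $login['jwt']), JSON_PRETTY_PRINT), PHP_EOL;
}
echo json_encode(fetchUserApi($accounts, 'Bearer not.a.token'), JSON_PRETTY_PRINT), PHP_EOL;
```

In a real front controller the $body array comes from json_decode(file_get_contents('php://input'), true) and the header from $_SERVER['HTTP_AUTHORIZATION']; both are left out here so the functions stay callable from a test.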
You will find the complete code in the jwt-php-project GitHub repository.
In the next tutorial we will write some JavaScript to send and receive data from the server via the APIs.