public static function JWT::decode in Auth0 Single Sign On 8.2
Decodes a JWT string into a PHP object.
@uses jsonDecode @uses urlsafeB64Decode
Parameters
string $jwt The JWT:
string|array|resource $key The key, or map of keys.: If the algorithm used is asymmetric, this is the public key
array $allowed_algs List of supported verification algorithms: Supported algorithms are 'ES256', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
Return value
object The JWT's payload as a PHP object
Throws
UnexpectedValueException Provided JWT was invalid
SignatureInvalidException Provided JWT was invalid because the signature verification failed
BeforeValidException Provided JWT is trying to be used before it's eligible as defined by 'nbf'
BeforeValidException Provided JWT is trying to be used before it's been created as defined by 'iat'
ExpiredException Provided JWT has since expired, as defined by the 'exp' claim
1 call to JWT::decode()
- JWTVerifier::decodeToken in vendor/
auth0/ auth0-php/ src/ JWTVerifier.php - Wrapper for JWT::decode().
File
- vendor/
firebase/ php-jwt/ src/ JWT.php, line 74
Class
- JWT
- JSON Web Token implementation, based on this spec: https://tools.ietf.org/html/rfc7519
Namespace
Firebase\JWTCode
public static function decode($jwt, $key, array $allowed_algs = array()) {
$timestamp = \is_null(static::$timestamp) ? \time() : static::$timestamp;
if (empty($key)) {
throw new InvalidArgumentException('Key may not be empty');
}
$tks = \explode('.', $jwt);
if (\count($tks) != 3) {
throw new UnexpectedValueException('Wrong number of segments');
}
list($headb64, $bodyb64, $cryptob64) = $tks;
if (null === ($header = static::jsonDecode(static::urlsafeB64Decode($headb64)))) {
throw new UnexpectedValueException('Invalid header encoding');
}
if (null === ($payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64)))) {
throw new UnexpectedValueException('Invalid claims encoding');
}
if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
throw new UnexpectedValueException('Invalid signature encoding');
}
if (empty($header->alg)) {
throw new UnexpectedValueException('Empty algorithm');
}
if (empty(static::$supported_algs[$header->alg])) {
throw new UnexpectedValueException('Algorithm not supported');
}
if (!\in_array($header->alg, $allowed_algs)) {
throw new UnexpectedValueException('Algorithm not allowed');
}
if ($header->alg === 'ES256') {
// OpenSSL expects an ASN.1 DER sequence for ES256 signatures
$sig = self::signatureToDER($sig);
}
if (\is_array($key) || $key instanceof \ArrayAccess) {
if (isset($header->kid)) {
if (!isset($key[$header->kid])) {
throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
}
$key = $key[$header->kid];
}
else {
throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
}
}
// Check the signature
if (!static::verify("{$headb64}.{$bodyb64}", $sig, $key, $header->alg)) {
throw new SignatureInvalidException('Signature verification failed');
}
// Check the nbf if it is defined. This is the time that the
// token can actually be used. If it's not yet that time, abort.
if (isset($payload->nbf) && $payload->nbf > $timestamp + static::$leeway) {
throw new BeforeValidException('Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->nbf));
}
// Check that this token has been created before 'now'. This prevents
// using tokens that have been created for later use (and haven't
// correctly used the nbf claim).
if (isset($payload->iat) && $payload->iat > $timestamp + static::$leeway) {
throw new BeforeValidException('Cannot handle token prior to ' . \date(DateTime::ISO8601, $payload->iat));
}
// Check if this token has expired.
if (isset($payload->exp) && $timestamp - static::$leeway >= $payload->exp) {
throw new ExpiredException('Expired token');
}
return $payload;
}