This bundle requires Symfony 2.3+ (and the OpenSSL library if you intend to use the default provided encoder).
Protip: Though the bundle doesn't enforce you to do so, it is highly recommended to use HTTPS.
Require lexik/jwt-authentication-bundle
into your composer.json file:
{
"require": {
"lexik/jwt-authentication-bundle": "@stable"
}
}Protip: you should browse the
lexik/jwt-authentication-bundle
page to choose a stable version to use, avoid the @stable meta constraint.
Register the bundle in app/AppKernel.php:
public function registerBundles()
{
return array(
// ...
new Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle(),
);
}Generate the SSH keys :
$ openssl genrsa -out app/var/jwt/private.pem -aes256 4096
$ openssl rsa -pubout -in app/var/jwt/private.pem -out app/var/jwt/public.pemConfigure the SSH keys path in your config.yml :
lexik_jwt_authentication:
private_key_path: %kernel.root_dir%/var/jwt/private.pem # ssh private key path
public_key_path: %kernel.root_dir%/var/jwt/public.pem # ssh public key path
pass_phrase: '' # ssh key pass phrase
token_ttl: 86400 # token ttl - defaults to 86400Confgure your security.yml :
firewalls:
login:
pattern: ^/api/login
stateless: true
anonymous: true
form_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api:
pattern: ^/api
stateless: true
lexik_jwt: ~
access_control:
- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }As stated in this link and this one, Apache server will strip any Authorization header not in a valid HTTP BASIC AUTH format.
If you intend to use the authorization header mode of this bundle (and you should), please add those rules to your VirtualHost configuration :
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]The first step is to authenticate the user using its credentials. A classical form_login on an anonymously accessible firewall will do perfect.
Just set the provided lexik_jwt_authentication.handler.authentication_success service as success handler to
generate the token and send it as part of a json response body.
Store it (client side), the JWT is reusable until its ttl has expired (86400 seconds by default).
Simply pass the JWT on each request to the protected firewall, either as an authorization header or as a query parameter.
By default only the authorization header mode is enabled : Authorization: Bearer {token}
See configuration reference document to enable query string parameter mode or change the header value prefix.
See Functionally testing a JWT protected api document or the sandbox application for a fully working example.
Each request after token expiration will result in a 401 response. Redo the authentication process to obtain a new token.
This is more of a Symfony2 related topic, but see Working with CORS requests document to get a quick explanation on handling CORS requests.
Using form_login security factory is very straightforward but it involves cookies exchange, even if the stateless parameter is set to true.
This may not be a problem depending on the system that makes calls to your API (like a typical SPA). But if it is, take a look at the GfreeauGetJWTBundle, which provides a stateless replacement for form_login.
The following documents are available: