kreait/firebase-tokens

Release 4.3.0

A library to work with Firebase tokens

Homepage Repository Packagist PHP

Keywords
Authentication, google, auth, token, firebase, firebase-tokens, jwt, php, php-library, php7
License
MIT

Documentation

Firebase Tokens

A library to work with Google Firebase tokens. You can use it to create custom tokens and verify ID Tokens.

Achieve more with the Firebase Admin SDK for PHP (which uses this library).

Current version Supported PHP version Monthly Downloads Total Downloads Tests Sponsor

The future of the Firebase Admin PHP SDK

Please read about the future of the Firebase Admin PHP SDK on the SDK's GitHub Repository.

Installation

composer require kreait/firebase-tokens

Simple usage

Create a custom token

More information on what a custom token is and how it can be used can be found in Google's official documentation.

<?php

use Kreait\Firebase\JWT\CustomTokenGenerator;

$clientEmail = '...';
$privateKey = '...';

$generator = CustomTokenGenerator::withClientEmailAndPrivateKey($clientEmail, $privateKey);
$token = $generator->createCustomToken('uid', ['first_claim' => 'first_value' /* ... */]);

echo $token;
// Output: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.e...

Verify an ID token

The ID token verification methods included in the Firebase Admin SDKs are meant to verify ID tokens that come from the client SDKs, not the custom tokens that you create with the Admin SDKs. See Auth tokens for more information.

<?php

use Kreait\Firebase\JWT\Error\IdTokenVerificationFailed;
use Kreait\Firebase\JWT\IdTokenVerifier;

$projectId = '...';
$idToken = 'eyJhb...'; // An ID token given to your backend by a Client application

$verifier = IdTokenVerifier::createWithProjectId($projectId);

try {
    $token = $verifier->verifyIdToken($idToken);
} catch (IdTokenVerificationFailed $e) {
    echo $e->getMessage();
    // Example Output:
    // The value 'eyJhb...' is not a verified ID token:
    // - The token is expired.
    exit;
}

try {
    $token = $verifier->verifyIdTokenWithLeeway($idToken, $leewayInSeconds = 10000000);
} catch (IdTokenVerificationFailed $e) {
    print $e->getMessage();
    exit;
}

Verify a Session Cookie

Session cookie verification is similar to ID Token verification.

See Manage Session Cookies for more information.

<?php

use Kreait\Firebase\JWT\Error\SessionCookieVerificationFailed;
use Kreait\Firebase\JWT\SessionCookieVerifier;

$projectId = '...';
$sessionCookie = 'eyJhb...'; // A session cookie given to your backend by a Client application

$verifier = SessionCookieVerifier::createWithProjectId($projectId);

try {
    $token = $verifier->verifySessionCookie($sessionCookie);
} catch (SessionCookieVerificationFailed $e) {
    echo $e->getMessage();
    // Example Output:
    // The value 'eyJhb...' is not a verified ID token:
    // - The token is expired.
    exit;
}

try {
    $token = $verifier->verifySessionCookieWithLeeway($sessionCookie, $leewayInSeconds = 10000000);
} catch (SessionCookieVerificationFailed $e) {
    print $e->getMessage();
    exit;
}

Tokens

Tokens returned from the Generator and Verifier are instances of \Kreait\Firebase\JWT\Contract\Token and represent a JWT. The displayed outputs are examples and vary depending on the information associated with the given user in your project's auth database.

According to the JWT specification, you can expect the following payload fields to be always available: iss, aud, auth_time, sub, iat, exp. Other fields depend on the authentication method of the given account and the information stored in your project's Auth database.

$token = $verifier->verifyIdToken('eyJhb...'); // An ID token given to your backend by a Client application

echo json_encode($token->headers(), JSON_PRETTY_PRINT);
// {
//     "alg": "RS256",
//     "kid": "e5a91d9f39fa4de254a1e89df00f05b7e248b985",
//     "typ": "JWT"
// }                                                   

echo json_encode($token->payload(), JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
// {
//     "name": "Jane Doe",
//     "picture": "https://domain.tld/picture.jpg",
//     "iss": "https://securetoken.google.com/your-project-id",
//     "aud": "your-project-id",
//     "auth_time": 1580063945,
//     "user_id": "W0IturDwy4TYTmX6ilkd2ZbAXRp2",
//     "sub": "W0IturDwy4TYTmX6ilkd2ZbAXRp2",
//     "iat": 1580063945,
//     "exp": 1580067545,
//     "email": "jane@doe.tld",
//     "email_verified": true,
//     "phone_number": "+1234567890",
//     "firebase": {
//         "identities": {
//             "phone": [
//                 "+1234567890"
//             ],
//             "email": [
//                 "jane@doe.tld"
//             ]
//         },
//         "sign_in_provider": "custom"
//     }
// }

echo $token->toString();
// eyJhb...

$tokenString = (string) $token; // string
// eyJhb...

Tenant Awareness

You can create custom tokens that are scoped to a given tenant:

<?php

use Kreait\Firebase\JWT\CustomTokenGenerator;

$generator = CustomTokenGenerator::withClientEmailAndPrivateKey('...', '...');

$tenantAwareGenerator = $generator->withTenantId('my-tenant-id');

Similarly, you can verify that ID tokens were issued in the scope of a given tenant:

<?php

use Kreait\Firebase\JWT\IdTokenVerifier;

$verifier = IdTokenVerifier::createWithProjectId('my-project-id');

$tenantAwareVerifier = $verifier->withExpectedTenantId('my-tenant-id');

Session cookies currently don't support tenants.

Advanced usage

Cache results from the Google Secure Token Store

In order to verify ID tokens, the verifier makes a call to fetch Firebase's currently available public keys. The keys are cached in memory by default.

If you want to cache the public keys more effectively, you can initialize the verifier with an implementation of psr/simple-cache or psr/cache to reduce the amount of HTTP requests to Google's servers.

Here's an example using the Symfony Cache Component:

use Kreait\Firebase\JWT\IdTokenVerifier;
use Symfony\Component\Cache\Adapter\FilesystemAdapter;

$cache = new FilesystemAdapter();

$verifier = IdTokenVerifier::createWithProjectIdAndCache($projectId, $cache);

Supported Versions

Only the latest version is actively supported.

Earlier versions will receive security fixes as long as their lowest PHP requirement receives security fixes. For example, when a version supports PHP 7.4 and PHP 8.0, security support will end when security support for PHP 7.4 ends.

Version Initial Release Supported PHP Versions Status
5.x 25 Nov 2023 ~8.2.0, ~8.3.0 Active
4.x 26 Nov 2022 ~8.1.0, ~8.2.0 Security Support
3.x 25 Apr 2022 ^7.4, ^8.0 End of life
2.x 03 Jan 2022 ^7.4, ^8.0 End of life
1.x 06 Feb 2017 >=5.5 End of life

License

The MIT License (MIT). Please see License File for more information.

The maintainers of this project get paid by Tidelift to make sure it meets pre-defined standards around security, maintenance and licensing.

Want to learn more? Chat with an expert at Tidelift.

Stats

Dependencies
8
Dependent packages
10
Dependent repositories
96
Total releases
47
Latest release
First release
Stars
204
Forks
32
Watchers
5
Contributors
11
Repository size
466 KB
SourceRank
15

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

4.3.0
5.0.1
5.0.0
4.2.0
4.1.0
4.0.0
3.0.3
1.17.0
1.16.3
2.3.1
See all 47 releases

Contributors

Jérôme Gamez dependabot[bot] github-actions[bot] Suhwan Cha Ahmad Malik Tim Zandbergen Daniel Gimenes bereczi Witold Wasiczko Luiz Henrique Gomes Palácio


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2023-12-02 00:10:53 UTC

Login to resync this project