What PHP developers need to know about JSON Web Tokens

1. @mooreds
JWTs:
What PHP developers
need to know
Dan Moore
Longhorn PHP
Nov 2023
1

2. @mooreds
2

3. @mooreds
About FusionAuth
● FusionAuth is the authentication and authorization
platform built for developers, by developers.
● FusionAuth solves the problem of building essential
user security without adding risk or distracting from
the primary application.
3

4. @mooreds
About Me
4

5. @mooreds
About Me
● Who cares
5

6. @mooreds
What I’ll Cover
● JWTs in brief
6

7. @mooreds
What I’ll Cover
● JWTs in brief
● The problem they solve
7

8. @mooreds
What I’ll Cover
● JWTs in brief
● The problem they solve
● Validation
8

9. @mooreds
What I’ll Cover
● JWTs in brief
● The problem they solve
● Validation
● Bearer tokens
9

10. @mooreds
What I’ll Cover
● JWTs in brief
● The problem they solve
● Validation
● Bearer tokens
● Footguns/common issues
10

11. @mooreds
What I’ll Cover
● JWTs in brief
● The problem they solve
● Validation
● Bearer tokens
● Footguns/common issues
● Refresh tokens
11

12. @mooreds
What I’ll Cover
● JWTs in brief
● The problem they solve
● Validation
● Bearer tokens
● Footguns/common issues
● Refresh tokens
● JWT revocation
12

13. @mooreds
JWTs
…Briefly
13

14. @mooreds
JWTs Briefly
● JSON Web Token
14

15. @mooreds
JWTs Briefly
● JSON Web Token
● Pronounced ‘jot’
15

16. @mooreds
JWTs Briefly
● JSON Web Token
● Pronounced ‘jot’
● Standard - RFC 7519
16

17. @mooreds
JWTs Briefly
● JSON Web Token
● Pronounced ‘jot’
● Standard - RFC 7519
● Signed or encrypted
17

18. @mooreds
JWTs Briefly
● JSON Web Token
● Pronounced ‘jot’
● Standard - RFC 7519
● Signed or encrypted
● Stateless, portable tokens of identity
18

19. @mooreds
JWTs Briefly
● JSON Web Token
● Pronounced ‘jot’
● Standard - RFC 7519
● Signed or encrypted
● Stateless, portable tokens of identity
● Great for APIs and microservices
19

20. @mooreds
JWTs Briefly
● JSON Web Token
● Pronounced ‘jot’
● Standard - RFC 7519
● Signed or encrypted
● Stateless, portable tokens of identity
● Great for APIs and microservices
● Produced by many Identity Providers
20

21. @mooreds
JWTs Briefly
● JSON Web Token
● Pronounced ‘jot’
● Standard - RFC 7519
● Signed or encrypted
● Stateless, portable tokens of identity
● Great for APIs and microservices
● Produced by many Identity Providers
● Widely supported
21

22. @mooreds
The Problem
22

23. @mooreds
23
User API
Todo API
users
todos

24. @mooreds
24
User API
users user_roles roles

25. @mooreds
25
Todo API
todos

26. @mooreds
26
CREATE TABLE todos (
id INT NOT NULL,
text TEXT NOT NULL,
status INT NOT NULL,
user_id CHAR(40) NOT NULL,
PRIMARY KEY (id)
);

27. @mooreds
27
User API
POST /login
???

28. @mooreds
Solutions
28

29. @mooreds
29
User API
POST /login
???

30. @mooreds
30
User API
POST /login
user
42
users

31. @mooreds
31
User API
POST /login
User as JSON
user
42
users

32. @mooreds
32
{
"user": {
"id": "42",
"name": "Dan Moore",
"email": "dan@fusionauth.io",
"roles": ["admin"]
}
}

33. @mooreds
33
user
42 Todo API
GET /todos?user_id=42
JSON todos

34. @mooreds
Good
Idea?
34

35. @mooreds
Danger Will Robinson!!
35

36. @mooreds
36
user
42 Todo API
GET /todos?user_id=1
JSON todos

37. @mooreds
A Different
Approach
37

38. @mooreds
38
User API
Todo API
users
todos
user
T

39. @mooreds
39
User API
Todo API
users
todos
user
user
T
T

40. @mooreds
40
User API
Todo API
users
todos
user
user
T
T
T

41. @mooreds
41
User API
Todo API
users
todos
user
user
T
T
T
GET /token/T User as JSON

42. @mooreds
42
User API
Todo API
users
todos
user
user
T
T
T
Todo data

43. @mooreds
Opaque Tokens
● There must be a User -> Token mapping
● In memory or in database
● Can be very chatty
● Couples the User API to EVERYTHING (almost)
● This is OAuth Introspection (RFC 7662)
43

44. @mooreds
JWTs To
The Rescue
44

45. @mooreds
45
User API
Todo API
users
todos
user
J
W
T

46. @mooreds
46
User API
Todo API
users
todos
user
user
J
W
T
J
W
T

47. @mooreds
47
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T

48. @mooreds
48
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T
Todo data

49. @mooreds
JWT Benefits
● Signed
○ Public/private key pair
○ Symmetric key
49

50. @mooreds
JWT Benefits
● Signed
○ Public/private key pair
○ Symmetric key
● Validated by Todo API without calling User API
50

51. @mooreds
JWT Benefits
● Signed
○ Public/private key pair
○ Symmetric key
● Validated by Todo API without calling User API
● Contains roles and other metadata
51

52. @mooreds
JWTs
Under the Microscope
52

53. @mooreds
53
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJmdXNpb25hdXRoLml
vIiwiZXhwIjoxNjE5NTU1MDE4LCJhdWQiOiIyMzhkNDc5My03MGRlLTQxODMtO
TcwNy00OGVkOGVjZDE5ZDkiLCJzdWIiOiIxOTAxNmI3My0zZmZhLTRiMjYtODB
kOC1hYTkyODc3Mzg2NzciLCJuYW1lIjoiRGFuIE1vb3JlIiwibWVtYmVyc2hpc
EV4cGlyZWQiOmZhbHNlLCJyb2xlcyI6WyJSRVRSSUVWRV9UT0RPUyIsIkFETUl
OIl19.cPL36Al_8eT7YQVowIOruitxXb0n8w4DKaWVthfEwfc

54. @mooreds
54
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
=
{
"alg": "HS256",
"typ": "JWT"
}

55. @mooreds
55
eyJpc3MiOiJmdXNpb25hdXRoLmlvIiwiZXhwIjoxNjE5NTU1MDE4LCJhdWQiOiIyMzhkNDc5My03MGRlLTQxODMtOTcwNy00OGVkOGVjZDE5ZDkiLCJzdWIiOiIxOTAxNmI3
My0zZmZhLTRiMjYtODBkOC1hYTkyODc3Mzg2NzciLCJuYW1lIjoiRGFuIE1vb3JlIiwibWVtYmVyc2hpcEV4cGlyZWQiOmZhbHNlLCJyb2xlcyI6WyJSRVRSSUVWRV9UT0RP
UyIsIkFETUlOIl19
=
{
"iss": "fusionauth.io",
"exp": 1619555018,
"aud": "238d4793-70de-4183-9707-48ed8ecd19d9",
"sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
"name": "Dan Moore",
"roles": ["RETRIEVE_TODOS", "ADMIN"]
}

56. @mooreds
56
cPL36Al_8eT7YQVowIOruitxXb0n8w4DKaWVthfEwfc
=
Signature

57. @mooreds
Signature Generation
● Cryptographic operation(Header + Body)
57

58. @mooreds
Signature Generation
● Cryptographic operation(Header + Body)
● Operation varies by algorithm
58

59. @mooreds
JWT
Validation
59

60. @mooreds
60
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T

61. @mooreds
Validate The Signature
61

62. @mooreds
Validate The Signature
● Use a library
62

63. @mooreds
Validate The Signature
● Use a library
● If it doesn’t match, STOP
63

64. @mooreds
Validate The Claims
64

65. @mooreds
Validate The Claims
● Business logic
65

66. @mooreds
Validate The Claims
● Business logic
● You must write
66

67. @mooreds
67
{
"iss": "fusionauth.io",
"exp": 1619555018,
"aud": "238d4793-70de-4183-9707-48ed8ecd19d9",
"sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
"name": "Dan Moore",
"roles": ["RETRIEVE_TODOS", "ADMIN"]
}

68. @mooreds
68
{
"iss": "fusionauth.io",
"exp": 1619555018,
"aud": "238d4793-70de-4183-9707-48ed8ecd19d9",
"sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
"name": "Dan Moore",
"roles": ["RETRIEVE_TODOS", "ADMIN"]
}

69. @mooreds
69
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T

70. @mooreds
70
{
"iss": "fusionauth.io",
"exp": 1619555018,
"aud": "238d4793-70de-4183-9707-48ed8ecd19d9",
"sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
"name": "Dan Moore",
"roles": ["RETRIEVE_TODOS", "ADMIN"]
}

71. @mooreds
71
{
"iss": "fusionauth.io",
"exp": 1619555018,
"aud": "238d4793-70de-4183-9707-48ed8ecd19d9",
"sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
"name": "Dan Moore",
"roles": ["RETRIEVE_TODOS", "ADMIN"]
}

72. @mooreds
72
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T

73. @mooreds
73
User API
Todo API
users
todos
bad
user
J
W
T
J
W
T
Accounting
API
Accounting
API
Accounting
API
J
W
T

74. @mooreds
74
User API
Todo API
users
todos
bad
user
J
W
T
J
W
T
Accounting
API
Accounting
API
Accounting
API
J
W
T

75. @mooreds
Code
75

76. @mooreds
Bearer
Tokens
76

77. @mooreds
77
Todo API
todos
bad
J
W
T
J
W
T

78. @mooreds
Token Storage
● Prefer server side
○ Known as the BFF, or backend for front end, pattern
78

79. @mooreds
Token Storage
● Prefer server side
○ Known as the BFF, or backend for front end, pattern
● HttpOnly, secure cookie in browser
○ Watch out for XSS
79

80. @mooreds
Token Storage
● Prefer server side
○ Known as the BFF, or backend for front end, pattern
● HttpOnly, secure cookie in browser
○ Watch out for XSS
● Secure storage on mobile
80

81. @mooreds
Common
Issues
81

82. @mooreds
Incorrect Validation
● Use a library
○ There are lots out there
● Check your claims
○ Standard
○ Custom
82

83. @mooreds
Putting Secrets In a JWT
● Base64 encoded JSON
○ Integrity guaranteed
○ Not secrecy
● Can leak information
83

84. @mooreds
Using HMAC Without a Good Key
● Susceptible to brute force
○ https://github.com/brendan-rius/c-jwt-cracker
84

85. @mooreds
Using The “none” Algorithm
● No signature
85

86. @mooreds
Using The “none” Algorithm
● No signature == no integrity check
86

87. @mooreds
87
eyJhbGciOiJub25lIn0.eyJpc3MiOiJmdXNpb25hdXRoLmlvIi
wiZXhwIjoxNTg5MjI3NDgwLCJhdWQiOiIyMzhkNDc5My03MGR
lLTQxODMtOTcwNy00OGVkOGVjZDE5ZDkiLCJzdWIiOiIxOTAx
NmI3My0zZmZhLTRiMjYtODBkOC1hYTkyODc3Mzg2NzciLCJuY
W1lIjoiRGFuIE1vb3JlIiwicm9sZXMiOlsiUkVUUklFVkVfVE
9ET1MiXX0.

88. @mooreds
Using The “none” Algorithm
● Unsanitized credentials!
88

89. @mooreds
Asymmetric
Keypairs
89

90. @mooreds
90
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T
S
S

91. @mooreds
Asymmetric Keypairs Avoid This
● The private key signs the JWT
● The public key is used to verify it
91

92. @mooreds
Why does that matter?
● Scale
92

93. @mooreds
93
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T
Org ABC
Org DEF

94. @mooreds
Why does that matter?
● Scale
● Security
94

95. @mooreds
95
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T

96. @mooreds
96
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T

97. @mooreds
Why Not?
● Slower
97

98. @mooreds
Why Not?
● Slower
● More complex
98

99. @mooreds
Sharing Public Keys
99

100. @mooreds
100
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T
Needs the
Public Key

101. @mooreds
Sharing Public Keys
● Distribute the keys
101

102. @mooreds
102
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T
PK

103. @mooreds
Sharing Public Keys
● Distribute the keys
● JWKS, another standard (RFC 7517)
103

104. @mooreds
104
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
J
W
T
GET /.well-known/jwks.json

105. @mooreds
105
{
"keys" : [
{
"alg" : "RS256",
"e" : "AQAB",
"kid" : "uk0PWf8KkTKiJqWwrNjn16QoKKI",
"kty" : "RSA",
"n" :
"2xzTUGNSpIeNcvICSlFlhver42dR9CWYePEoLk6ncuk1nKLzwOr-hy3W2rmkG-x_DaVMVBT5jimClL_k7Fu5xlscexpmNTo3lK_fqWv_qh
nOONSaX0ETqWSrS9MXWnJcPTZkA37ZAwhGKaz8zzSF3Jh_fULWnFHgJxCLBNYmopnvVAv_erJR0wjX9imMpMsBh3w8O6RyN8ghhlkJ0q4JK
yaauF-xk8nLwIAvdWiPWNpzJ57oXfHUXesbLCfLIuM3f_suh_RaZn7uC0jEO1uG23htOqMb1M0TW5uk8pAxdhVKYbKsPR8CMOUc1je8wDo2
w4y4gY_1koST3xnA6IRhBQ",
"use" : "sig",
"x5c" : [
"MIICuDCCAaCgAwIBAQIQMcWR+VPwTieC06b3Fn6XbzANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDEw1mdXNpb25hdXRoLmlvMB4XDTIxMD
UyNDE5NDU1OVoXDTMxMDUyNDE5NDU1OVowGDEWMBQGA1UEAxMNZnVzaW9uYXV0aC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCg
gEBANsc01BjUqSHjXLyAkpRZYb3q+NnUfQlmHjxKC5Op3LpNZyi88Dq/oct1tq5pBvsfw2lTFQU+Y4pgpS/5OxbucZbHHsaZjU6N5Sv36lr
/6oZzjjUml9BE6lkq0vTF1pyXD02ZAN+2QMIRims/M80hdyYf31C1pxR4CcQiwTWJqKZ71QL/3qyUdMI1/YpjKTLAYd8PDukcjfIIYZZCdK
uCSsmmrhfsZPJy8CAL3Voj1jacyee6F3x1F3rGywnyyLjN3/7Lof0WmZ+7gtIxDtbhtt4bTqjG9TNE1ubpPKQMXYVSmGyrD0fAjDlHNY3vM
A6NsOMuIGP9ZKEk98ZwOiEYQUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcj/NIIltfhyP9zsleVn7N/QRavfKA1SBTwtlPMVezuRIX+S3j
zxJb/ot47TBD5WFNY5y5AOkWHQFNkVtuPjUYmKTAqJd0+kVur77tLKzour6wjOp2QgKzG3IGxQnK903JkFlyWF4vSJuOpH8WymJ1jq1gD5z
Jjz2NXqch+gBIp5Kscr2tj2hg2BGmq5v7+5pz2jYHosarj4sJwGsLqk1j479wK1iaMjdBVCMuq/QS9yF0sG0STsjbceyGzFWbknmZdfNup6
C4a0m8paeb9mlgFfIx9qljuNInpc9QZWeRymNJ5spX0WYVRLu7ULrLDXr8xUupjCSMV95yI1XF6tMkw=="
],
"x5t" : "uk0PWf8KkTKiJqWwrNjn16QoKKI",
"x5t#S256" : "UW-4zdFS6YR9g4Vhl3T3xLwfQ_S1aLFh2x4VBvK1sbY"
}
]
}

106. @mooreds
106
{
"alg" : "RS256",
"kid" : "uk0PWf8KkTKiJqWwrNjn16QoKKI",
"x5c" : [
"MIICuDCCAaCgAwIBAQIQMcWR+VPwTi..."
]
// ...
}

107. @mooreds
Which Matches
107

108. @mooreds
108
{
"typ": "JWT",
"alg": "RS256",
"kid": "uk0PWf8KkTKiJqWwrNjn16QoKKI"
}

109. @mooreds
Refresh
Tokens
109

110. @mooreds
Lifetimes
● JWTs are meant to be short lived (minutes)
110

111. @mooreds
Lifetimes
● JWTs are meant to be short lived (minutes)
● Refresh tokens are long lived (days or months)
111

112. @mooreds
Lifetimes
● JWTs are meant to be short lived (minutes)
● Refresh tokens are long lived (days or months)
● Refresh tokens can be used to create new JWTs
112

113. @mooreds
Why?
● Compromise between two unsavory options
113

114. @mooreds
Why?
● Compromise between two unsavory options
● User authenticating regularly
○ User hassle
114

115. @mooreds
Why?
● Compromise between two unsavory options
● User authenticating regularly
○ User hassle
● Long lived JWTs
○ Security risk
115

116. @mooreds
116
User API
Todo API
users
todos
user
user
R
T
J
W
T

117. @mooreds
117
User API
Todo API
users
todos
user
user
J
W
T R
T
R
T
J
W
T

118. @mooreds
118
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
R
T
R
T
J
W
T

119. @mooreds
119
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
R
T
R
T
J
W
T
Todo data

120. @mooreds
120
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
R
T
R
T
J
W
T

121. @mooreds
121
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
R
T
R
T
J
W
T

122. @mooreds
122
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
R
T
R
T
J
W
T
R
T

123. @mooreds
123
User API
Todo API
users
todos
user
user
J
W
T R
T
R
T
J
W
T

124. @mooreds
124
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
R
T
R
T
J
W
T

125. @mooreds
125
User API
Todo API
users
todos
user
user
J
W
T
J
W
T
R
T
R
T
J
W
T
Todo data

126. @mooreds
Logout
● Revoking refresh token
126

127. @mooreds
127
User API
Todo API
users
todos
user
user
J
W
T
XR
T
R
T
Logout
X
X

128. @mooreds
JWT Revocation
128

129. @mooreds
Can You Do It?
129

130. @mooreds
Kinda
● You have a few options
130

131. @mooreds
Kinda
● You have a few options
○ Rotate keys
131

132. @mooreds
Kinda
● You have a few options
○ Rotate keys
○ Really short lifetimes
132

133. @mooreds
Kinda
● You have a few options
○ Rotate keys
○ Really short lifetimes
○ Deny list
133

134. @mooreds
134
User API
Todo API
users
todos
user
user
J
W
T
XR
T
R
T
Logout
X
X
jwt.refresh-token.revoke event
Webhook

135. @mooreds
JWTs + PHP
● What are you trying to accomplish?
○ Generate or parse a raw JWT
■ firebase/php-jwt
○ Consume a JWT in an API
■ Look at your framework
■ https://fusionauth.link/lhp-laravel-jwt-auth-provider
■ https://fusionauth.link/lhp-wp-jwt-auth-provider (only hmac)
■ https://fusionauth.link/lhp-symfony-jwt-auth-provider
■ https://fusionauth.link/lhp-laravel-api-quickstart
135

136. @mooreds
In
Conclusion
136

137. @mooreds
Thanks & Questions
● Contact me for more info:
○ dan@fusionauth.io
○ https://twitter.com/mooreds
○ https://fusionauth.io
● Links
○ Feedback/slides:
https://joind.in/event/longhorn-php-conference-2023/what-php-developers-need-to-k
now-about-jwts
○ https://fusionauth.link/lhp-php-jwt-example
○ https://fusionauth.link/decode-jwt
○ https://fusionauth.link/lhp-secure-jwt
○ https://fusionauth.link/lhp-jwt-components
○ FusionAuth Community Edition (free!): https://fusionauth.link/lhp-dl
137