
Single Page Application Authorization

I'm developing an SPA application on AngularJS that receives data from a REST API written in PHP. I need to implement JWT authorization for it. I have a simple PHP JWT library that can encode and decode JWT tokens, but I don't know how to verify a JWT token. Can someone explain to me the steps of JWT verification on the PHP side?

You need to decode the header first (which is the first part of the JWT after you split it by periods "."); this will contain the algorithm used to sign, like:

{
  "alg": "HS256",
  "cty": "JWT"
}

This means that HMAC with SHA-256 was used to create the signature of this token. An HMAC is a MAC generated by concatenating a secret to the message and computing the hash; in this case the hash function is SHA-256. Since, given a hash, it is impossible (or at least very expensive in hardware terms) to compute the input, even knowing what the message is you can't guess the key. But given the message (second part of the JWT) and the key, you can compute the hash again and validate whether it is equal to the signature (third part of the JWT). There is more information about HMAC in this answer [1].

It goes without saying that although this is a very common algorithm for JWTs, it is not the only one, and hence the header indicates the algorithm. For instance, Google JWTs are signed with an asymmetric secret, i.e. they publish the public part of the key, which can be used to verify signatures but can't be used to sign. This algorithm is RS256 (aka RSA SHA-256).

You will find this website really useful for debugging [2]. You can also see there the different algorithms and a collection of different implementations in many languages.

The Firebase guys have a PHP implementation that can sign and verify JWTs [3].
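The verification steps the answer describes (split on ".", read the header, recompute the HMAC over the first two parts, compare with the third), written out as an added example in plain PHP. This is not code from the question, the answer or the Firebase library; the function names, the shared secret and the demo token are all constructed for this example. It deliberately pins the accepted algorithm to HS256 rather than trusting whatever `alg` the token's header announces, compares the MAC in constant time with `hash_equals`, and checks `exp`/`nbf` after the signature is confirmed.

```php
<?php
// Added example, not from the original page or any library.
// Assumes: the caller supplies the shared secret and the token string.

// JWT parts use base64url (RFC 4648 §5) without padding; restore padding before decoding.
function base64url_decode(string $data)
{
    $remainder = strlen($data) % 4;
    if ($remainder !== 0) {
        $data .= str_repeat('=', 4 - $remainder);
    }
    return base64_decode(strtr($data, '-_', '+/'), true); // strict: false on bad input
}

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

/**
 * Verify a JWT signed with HMAC-SHA256 and return its claims.
 * Throws RuntimeException on any structural, algorithm, signature or time-window failure.
 */
function verify_hs256_jwt(string $jwt, string $secret, ?int $now = null): array
{
    $now = $now ?? time();
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('JWT must have exactly three dot-separated parts');
    }
    [$headerB64, $payloadB64, $signatureB64] = $parts;

    $header = json_decode(base64url_decode($headerB64) ?: '', true);
    // Pin the algorithm from our own configuration: a header announcing "none"
    // or any algorithm other than the one we expect is rejected outright.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('unexpected or missing alg; only HS256 is accepted here');
    }

    $signature = base64url_decode($signatureB64);
    if ($signature === false) {
        throw new RuntimeException('signature is not valid base64url');
    }

    // Recompute the MAC over the exact signing input: the still-encoded header and payload.
    $expected = hash_hmac('sha256', $headerB64 . '.' . $payloadB64, $secret, true);
    // Constant-time comparison so the number of matching bytes is not leaked via timing.
    if (!hash_equals($expected, $signature)) {
        throw new RuntimeException('signature mismatch');
    }

    // Only after the signature is confirmed do we trust anything in the payload.
    $claims = json_decode(base64url_decode($payloadB64) ?: '', true);
    if (!is_array($claims)) {
        throw new RuntimeException('payload is not a JSON object');
    }
    if (isset($claims['exp']) && $now >= (int) $claims['exp']) {
        throw new RuntimeException('token expired');
    }
    if (isset($claims['nbf']) && $now < (int) $claims['nbf']) {
        throw new RuntimeException('token not yet valid');
    }
    return $claims;
}

// Constructed demo: mint a token with the same primitives, then verify it.
$secret  = 'constructed-demo-secret-do-not-use';
$header  = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$payload = base64url_encode(json_encode(['sub' => 'user42', 'exp' => time() + 3600]));
$sig     = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
$token   = "$header.$payload.$sig";

$claims = verify_hs256_jwt($token, $secret);
echo 'verified subject: ', $claims['sub'], PHP_EOL;

// The same token checked against a different secret fails at the hash_equals step.
try {
    verify_hs256_jwt($token, 'some-other-secret');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two design points worth noting for the REST API side: the signing input is the raw encoded strings joined by ".", not the decoded JSON, so any re-encoding on the server would change the MAC; and the algorithm must be fixed by server configuration rather than read from the token, otherwise a client-controlled header decides which check the server runs.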

© 2020-2024 STACKOOM.COM