kreait / firebase-tokens
A library to work with Firebase tokens
Fund package maintenance!
jeromegamez
Installs: 23 400 839
Dependents: 17
Suggesters: 0
Security: 0
Stars: 223
Watchers: 5
Forks: 33
Open Issues: 0
Requires
- php: ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0
- ext-json: *
- ext-openssl: *
- beste/clock: ^3.0
- fig/http-message-util: ^1.1.5
- guzzlehttp/guzzle: ^7.8
- lcobucci/jwt: ^5.2
- psr/cache: ^1.0|^2.0|^3.0
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.62.0
- phpstan/extension-installer: ^1.4.1
- phpstan/phpstan: ^1.11.10
- phpstan/phpstan-phpunit: ^1.4.0
- phpunit/phpunit: ^10.5.30
- rector/rector: ^1.2.3
- symfony/cache: ^6.4.3 || ^7.1.3
- symfony/var-dumper: ^6.4.3 || ^7.1.3
Suggests
- psr/cache-implementation: to cache fetched remote public keys
- 5.x-dev
- 5.2.0
- 5.1.0
- 5.0.1
- 5.0.0
- 4.x-dev
- 4.3.0
- 4.2.0
- 4.1.0
- 4.0.0
- 3.0.3
- 3.0.2
- 3.0.1
- 3.0
- 2.3.1
- 2.3.0
- 2.2.0
- 2.1.1
- 2.1.0
- 2.0.1
- 2.0.0
- 1.17.0
- 1.16.3
- 1.16.2
- 1.16.1
- 1.16.0
- 1.15.0
- 1.14.0
- 1.13.0
- 1.12.0
- 1.11.0
- 1.10.0
- 1.9.2
- 1.9.1
- 1.9.0
- 1.8.1
- 1.8.0
- 1.7.2
- 1.7.1
- 1.7.0
- 1.6.1
- 1.6.0
- 1.5.0
- 1.4.0
- 1.3.0
- 1.2.1
- 1.2.0
- 1.1.1
- 1.1.0
- 1.0.1
- 1.0.0
This package is auto-updated.
Last update: 2024-10-16 23:54:32 UTC
README
A library to work with Google Firebase tokens. You can use it to create custom tokens and verify ID Tokens.
Achieve more with the Firebase Admin SDK for PHP (which uses this library).
The future of the Firebase Admin PHP SDK
Please read about the future of the Firebase Admin PHP SDK on the SDK's GitHub Repository.
Installation
composer require kreait/firebase-tokens
Simple usage
Create a custom token
More information on what a custom token is and how it can be used can be found in Google's official documentation.
<?php use Kreait\Firebase\JWT\CustomTokenGenerator; $clientEmail = '...'; $privateKey = '...'; $generator = CustomTokenGenerator::withClientEmailAndPrivateKey($clientEmail, $privateKey); $token = $generator->createCustomToken('uid', ['first_claim' => 'first_value' /* ... */]); echo $token; // Output: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.e...
Verify an ID token
The ID token verification methods included in the Firebase Admin SDKs are meant to verify ID tokens that come from the client SDKs, not the custom tokens that you create with the Admin SDKs. See Auth tokens for more information.
<?php use Kreait\Firebase\JWT\Error\IdTokenVerificationFailed; use Kreait\Firebase\JWT\IdTokenVerifier; $projectId = '...'; $idToken = 'eyJhb...'; // An ID token given to your backend by a Client application $verifier = IdTokenVerifier::createWithProjectId($projectId); try { $token = $verifier->verifyIdToken($idToken); } catch (IdTokenVerificationFailed $e) { echo $e->getMessage(); // Example Output: // The value 'eyJhb...' is not a verified ID token: // - The token is expired. exit; } try { $token = $verifier->verifyIdTokenWithLeeway($idToken, $leewayInSeconds = 10000000); } catch (IdTokenVerificationFailed $e) { print $e->getMessage(); exit; }
Verify a Session Cookie
Session cookie verification is similar to ID Token verification.
See Manage Session Cookies for more information.
<?php use Kreait\Firebase\JWT\Error\SessionCookieVerificationFailed; use Kreait\Firebase\JWT\SessionCookieVerifier; $projectId = '...'; $sessionCookie = 'eyJhb...'; // A session cookie given to your backend by a Client application $verifier = SessionCookieVerifier::createWithProjectId($projectId); try { $token = $verifier->verifySessionCookie($sessionCookie); } catch (SessionCookieVerificationFailed $e) { echo $e->getMessage(); // Example Output: // The value 'eyJhb...' is not a verified ID token: // - The token is expired. exit; } try { $token = $verifier->verifySessionCookieWithLeeway($sessionCookie, $leewayInSeconds = 10000000); } catch (SessionCookieVerificationFailed $e) { print $e->getMessage(); exit; }
Tokens
Tokens returned from the Generator and Verifier are instances of \Kreait\Firebase\JWT\Contract\Token
and
represent a JWT. The displayed outputs are examples and vary depending on
the information associated with the given user in your project's auth database.
According to the JWT specification, you can expect the following payload fields to be always
available: iss
, aud
, auth_time
, sub
, iat
, exp
. Other fields depend on the
authentication method of the given account and the information stored in your project's
Auth database.
$token = $verifier->verifyIdToken('eyJhb...'); // An ID token given to your backend by a Client application echo json_encode($token->headers(), JSON_PRETTY_PRINT); // { // "alg": "RS256", // "kid": "e5a91d9f39fa4de254a1e89df00f05b7e248b985", // "typ": "JWT" // } echo json_encode($token->payload(), JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES); // { // "name": "Jane Doe", // "picture": "https://domain.tld/picture.jpg", // "iss": "https://securetoken.google.com/your-project-id", // "aud": "your-project-id", // "auth_time": 1580063945, // "user_id": "W0IturDwy4TYTmX6ilkd2ZbAXRp2", // "sub": "W0IturDwy4TYTmX6ilkd2ZbAXRp2", // "iat": 1580063945, // "exp": 1580067545, // "email": "jane@doe.tld", // "email_verified": true, // "phone_number": "+1234567890", // "firebase": { // "identities": { // "phone": [ // "+1234567890" // ], // "email": [ // "jane@doe.tld" // ] // }, // "sign_in_provider": "custom" // } // } echo $token->toString(); // eyJhb... $tokenString = (string) $token; // string // eyJhb...
Tenant Awareness
You can create custom tokens that are scoped to a given tenant:
<?php use Kreait\Firebase\JWT\CustomTokenGenerator; $generator = CustomTokenGenerator::withClientEmailAndPrivateKey('...', '...'); $tenantAwareGenerator = $generator->withTenantId('my-tenant-id');
Similarly, you can verify that ID tokens were issued in the scope of a given tenant:
<?php use Kreait\Firebase\JWT\IdTokenVerifier; $verifier = IdTokenVerifier::createWithProjectId('my-project-id'); $tenantAwareVerifier = $verifier->withExpectedTenantId('my-tenant-id');
Session cookies currently don't support tenants.
Advanced usage
Cache results from the Google Secure Token Store
In order to verify ID tokens, the verifier makes a call to fetch Firebase's currently available public keys. The keys are cached in memory by default.
If you want to cache the public keys more effectively, you can initialize the verifier with an implementation of psr/simple-cache or psr/cache to reduce the amount of HTTP requests to Google's servers.
Here's an example using the Symfony Cache Component:
use Kreait\Firebase\JWT\IdTokenVerifier; use Symfony\Component\Cache\Adapter\FilesystemAdapter; $cache = new FilesystemAdapter(); $verifier = IdTokenVerifier::createWithProjectIdAndCache($projectId, $cache);
Supported Versions
Only the latest version is actively supported.
Earlier versions will receive security fixes as long as their lowest PHP requirement receives security fixes. For example, when a version supports PHP 7.4 and PHP 8.0, security support will end when security support for PHP 7.4 ends.
License
The MIT License (MIT). Please see License File for more information.