Peltekis.dev

Implementing JWT Authentication in PHP

September 28, 2024

In modern web applications, securing APIs and protecting user data is crucial. One of the most common methods to handle authentication is by using JWT (JSON Web Tokens). JWT is a compact, URL-safe token format that allows you to securely transmit information between parties as a JSON object.

What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between a client and a server. It’s often used for authorization purposes, enabling stateless authentication by embedding user data within the token itself.

A JWT consists of three parts:

  1. Header: Contains metadata about the type of token and the algorithm used for encryption (usually HS256 or RS256).
  2. Payload: Contains the claims or the actual data, such as user ID or roles.
  3. Signature: Ensures the token hasn’t been altered.

These three parts are encoded separately using Base64Url encoding and concatenated with periods (.) to form the complete JWT, which looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Why Use JWT for Authentication?

JWT is commonly used for stateless authentication, meaning the server doesn’t need to store session data. This provides several advantages:

  • Scalability: Since the server doesn’t need to keep track of sessions, it can scale easily.
  • Cross-Domain Support: JWT can be used across different domains, making it suitable for APIs.
  • Self-Contained: The token contains all the information needed to verify the user’s identity.

Implementing JWT in PHP

Step 1: Install Required Libraries

To handle JWT in PHP, we can use the firebase/php-jwt library. You can install it via Composer:

composer require firebase/php-jwt

Step 2: Create a JWT Token

Here’s a simple example of creating a JWT token after a user successfully logs in:

use Firebase\JWT\JWT;
use Firebase\JWT\ExpiredException;

// Your secret key
$secretKey = "your_secret_key";

// Sample user data
$userData = [
    "id" => 1,
    "username" => "john_doe"
];

// Create a JWT token
$issuedAt = time();
$expirationTime = $issuedAt + 3600;  // jwt valid for 1 hour
$payload = [
    "iat" => $issuedAt,
    "exp" => $expirationTime,
    "data" => $userData
];

$jwt = JWT::encode($payload, $secretKey);
echo "Generated JWT: " . $jwt;

Step 3: Validate the JWT Token

When a client makes a request to a protected route, you need to validate the token:

try {
    $decoded = JWT::decode($jwt, $secretKey, ['HS256']);
    print_r($decoded);
} catch (ExpiredException $e) {
    echo "Token has expired.";
} catch (Exception $e) {
    echo "Token is invalid.";
}

Step 4: Use Middleware for Authentication

In a real-world application, it’s a good practice to create middleware to handle JWT validation for protected routes. This way, you can easily reuse the authentication logic.

function authenticate($jwt) {
    global $secretKey;

    try {
        $decoded = JWT::decode($jwt, $secretKey, ['HS256']);
        return $decoded->data;
    } catch (Exception $e) {
        return null; // Token is invalid
    }
}

JWT provides a powerful way to handle authentication in PHP applications. By using JWT, you can create secure, stateless APIs that can scale easily. With the provided code snippets, you can get started on implementing JWT authentication in your PHP application.