JWT API Authentication

By default, packeton is storage api tokens in database for each user. But when user loaded from custom user provider, like LDAP need to enable JWT configuration to use API. So Packeton can be configured with a non-standard login type to support JSON Web Tokens.

The JSON Web Token integration in Packeton uses the Firebase library. Also, JWT authentication can be enabled only for API.

Add yaml configuration file to path config/packages/, for example config/packages/jwt.yaml to enable it.

packeton:
    jwt_authentication:
        private_key: '%kernel.project_dir%/var/jwt/eddsa-key.pem'
        public_key: '%kernel.project_dir%/var/jwt/eddsa-public.pem'

Full configurations:

# config/packages/config/packages/jwt.yaml
packeton:
    jwt_authentication:
        private_key: '%kernel.project_dir%/var/jwt/eddsa-key.pem' # required for token sign
        public_key: '%kernel.project_dir%/var/jwt/eddsa-public.pem' # required for token verification
        passphrase: ~
        algo: EdDSA # Sign algo, here libsodium EdDSA

Generate the public/private keys

bin/console packagist:jwt:generate-keypair

bin/console packagist:jwt:generate-keypair --overwrite

Available options:

• --overwrite will overwrite your keys if they already exist.

If keys already exists, a warning message will be raised to prevent you from overwriting your keys accidentally.

JWT Token TTL.

JWT Token is never expire. It was done for compatibility with composer basic HTTP authorization. Each time the api is called, Packeton is checked that the user exists in the database and that he has the same set of permissions and roles.

Digital signatures algos.

We support all algos from Firebase lib: HMAC, OpenSSL RSA, OpenSSL

Rsa, HMAC, EdDSA algorithms generate invariant tokens, i.e. the value of the token will be constant for the same user. It might be convenient as the app does not store the generated tokens.

Example how to change algo:

packeton:
    jwt_authentication:
    ...
        algo: RS256 # RSA 256

Generating keys using OpenSSL

Example, how to generate an RSA private key, key.pem - private key. public.pem - public

openssl genrsa -out key.pem 2048
openssl rsa -in key.pem -outform PEM -pubout -out public.pem

Example, how to generate an ES256 (elliptic curve) key pairs.

openssl ecparam -name prime256v1 -genkey -noout -out key.pem
openssl ec -in key.pem -pubout -out public.pem

Obtain the token

You can run command packagist:user:manager to show the api token:

bin/console packagist:user:manager admin --show-token --token-format=jwt

Or you can found api token on your profile page.

Use the token

Simply use the JWT, like standard API token for composer api.

Cache LDAP user loading.

Since 2.0 composer downloads all packages in parallel, it may run more 12 request at the same time. To prevent calls external LDAP provider each time for JWT token verify, the obtained LDAP user object placed to cache with 60 sec TTL.