123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304 |
- <?php
- /*
- * This file is part of jwt-auth.
- *
- * (c) Sean Tymon <tymon148@gmail.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
- return [
- /*
- |--------------------------------------------------------------------------
- | JWT Authentication Secret
- |--------------------------------------------------------------------------
- |
- | Don't forget to set this in your .env file, as it will be used to sign
- | your tokens. A helper command is provided for this:
- | `php artisan jwt:secret`
- |
- | Note: This will be used for Symmetric algorithms only (HMAC),
- | since RSA and ECDSA use a private/public key combo (See below).
- |
- */
- 'secret' => env('JWT_SECRET'),
- /*
- |--------------------------------------------------------------------------
- | JWT Authentication Keys
- |--------------------------------------------------------------------------
- |
- | The algorithm you are using, will determine whether your tokens are
- | signed with a random string (defined in `JWT_SECRET`) or using the
- | following public & private keys.
- |
- | Symmetric Algorithms:
- | HS256, HS384 & HS512 will use `JWT_SECRET`.
- |
- | Asymmetric Algorithms:
- | RS256, RS384 & RS512 / ES256, ES384 & ES512 will use the keys below.
- |
- */
- 'keys' => [
- /*
- |--------------------------------------------------------------------------
- | Public Key
- |--------------------------------------------------------------------------
- |
- | A path or resource to your public key.
- |
- | E.g. 'file://path/to/public/key'
- |
- */
- 'public' => env('JWT_PUBLIC_KEY'),
- /*
- |--------------------------------------------------------------------------
- | Private Key
- |--------------------------------------------------------------------------
- |
- | A path or resource to your private key.
- |
- | E.g. 'file://path/to/private/key'
- |
- */
- 'private' => env('JWT_PRIVATE_KEY'),
- /*
- |--------------------------------------------------------------------------
- | Passphrase
- |--------------------------------------------------------------------------
- |
- | The passphrase for your private key. Can be null if none set.
- |
- */
- 'passphrase' => env('JWT_PASSPHRASE'),
- ],
- /*
- |--------------------------------------------------------------------------
- | JWT time to live
- |--------------------------------------------------------------------------
- |
- | Specify the length of time (in minutes) that the token will be valid for.
- | Defaults to 1 hour.
- |
- | You can also set this to null, to yield a never expiring token.
- | Some people may want this behaviour for e.g. a mobile app.
- | This is not particularly recommended, so make sure you have appropriate
- | systems in place to revoke the token if necessary.
- | Notice: If you set this to null you should remove 'exp' element from 'required_claims' list.
- |
- */
- 'ttl' => env('JWT_TTL', 2628000),
- /*
- |--------------------------------------------------------------------------
- | Refresh time to live
- |--------------------------------------------------------------------------
- |
- | Specify the length of time (in minutes) that the token can be refreshed
- | within. I.E. The user can refresh their token within a 2 week window of
- | the original token being created until they must re-authenticate.
- | Defaults to 2 weeks.
- |
- | You can also set this to null, to yield an infinite refresh time.
- | Some may want this instead of never expiring tokens for e.g. a mobile app.
- | This is not particularly recommended, so make sure you have appropriate
- | systems in place to revoke the token if necessary.
- |
- */
- 'refresh_ttl' => env('JWT_REFRESH_TTL', 2628000),
- /*
- |--------------------------------------------------------------------------
- | JWT hashing algorithm
- |--------------------------------------------------------------------------
- |
- | Specify the hashing algorithm that will be used to sign the token.
- |
- | See here: https://github.com/namshi/jose/tree/master/src/Namshi/JOSE/Signer/OpenSSL
- | for possible values.
- |
- */
- 'algo' => env('JWT_ALGO', 'HS256'),
- /*
- |--------------------------------------------------------------------------
- | Required Claims
- |--------------------------------------------------------------------------
- |
- | Specify the required claims that must exist in any token.
- | A TokenInvalidException will be thrown if any of these claims are not
- | present in the payload.
- |
- */
- 'required_claims' => [
- 'iss',
- 'iat',
- 'exp',
- 'nbf',
- 'sub',
- 'jti',
- ],
- /*
- |--------------------------------------------------------------------------
- | Persistent Claims
- |--------------------------------------------------------------------------
- |
- | Specify the claim keys to be persisted when refreshing a token.
- | `sub` and `iat` will automatically be persisted, in
- | addition to the these claims.
- |
- | Note: If a claim does not exist then it will be ignored.
- |
- */
- 'persistent_claims' => [
- // 'foo',
- // 'bar',
- ],
- /*
- |--------------------------------------------------------------------------
- | Lock Subject
- |--------------------------------------------------------------------------
- |
- | This will determine whether a `prv` claim is automatically added to
- | the token. The purpose of this is to ensure that if you have multiple
- | authentication models e.g. `App\User` & `App\OtherPerson`, then we
- | should prevent one authentication request from impersonating another,
- | if 2 tokens happen to have the same id across the 2 different models.
- |
- | Under specific circumstances, you may want to disable this behaviour
- | e.g. if you only have one authentication model, then you would save
- | a little on token size.
- |
- */
- 'lock_subject' => true,
- /*
- |--------------------------------------------------------------------------
- | Leeway
- |--------------------------------------------------------------------------
- |
- | This property gives the jwt timestamp claims some "leeway".
- | Meaning that if you have any unavoidable slight clock skew on
- | any of your servers then this will afford you some level of cushioning.
- |
- | This applies to the claims `iat`, `nbf` and `exp`.
- |
- | Specify in seconds - only if you know you need it.
- |
- */
- 'leeway' => env('JWT_LEEWAY', 0),
- /*
- |--------------------------------------------------------------------------
- | Blacklist Enabled
- |--------------------------------------------------------------------------
- |
- | In order to invalidate tokens, you must have the blacklist enabled.
- | If you do not want or need this functionality, then set this to false.
- |
- */
- 'blacklist_enabled' => env('JWT_BLACKLIST_ENABLED', true),
- /*
- | -------------------------------------------------------------------------
- | Blacklist Grace Period
- | -------------------------------------------------------------------------
- |
- | When multiple concurrent requests are made with the same JWT,
- | it is possible that some of them fail, due to token regeneration
- | on every request.
- |
- | Set grace period in seconds to prevent parallel request failure.
- |
- */
- 'blacklist_grace_period' => env('JWT_BLACKLIST_GRACE_PERIOD', 0),
- /*
- |--------------------------------------------------------------------------
- | Cookies encryption
- |--------------------------------------------------------------------------
- |
- | By default Laravel encrypt cookies for security reason.
- | If you decide to not decrypt cookies, you will have to configure Laravel
- | to not encrypt your cookie token by adding its name into the $except
- | array available in the middleware "EncryptCookies" provided by Laravel.
- | see https://laravel.com/docs/master/responses#cookies-and-encryption
- | for details.
- |
- | Set it to true if you want to decrypt cookies.
- |
- */
- 'decrypt_cookies' => false,
- /*
- |--------------------------------------------------------------------------
- | Providers
- |--------------------------------------------------------------------------
- |
- | Specify the various providers used throughout the package.
- |
- */
- 'providers' => [
- /*
- |--------------------------------------------------------------------------
- | JWT Provider
- |--------------------------------------------------------------------------
- |
- | Specify the provider that is used to create and decode the tokens.
- |
- */
- 'jwt' => Tymon\JWTAuth\Providers\JWT\Lcobucci::class,
- /*
- |--------------------------------------------------------------------------
- | Authentication Provider
- |--------------------------------------------------------------------------
- |
- | Specify the provider that is used to authenticate users.
- |
- */
- 'auth' => Tymon\JWTAuth\Providers\Auth\Illuminate::class,
- /*
- |--------------------------------------------------------------------------
- | Storage Provider
- |--------------------------------------------------------------------------
- |
- | Specify the provider that is used to store tokens in the blacklist.
- |
- */
- 'storage' => Tymon\JWTAuth\Providers\Storage\Illuminate::class,
- ],
- ];
|