jwt.php 9.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304
  1. <?php
  2. /*
  3. * This file is part of jwt-auth.
  4. *
  5. * (c) Sean Tymon <tymon148@gmail.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. return [
  11. /*
  12. |--------------------------------------------------------------------------
  13. | JWT Authentication Secret
  14. |--------------------------------------------------------------------------
  15. |
  16. | Don't forget to set this in your .env file, as it will be used to sign
  17. | your tokens. A helper command is provided for this:
  18. | `php artisan jwt:secret`
  19. |
  20. | Note: This will be used for Symmetric algorithms only (HMAC),
  21. | since RSA and ECDSA use a private/public key combo (See below).
  22. |
  23. */
  24. 'secret' => env('JWT_SECRET'),
  25. /*
  26. |--------------------------------------------------------------------------
  27. | JWT Authentication Keys
  28. |--------------------------------------------------------------------------
  29. |
  30. | The algorithm you are using, will determine whether your tokens are
  31. | signed with a random string (defined in `JWT_SECRET`) or using the
  32. | following public & private keys.
  33. |
  34. | Symmetric Algorithms:
  35. | HS256, HS384 & HS512 will use `JWT_SECRET`.
  36. |
  37. | Asymmetric Algorithms:
  38. | RS256, RS384 & RS512 / ES256, ES384 & ES512 will use the keys below.
  39. |
  40. */
  41. 'keys' => [
  42. /*
  43. |--------------------------------------------------------------------------
  44. | Public Key
  45. |--------------------------------------------------------------------------
  46. |
  47. | A path or resource to your public key.
  48. |
  49. | E.g. 'file://path/to/public/key'
  50. |
  51. */
  52. 'public' => env('JWT_PUBLIC_KEY'),
  53. /*
  54. |--------------------------------------------------------------------------
  55. | Private Key
  56. |--------------------------------------------------------------------------
  57. |
  58. | A path or resource to your private key.
  59. |
  60. | E.g. 'file://path/to/private/key'
  61. |
  62. */
  63. 'private' => env('JWT_PRIVATE_KEY'),
  64. /*
  65. |--------------------------------------------------------------------------
  66. | Passphrase
  67. |--------------------------------------------------------------------------
  68. |
  69. | The passphrase for your private key. Can be null if none set.
  70. |
  71. */
  72. 'passphrase' => env('JWT_PASSPHRASE'),
  73. ],
  74. /*
  75. |--------------------------------------------------------------------------
  76. | JWT time to live
  77. |--------------------------------------------------------------------------
  78. |
  79. | Specify the length of time (in minutes) that the token will be valid for.
  80. | Defaults to 1 hour.
  81. |
  82. | You can also set this to null, to yield a never expiring token.
  83. | Some people may want this behaviour for e.g. a mobile app.
  84. | This is not particularly recommended, so make sure you have appropriate
  85. | systems in place to revoke the token if necessary.
  86. | Notice: If you set this to null you should remove 'exp' element from 'required_claims' list.
  87. |
  88. */
  89. 'ttl' => env('JWT_TTL', 2628000),
  90. /*
  91. |--------------------------------------------------------------------------
  92. | Refresh time to live
  93. |--------------------------------------------------------------------------
  94. |
  95. | Specify the length of time (in minutes) that the token can be refreshed
  96. | within. I.E. The user can refresh their token within a 2 week window of
  97. | the original token being created until they must re-authenticate.
  98. | Defaults to 2 weeks.
  99. |
  100. | You can also set this to null, to yield an infinite refresh time.
  101. | Some may want this instead of never expiring tokens for e.g. a mobile app.
  102. | This is not particularly recommended, so make sure you have appropriate
  103. | systems in place to revoke the token if necessary.
  104. |
  105. */
  106. 'refresh_ttl' => env('JWT_REFRESH_TTL', 2628000),
  107. /*
  108. |--------------------------------------------------------------------------
  109. | JWT hashing algorithm
  110. |--------------------------------------------------------------------------
  111. |
  112. | Specify the hashing algorithm that will be used to sign the token.
  113. |
  114. | See here: https://github.com/namshi/jose/tree/master/src/Namshi/JOSE/Signer/OpenSSL
  115. | for possible values.
  116. |
  117. */
  118. 'algo' => env('JWT_ALGO', 'HS256'),
  119. /*
  120. |--------------------------------------------------------------------------
  121. | Required Claims
  122. |--------------------------------------------------------------------------
  123. |
  124. | Specify the required claims that must exist in any token.
  125. | A TokenInvalidException will be thrown if any of these claims are not
  126. | present in the payload.
  127. |
  128. */
  129. 'required_claims' => [
  130. 'iss',
  131. 'iat',
  132. 'exp',
  133. 'nbf',
  134. 'sub',
  135. 'jti',
  136. ],
  137. /*
  138. |--------------------------------------------------------------------------
  139. | Persistent Claims
  140. |--------------------------------------------------------------------------
  141. |
  142. | Specify the claim keys to be persisted when refreshing a token.
  143. | `sub` and `iat` will automatically be persisted, in
  144. | addition to the these claims.
  145. |
  146. | Note: If a claim does not exist then it will be ignored.
  147. |
  148. */
  149. 'persistent_claims' => [
  150. // 'foo',
  151. // 'bar',
  152. ],
  153. /*
  154. |--------------------------------------------------------------------------
  155. | Lock Subject
  156. |--------------------------------------------------------------------------
  157. |
  158. | This will determine whether a `prv` claim is automatically added to
  159. | the token. The purpose of this is to ensure that if you have multiple
  160. | authentication models e.g. `App\User` & `App\OtherPerson`, then we
  161. | should prevent one authentication request from impersonating another,
  162. | if 2 tokens happen to have the same id across the 2 different models.
  163. |
  164. | Under specific circumstances, you may want to disable this behaviour
  165. | e.g. if you only have one authentication model, then you would save
  166. | a little on token size.
  167. |
  168. */
  169. 'lock_subject' => true,
  170. /*
  171. |--------------------------------------------------------------------------
  172. | Leeway
  173. |--------------------------------------------------------------------------
  174. |
  175. | This property gives the jwt timestamp claims some "leeway".
  176. | Meaning that if you have any unavoidable slight clock skew on
  177. | any of your servers then this will afford you some level of cushioning.
  178. |
  179. | This applies to the claims `iat`, `nbf` and `exp`.
  180. |
  181. | Specify in seconds - only if you know you need it.
  182. |
  183. */
  184. 'leeway' => env('JWT_LEEWAY', 0),
  185. /*
  186. |--------------------------------------------------------------------------
  187. | Blacklist Enabled
  188. |--------------------------------------------------------------------------
  189. |
  190. | In order to invalidate tokens, you must have the blacklist enabled.
  191. | If you do not want or need this functionality, then set this to false.
  192. |
  193. */
  194. 'blacklist_enabled' => env('JWT_BLACKLIST_ENABLED', true),
  195. /*
  196. | -------------------------------------------------------------------------
  197. | Blacklist Grace Period
  198. | -------------------------------------------------------------------------
  199. |
  200. | When multiple concurrent requests are made with the same JWT,
  201. | it is possible that some of them fail, due to token regeneration
  202. | on every request.
  203. |
  204. | Set grace period in seconds to prevent parallel request failure.
  205. |
  206. */
  207. 'blacklist_grace_period' => env('JWT_BLACKLIST_GRACE_PERIOD', 0),
  208. /*
  209. |--------------------------------------------------------------------------
  210. | Cookies encryption
  211. |--------------------------------------------------------------------------
  212. |
  213. | By default Laravel encrypt cookies for security reason.
  214. | If you decide to not decrypt cookies, you will have to configure Laravel
  215. | to not encrypt your cookie token by adding its name into the $except
  216. | array available in the middleware "EncryptCookies" provided by Laravel.
  217. | see https://laravel.com/docs/master/responses#cookies-and-encryption
  218. | for details.
  219. |
  220. | Set it to true if you want to decrypt cookies.
  221. |
  222. */
  223. 'decrypt_cookies' => false,
  224. /*
  225. |--------------------------------------------------------------------------
  226. | Providers
  227. |--------------------------------------------------------------------------
  228. |
  229. | Specify the various providers used throughout the package.
  230. |
  231. */
  232. 'providers' => [
  233. /*
  234. |--------------------------------------------------------------------------
  235. | JWT Provider
  236. |--------------------------------------------------------------------------
  237. |
  238. | Specify the provider that is used to create and decode the tokens.
  239. |
  240. */
  241. 'jwt' => Tymon\JWTAuth\Providers\JWT\Lcobucci::class,
  242. /*
  243. |--------------------------------------------------------------------------
  244. | Authentication Provider
  245. |--------------------------------------------------------------------------
  246. |
  247. | Specify the provider that is used to authenticate users.
  248. |
  249. */
  250. 'auth' => Tymon\JWTAuth\Providers\Auth\Illuminate::class,
  251. /*
  252. |--------------------------------------------------------------------------
  253. | Storage Provider
  254. |--------------------------------------------------------------------------
  255. |
  256. | Specify the provider that is used to store tokens in the blacklist.
  257. |
  258. */
  259. 'storage' => Tymon\JWTAuth\Providers\Storage\Illuminate::class,
  260. ],
  261. ];