JWT without users database

[leon0399]

Summary

Nowadays many projects are made using microservices approach, and it would be nice to have support to use JWTs without having users in database (basically, just parse token claims, maybe omitting regitered claims?), to support tokens, issued by other party

[mfn]

2.0 roadmap ? 🤔

[mattvb91]

Currently looking for exactly this. I just need a temporary token to make a request to another service which in turns uses the token to validate against the api for some data.

[v131313]

Write custom middleware

namespace App\Http\Middleware;

use App\Models\User;
use Closure;
use Illuminate\Http\Request;
use PHPOpenSourceSaver\JWTAuth\Exceptions\JWTException;
use PHPOpenSourceSaver\JWTAuth\JWTAuth;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;

class JwtAuthGetUserFromToken
{
    /**
     * Handle an incoming request.
     *
     * @param Request $request
     *
     * @return mixed
     *
     * @throws UnauthorizedHttpException
     */
    /**
     * The JWT Authenticator.
     */
    protected JWTAuth $auth;

    /**
     * Create a new BaseMiddleware instance.
     *
     * @return void
     */
    public function __construct(JWTAuth $auth)
    {
        $this->auth = $auth;
    }

    /**
     * Check the request for the presence of a token.
     *
     * @return void
     *
     * @throws BadRequestHttpException
     */
    public function checkForToken(Request $request)
    {
        if (!$this->auth->parser()->setRequest($request)->hasToken()) {
            throw new UnauthorizedHttpException('jwt-auth', 'Token not provided');
        }
    }

    /**
     * Attempt to authenticate a user via the token in the request.
     *
     * @return void
     *
     * @throws UnauthorizedHttpException
     */
    public function authenticate(Request $request)
    {
        try {
            $this->checkForToken($request);
            $payload = $this->auth->parseToken()->getPayload();

            $userPayload = $payload->get('user');
            if (is_null($userPayload)) {
                throw new UnauthorizedHttpException('jwt-auth', 'User data not found in token');
            }
            $user = new User($userPayload);
            $user->id = $payload->get('sub');

            if (!$user->id) {
                throw new UnauthorizedHttpException('jwt-auth', 'User ID not provided');
            }
            \Auth::login($user);

        } catch (JWTException $e) {
            throw new UnauthorizedHttpException('jwt-auth', $e->getMessage(), $e, $e->getCode());
        }
    }

    public function handle($request, Closure $next)
    {
        $this->authenticate($request);

        return $next($request);
    }
}

How to create token:
$credentials = request(['email', 'password']);
$user = User::where('email', $credentials['email'])->first();
$token = JWTAuth::claims(['user' => $user])->attempt($credentials))

[alexanderkraemer]

Also for validating the token with the public key of a external service using the external services jwks Endpoint would be awesome.
Currently I implemented this on my own, because this lib does not seem to support it.

[eschricker]

@alexanderkraemer you are welcomed to create a PR

[mfn]

Note: 2.0.0 was released (due to Octane support), so it won't be on the 2.0.0 roadmap anymore ;)

[Dectom]

I'm looking for a way of achieving this as I issue the JWT from a separate service to which is consuming it

Is there any way with this package to just parse a JWT without it linking back to a user?

[Messhias]

I'm looking for a way of achieving this as I issue the JWT from a separate service which is consuming it

Is there any way this package can parse a JWT without linking back to a user?

Change the guards in the config, you don't need to use a user from the database itself. Take a look at jwt driver.

[Messhias]

I'm looking for a way of achieving this as I issue the JWT from a separate service which is consuming it
Is there any way this package can parse a JWT without linking back to a user?

Change the guards in the config, you don't need to use a user from the database itself. Take a look at jwt driver.

Since there's no more activity in this thread anymore I believe this one solved the issue.