jwt.php
<?php

/*
 * This file is part of jwt-auth.
 *
 * (c) Sean Tymon <tymon148@gmail.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

/*
 * Package configuration for jwt-auth. Every value is read through env() so
 * that deployments differ only by their .env file; the defaults given here
 * are what the package uses when the variable is absent.
 */
return [

    /*
    |--------------------------------------------------------------------------
    | JWT Authentication Secret
    |--------------------------------------------------------------------------
    |
    | Don't forget to set this in your .env file, as it will be used to sign
    | your tokens. A helper command is provided for this:
    |   `php artisan jwt:secret`
    |
    | Note: This will be used for Symmetric algorithms only (HMAC),
    | since RSA and ECDSA use a private/public key combo (See below).
    |
    | NOTE(review): whoever holds this value can produce tokens that verify,
    | so it must stay out of version control and be rotated if it may have
    | leaked. For HS256 a secret shorter than the hash output (32 bytes)
    | weakens the HMAC; prefer the generated value over a hand-typed one.
    |
    */

    'secret' => env('JWT_SECRET'),

    /*
    |--------------------------------------------------------------------------
    | JWT Authentication Keys
    |--------------------------------------------------------------------------
    |
    | The algorithm you are using will determine whether your tokens are
    | signed with a random string (defined in `JWT_SECRET`) or using the
    | following public & private keys.
    |
    | Symmetric Algorithms:
    | HS256, HS384 & HS512 will use `JWT_SECRET`.
    |
    | Asymmetric Algorithms:
    | RS256, RS384 & RS512 / ES256, ES384 & ES512 will use the keys below.
    |
    */

    'keys' => [

        /*
        |--------------------------------------------------------------------------
        | Public Key
        |--------------------------------------------------------------------------
        |
        | A path or resource to your public key.
        |
        | E.g. 'file://path/to/public/key'
        |
        */

        'public' => env('JWT_PUBLIC_KEY'),

        /*
        |--------------------------------------------------------------------------
        | Private Key
        |--------------------------------------------------------------------------
        |
        | A path or resource to your private key.
        |
        | E.g. 'file://path/to/private/key'
        |
        | NOTE(review): only the signing side needs the private key; services
        | that merely verify tokens should be given the public key alone.
        |
        */

        'private' => env('JWT_PRIVATE_KEY'),

        /*
        |--------------------------------------------------------------------------
        | Passphrase
        |--------------------------------------------------------------------------
        |
        | The passphrase for your private key. Can be null if none set.
        |
        */

        'passphrase' => env('JWT_PASSPHRASE'),

    ],

    /*
    |--------------------------------------------------------------------------
    | JWT time to live
    |--------------------------------------------------------------------------
    |
    | Specify the length of time (in minutes) that the token will be valid for.
    | Defaults to 1 hour.
    |
    | You can also set this to null, to yield a never expiring token.
    | Some people may want this behaviour for e.g. a mobile app.
    | This is not particularly recommended, so make sure you have appropriate
    | systems in place to revoke the token if necessary.
    | Notice: If you set this to null you should remove 'exp' element from
    | 'required_claims' list.
    |
    */

    'ttl' => env('JWT_TTL', 60),

    /*
    |--------------------------------------------------------------------------
    | Refresh time to live
    |--------------------------------------------------------------------------
    |
    | Specify the length of time (in minutes) that the token can be refreshed
    | within. I.e. the user can refresh their token within a 2 week window of
    | the original token being created until they must re-authenticate.
    | Defaults to 2 weeks.
    |
    | You can also set this to null, to yield an infinite refresh time.
    | Some may want this instead of never expiring tokens for e.g. a mobile app.
    | This is not particularly recommended, so make sure you have appropriate
    | systems in place to revoke the token if necessary.
    |
    */

    'refresh_ttl' => env('JWT_REFRESH_TTL', 20160),

    /*
    |--------------------------------------------------------------------------
    | JWT hashing algorithm
    |--------------------------------------------------------------------------
    |
    | Specify the hashing algorithm that will be used to sign the token.
    |
    | NOTE(review): this value must match the key material configured above:
    | an HS* algorithm uses `secret`, an RS*/ES* algorithm uses `keys`.
    | Because it is read from the environment, treat `JWT_ALGO` as part of the
    | deployment's trusted configuration rather than something set per host
    | ad hoc.
    |
    */

    'algo' => env('JWT_ALGO', Tymon\JWTAuth\Providers\JWT\Provider::ALGO_HS256),

    /*
    |--------------------------------------------------------------------------
    | Required Claims
    |--------------------------------------------------------------------------
    |
    | Specify the required claims that must exist in any token.
    | A TokenInvalidException will be thrown if any of these claims are not
    | present in the payload.
    |
    | Keeping `exp` and `nbf` in this list is what makes the time-bound
    | checks mandatory; a token missing them is rejected rather than treated
    | as unbounded.
    |
    */

    'required_claims' => [
        'iss',
        'iat',
        'exp',
        'nbf',
        'sub',
        'jti',
    ],

    /*
    |--------------------------------------------------------------------------
    | Persistent Claims
    |--------------------------------------------------------------------------
    |
    | Specify the claim keys to be persisted when refreshing a token.
    | `sub` and `iat` will automatically be persisted, in
    | addition to these claims.
    |
    | Note: If a claim does not exist then it will be ignored.
    |
    */

    'persistent_claims' => [
        // 'foo',
        // 'bar',
    ],

    /*
    |--------------------------------------------------------------------------
    | Lock Subject
    |--------------------------------------------------------------------------
    |
    | This will determine whether a `prv` claim is automatically added to
    | the token. The purpose of this is to ensure that if you have multiple
    | authentication models e.g. `App\User` & `App\OtherPerson`, then we
    | should prevent one authentication request from impersonating another,
    | if 2 tokens happen to have the same id across the 2 different models.
    |
    | Under specific circumstances, you may want to disable this behaviour
    | e.g. if you only have one authentication model, then you would save
    | a little on token size.
    |
    */

    'lock_subject' => true,

    /*
    |--------------------------------------------------------------------------
    | Leeway
    |--------------------------------------------------------------------------
    |
    | This property gives the jwt timestamp claims some "leeway".
    | Meaning that if you have any unavoidable slight clock skew on
    | any of your servers then this will afford you some level of cushioning.
    |
    | This applies to the claims `iat`, `nbf` and `exp`.
    |
    | Specify in seconds - only if you know you need it.
    |
    | NOTE(review): every second of leeway extends the window in which an
    | already-expired token is still accepted, so keep it to the smallest
    | value that covers the observed skew.
    |
    */

    'leeway' => env('JWT_LEEWAY', 0),

    /*
    |--------------------------------------------------------------------------
    | Blacklist Enabled
    |--------------------------------------------------------------------------
    |
    | In order to invalidate tokens, you must have the blacklist enabled.
    | If you do not want or need this functionality, then set this to false.
    |
    | NOTE(review): with the blacklist disabled, logout and invalidation
    | cannot take effect before a token's own `exp`; combine that choice with
    | a short `ttl`.
    |
    */

    'blacklist_enabled' => env('JWT_BLACKLIST_ENABLED', true),

    /*
    | -------------------------------------------------------------------------
    | Blacklist Grace Period
    | -------------------------------------------------------------------------
    |
    | When multiple concurrent requests are made with the same JWT,
    | it is possible that some of them fail, due to token regeneration
    | on every request.
    |
    | Set grace period in seconds to prevent parallel request failure.
    |
    | NOTE(review): during the grace period a token that has already been
    | blacklisted appears to remain usable, so the value should be just long
    | enough to cover in-flight parallel requests.
    |
    */

    'blacklist_grace_period' => env('JWT_BLACKLIST_GRACE_PERIOD', 0),

    /*
    |--------------------------------------------------------------------------
    | Cookies encryption
    |--------------------------------------------------------------------------
    |
    | By default Laravel encrypts cookies for security reasons.
    | If you decide to not decrypt cookies, you will have to configure Laravel
    | to not encrypt your cookie token by adding its name into the $except
    | array available in the middleware "EncryptCookies" provided by Laravel.
    | see https://laravel.com/docs/master/responses#cookies-and-encryption
    | for details.
    |
    | Set it to true if you want to decrypt cookies.
    |
    */

    'decrypt_cookies' => false,

    /*
    |--------------------------------------------------------------------------
    | Providers
    |--------------------------------------------------------------------------
    |
    | Specify the various providers used throughout the package.
    |
    */

    'providers' => [

        /*
        |--------------------------------------------------------------------------
        | JWT Provider
        |--------------------------------------------------------------------------
        |
        | Specify the provider that is used to create and decode the tokens.
        |
        */

        'jwt' => Tymon\JWTAuth\Providers\JWT\Lcobucci::class,

        /*
        |--------------------------------------------------------------------------
        | Authentication Provider
        |--------------------------------------------------------------------------
        |
        | Specify the provider that is used to authenticate users.
        |
        */

        'auth' => Tymon\JWTAuth\Providers\Auth\Illuminate::class,

        /*
        |--------------------------------------------------------------------------
        | Storage Provider
        |--------------------------------------------------------------------------
        |
        | Specify the provider that is used to store tokens in the blacklist.
        |
        */

        'storage' => Tymon\JWTAuth\Providers\Storage\Illuminate::class,

    ],

];