Decode user identity from JWT Token
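<?php

declare(strict_types=1);

/**
 * Decode and verify an Amazon Cognito JWT with the Spomky-Labs JOSE library.
 *
 * Assumes https://github.com/Spomky-Labs/jose is installed: composer require spomky-labs/jose
 * Check token claims guide:  https://github.com/Spomky-Labs/jose/blob/master/doc/operation/Check.md
 * Decode and verify guide:   https://github.com/Spomky-Labs/jose/blob/master/doc/operation/Verify.md
 */

use Jose\Checker\AudienceChecker;
use Jose\Checker\IssuerChecker;
use Jose\Factory\CheckerManagerFactory;
use Jose\Factory\JWKFactory;
use Jose\Loader;

// Deployment-specific values (taken from the original example): the user pool
// that issued the token and the app client the token must be addressed to.
$region      = 'ap-southeast-1';
$userPoolId  = 'ap-southeast-1_5SbdoqoVA';
$appClientId = '5vnnvqgelv3lk22n40kc6pf9pe';

// The issuer (`iss`) Cognito writes into every token of this pool, and the
// JSON Web Key Set URL (JKU) derived from it:
//   https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
// See: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-identity-user-pools-using-id-and-access-tokens-in-web-api
$issuer = sprintf('https://cognito-idp.%s.amazonaws.com/%s', $region, $userPoolId);
$jku    = $issuer . '/.well-known/jwks.json';

// Claim checks applied once the signature has been verified.
// 'exp' stays enabled: an expired token must be rejected. The sample token
// embedded below has long since expired, so running this file as-is ends in
// the catch branch — that is the correct outcome, not a defect.
$claim_checker_list = [
    'exp',
    'iat',
    'nbf',
    // Binds the token to this user pool, not merely to "some key that verifies".
    new IssuerChecker($issuer),
    // `aud` is present on Cognito ID tokens; access tokens carry `client_id` instead,
    // so an access token is not pinned to the app client by this checker alone.
    new AudienceChecker($appClientId),
];
// 'crit' is the only header checker: a critical header the library cannot
// understand makes the token fail instead of being silently ignored.
$checker = CheckerManagerFactory::createClaimCheckerManager($claim_checker_list, ['crit']);

// Load the key set from the JKU. The factory only fetches over HTTPS unless
// explicitly told otherwise, which keeps the key material authentic in transit.
$jwk_set = JWKFactory::createFromJKU($jku);

$loader = new Loader();

// This is the token we want to load and verify.
$token = 'eyJraWQiOiJ1K2x6NlZFWDB6QmJVcTFISDUwUXlUSk1VT0pjZGZhQ1pUd1hrUUM4MUJjPSIsImFsZyI6IlJTMjU2In0.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.qPG2mzHHgeeni4QMnaY9bUm1jNccFc9BRBrPXsJPKLaoKZndKYZICjv7EWVMeLM0EsR7R3Th2u03b1XSzfjIfBPP5uzH35e-sdpT6mdr78w7NUdTQ-cfIuP1Rms7uvk9fR9LOBo0ecq04MYfEkaCWBK7ke-qQ9djzyPdxptW4DJtWQPLAWYQ0L0DSZSuP-GuuHWdA_-tHO4gDIbV1dA8dYyGf5E4Kg-1A8Y6JDQoDuWupWVLYjhRCx5-oVU_X9sQA6LgziMJVgCMbj0_2Av-qWWH__PBrySVrH32dCqGyuMmvCL777875Q2gUkNYNmcx1_4rl4ugF14MDVazS4BcWw';

// Verified claims on success; the failure reason is kept in a separate variable
// so an error string can never be mistaken for a verified payload.
$valid = null;
$error = null;
// Filled in by reference by loadAndVerifySignatureUsingKeySet() with the index
// of the signature that verified; the claim checker is run on that same index.
$signature_index = null;

if ($token !== '') {
    try {
        // Only RS256 is accepted: the explicit algorithm allow-list means the
        // token's own `alg` header cannot choose a weaker verification method.
        $jws = $loader->loadAndVerifySignatureUsingKeySet(
            $token,
            $jwk_set,
            ['RS256'],
            $signature_index
        );
        // Claims are checked only after the signature verified, never on unverified input.
        $checker->checkJWS($jws, $signature_index);
        $valid = $jws->getPayload();
        // Contains the username, sub, expiry and other details for use in your
        // application. print_r() handles both the array and string payload forms.
        print_r($valid);
    } catch (Exception $e) {
        $error = $e->getMessage();
    }
}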