v6.5.0

6.5.0 (2023-05-12)

Bug Fixes

• allow KID of '0' (#505) (9dc46a9)

Miscellaneous Chores

• drop support for PHP 7.3 (#495)

v6.4.0

6.4.0 (2023-02-08)

Features

• add support for W3C ES256K (#462) (213924f)
• improve caching by only decoding jwks when necessary (#486) (78d3ed1)

v6.3.2

6.3.2 (2022-11-01)

Bug Fixes

• check kid before using as array index (bad1b04)

v6.3.1

6.3.1 (2022-11-01)

Bug Fixes

• casing of GET for PSR compat (#451) (60b52b7)
• string interpolation format for php 8.2 (#446) (2e07d8a)

v6.3.0

Features

• Added ES256 support to JWK parsing (#399)

Bug Fixes

• Fixed potential caching error in CachedKeySet by caching jwks as strings (#435)

v6.2.0

Features

1. Added Cached Key Sets (#397)!! See the README for usage instructions

2. Added $defaultAlg parameter to JWT::parseKey and JWT::parseKeySet (#426). This will allow users to parse JWKS which do not populate the alg parameter without having to manually edit the JSON.

v6.1.2

Bug Fix

• revert the flag to json_decode to force object (#420)

Note: This fixes the PHP Fatal error the previous version tried to fix, but does so in a safer way.

v6.1.1

Bug Fixes

Add flag to json_decode to force object (#416)

Note: This technically breaks backwards compatibility, but it fixes a PHP Fatal error in the current release on JWT::decode which also broke backwards compatibility, so we hope it's justified 🤞

v6.1.0

Note: There should be no issues with backwards compatibility unless types were being used incorrectly

• This version is compatible with PHP >= 7.1
• Drop support for PHP 5.3, 5.4, 5.5, 5.6, and 7.0
• Add parameter typing and return types
• Better PHPDoc / IDE support

v6.0.0

Note: This version is compatible with PHP >= 5.3

Backwards Compatibility Breaking Changes

• The second argument of JWT::decode now must be Firebase\JWT\Key or array<string, Firebase\JWT\Key> (see #376)
• The return type of Firebase\JWT\JWK::parseKey is now Firebase\JWT\Key (see #392)
• The return type of Firebase\JWT\JWK::parseKeySet is now array<string, Firebase\JWT\Key> (see #376)
• The "alg" parameter is required to be set for all JWKS parsed using Firebase\JWT\JWK::parseKeySet (see #376)
• The flag JSON_UNESCAPED_SLASHES is now used for JSON decoding (see #376)
• Constants ASN1_INTEGER, ASN1_SEQUENCE, and ASN1_BIT_STRING have been removed (see #376)
• JWT::encode requires third argument $alg (see #377)
• JWT::sign requires third argument $alg (see #377)

Using Firebase\JWT\Key

Using the Key object in JWT::decode

As a security fix, to avoid key type confusion (see #351), use of Firebase\JWT\Key is now required when decoding:

use Firebase\JWT\JWT;

// previous (v5.5.1 and below)
$decoded = JWT::decode($jwt, $publicKey, 'RS256');

// new (v6.0.0)
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));

And when you have more than one key, the second argument can be an array of Key objects:

use Firebase\JWT\JWT;

// previous (v5.5.1 and below)
$decoded = JWT::decode($jwt, [$publicKey1, $publicKey2], 'RS256');

// new (v6.0.0)
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, [
    'kid1' => new Key($publicKey1, 'RS256'),
    'kid2' => new Key($publicKey2, 'RS256')
]);  

Note: When providing multiple keys, you must provide the matching $kid as the fourth parameter
to the JWT::encode function

Using the Key object in JWK::parseKey and JWK::parseKeySet

Calls to JWK::parseKey and JWK::parseKeySet now return a Key object and an array
of Key objects respectively.

use Firebase\JWT\JWK;

// previous (v5.5.1 and below)
$key = JWK::parseKey($jwk); // $key is a resource
$keys = JWK::parseKeySet($jwks); // $keys is an associative array key ID to resources

// new (v6.0.0)
$key = JWK::parseKey($jwk); // $key is a Key object
$keys = JWK::parseKeySet($jwks); // $keys is an associative array of key ID to Key objects

If the keys in your JWKS do not contain the "alg", you need to set it manually to the expected algorithm, for it to be able to parse successfully:

// new (v6.0.0) for JWKS which do not contain "alg"
foreach ($jwks as $k => $jwks) {
    $jwks[$k]['alg'] = 'RS256'; // the expected alg of your JWKS
}
$keys = JWK::parseKeySet($jwks); // $keys is an associative array of key ID to Key objects