|
@@ -0,0 +1,304 @@
|
|
|
+<?php
|
|
|
+
|
|
|
+/*
|
|
|
+ * This file is part of jwt-auth.
|
|
|
+ *
|
|
|
+ * (c) Sean Tymon <tymon148@gmail.com>
|
|
|
+ *
|
|
|
+ * For the full copyright and license information, please view the LICENSE
|
|
|
+ * file that was distributed with this source code.
|
|
|
+ */
|
|
|
+
|
|
|
+return [
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | JWT Authentication Secret
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Don't forget to set this in your .env file, as it will be used to sign
|
|
|
+ | your tokens. A helper command is provided for this:
|
|
|
+ | `php artisan jwt:secret`
|
|
|
+ |
|
|
|
+ | Note: This will be used for Symmetric algorithms only (HMAC),
|
|
|
+ | since RSA and ECDSA use a private/public key combo (See below).
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'secret' => env('JWT_SECRET'),
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | JWT Authentication Keys
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | The algorithm you are using, will determine whether your tokens are
|
|
|
+ | signed with a random string (defined in `JWT_SECRET`) or using the
|
|
|
+ | following public & private keys.
|
|
|
+ |
|
|
|
+ | Symmetric Algorithms:
|
|
|
+ | HS256, HS384 & HS512 will use `JWT_SECRET`.
|
|
|
+ |
|
|
|
+ | Asymmetric Algorithms:
|
|
|
+ | RS256, RS384 & RS512 / ES256, ES384 & ES512 will use the keys below.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'keys' => [
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Public Key
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | A path or resource to your public key.
|
|
|
+ |
|
|
|
+ | E.g. 'file://path/to/public/key'
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'public' => env('JWT_PUBLIC_KEY'),
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Private Key
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | A path or resource to your private key.
|
|
|
+ |
|
|
|
+ | E.g. 'file://path/to/private/key'
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'private' => env('JWT_PRIVATE_KEY'),
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Passphrase
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | The passphrase for your private key. Can be null if none set.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'passphrase' => env('JWT_PASSPHRASE'),
|
|
|
+
|
|
|
+ ],
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | JWT time to live
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Specify the length of time (in minutes) that the token will be valid for.
|
|
|
+ | Defaults to 1 hour.
|
|
|
+ |
|
|
|
+ | You can also set this to null, to yield a never expiring token.
|
|
|
+ | Some people may want this behaviour for e.g. a mobile app.
|
|
|
+ | This is not particularly recommended, so make sure you have appropriate
|
|
|
+ | systems in place to revoke the token if necessary.
|
|
|
+ | Notice: If you set this to null you should remove 'exp' element from 'required_claims' list.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'ttl' => env('JWT_TTL', 60),
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Refresh time to live
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Specify the length of time (in minutes) that the token can be refreshed
|
|
|
+ | within. I.E. The user can refresh their token within a 2 week window of
|
|
|
+ | the original token being created until they must re-authenticate.
|
|
|
+ | Defaults to 2 weeks.
|
|
|
+ |
|
|
|
+ | You can also set this to null, to yield an infinite refresh time.
|
|
|
+ | Some may want this instead of never expiring tokens for e.g. a mobile app.
|
|
|
+ | This is not particularly recommended, so make sure you have appropriate
|
|
|
+ | systems in place to revoke the token if necessary.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'refresh_ttl' => env('JWT_REFRESH_TTL', 20160),
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | JWT hashing algorithm
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Specify the hashing algorithm that will be used to sign the token.
|
|
|
+ |
|
|
|
+ | See here: https://github.com/namshi/jose/tree/master/src/Namshi/JOSE/Signer/OpenSSL
|
|
|
+ | for possible values.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'algo' => env('JWT_ALGO', 'HS256'),
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Required Claims
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Specify the required claims that must exist in any token.
|
|
|
+ | A TokenInvalidException will be thrown if any of these claims are not
|
|
|
+ | present in the payload.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'required_claims' => [
|
|
|
+ 'iss',
|
|
|
+ 'iat',
|
|
|
+ 'exp',
|
|
|
+ 'nbf',
|
|
|
+ 'sub',
|
|
|
+ 'jti',
|
|
|
+ ],
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Persistent Claims
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Specify the claim keys to be persisted when refreshing a token.
|
|
|
+ | `sub` and `iat` will automatically be persisted, in
|
|
|
+ | addition to the these claims.
|
|
|
+ |
|
|
|
+ | Note: If a claim does not exist then it will be ignored.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'persistent_claims' => [
|
|
|
+ // 'foo',
|
|
|
+ // 'bar',
|
|
|
+ ],
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Lock Subject
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | This will determine whether a `prv` claim is automatically added to
|
|
|
+ | the token. The purpose of this is to ensure that if you have multiple
|
|
|
+ | authentication models e.g. `App\User` & `App\OtherPerson`, then we
|
|
|
+ | should prevent one authentication request from impersonating another,
|
|
|
+ | if 2 tokens happen to have the same id across the 2 different models.
|
|
|
+ |
|
|
|
+ | Under specific circumstances, you may want to disable this behaviour
|
|
|
+ | e.g. if you only have one authentication model, then you would save
|
|
|
+ | a little on token size.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'lock_subject' => true,
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Leeway
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | This property gives the jwt timestamp claims some "leeway".
|
|
|
+ | Meaning that if you have any unavoidable slight clock skew on
|
|
|
+ | any of your servers then this will afford you some level of cushioning.
|
|
|
+ |
|
|
|
+ | This applies to the claims `iat`, `nbf` and `exp`.
|
|
|
+ |
|
|
|
+ | Specify in seconds - only if you know you need it.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'leeway' => env('JWT_LEEWAY', 0),
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Blacklist Enabled
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | In order to invalidate tokens, you must have the blacklist enabled.
|
|
|
+ | If you do not want or need this functionality, then set this to false.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'blacklist_enabled' => env('JWT_BLACKLIST_ENABLED', true),
|
|
|
+
|
|
|
+ /*
|
|
|
+ | -------------------------------------------------------------------------
|
|
|
+ | Blacklist Grace Period
|
|
|
+ | -------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | When multiple concurrent requests are made with the same JWT,
|
|
|
+ | it is possible that some of them fail, due to token regeneration
|
|
|
+ | on every request.
|
|
|
+ |
|
|
|
+ | Set grace period in seconds to prevent parallel request failure.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'blacklist_grace_period' => env('JWT_BLACKLIST_GRACE_PERIOD', 0),
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Cookies encryption
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | By default Laravel encrypt cookies for security reason.
|
|
|
+ | If you decide to not decrypt cookies, you will have to configure Laravel
|
|
|
+ | to not encrypt your cookie token by adding its name into the $except
|
|
|
+ | array available in the middleware "EncryptCookies" provided by Laravel.
|
|
|
+ | see https://laravel.com/docs/master/responses#cookies-and-encryption
|
|
|
+ | for details.
|
|
|
+ |
|
|
|
+ | Set it to true if you want to decrypt cookies.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'decrypt_cookies' => false,
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Providers
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Specify the various providers used throughout the package.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'providers' => [
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | JWT Provider
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Specify the provider that is used to create and decode the tokens.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'jwt' => Tymon\JWTAuth\Providers\JWT\Lcobucci::class,
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Authentication Provider
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Specify the provider that is used to authenticate users.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'auth' => Tymon\JWTAuth\Providers\Auth\Illuminate::class,
|
|
|
+
|
|
|
+ /*
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ | Storage Provider
|
|
|
+ |--------------------------------------------------------------------------
|
|
|
+ |
|
|
|
+ | Specify the provider that is used to store tokens in the blacklist.
|
|
|
+ |
|
|
|
+ */
|
|
|
+
|
|
|
+ 'storage' => Tymon\JWTAuth\Providers\Storage\Illuminate::class,
|
|
|
+
|
|
|
+ ],
|
|
|
+
|
|
|
+];
|