Skip to content

Commit 1dc8675

Browse files
SvenRtbglcobucci
SvenRtbg
authored and
lcobucci
committed
Update migration guide with details for audience claims
1 parent b80c487 commit 1dc8675

File tree

1 file changed

+111
-0
lines changed

1 file changed

+111
-0
lines changed

docs/upgrading.md

Lines changed: 111 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,33 @@ We're building on the version `v3.4.0` a forward compatibility layer to help use
1010
To help on the migration process, all deprecated components are being marked with `@deprecated` and deprecated behaviour will trigger a `E_USER_DEPRECATED` error.
1111
However, you can also find here the instructions on how to make your code compatible with both versions.
1212

13+
### General migration strategy
14+
15+
Update your existing software to the latest 3.4.x version using composer:
16+
17+
```sh
18+
composer require lcobucci/jwt ^3.4
19+
```
20+
21+
Then run your tests and fix all deprecation notices.
22+
Also change all calls to deprecated methods, even if they are not triggering any notices.
23+
Tools like [`phpstan/phpstan-deprecation-rules`](https://github.com/phpstan/phpstan-deprecation-rules) can help finding them.
24+
25+
Note that PHPUnit tests will only fail if you have the `E_USER_DEPRECATED` error level activated - it is a good practice to run tests using `E_ALL`.
26+
Data providers that trigger deprecation messages will not fail tests at all, only print the message to the console.
27+
Make sure you do not see any of them before you continue.
28+
29+
Now you can upgrade to the latest 4.x version:
30+
31+
```sh
32+
composer require lcobucci/jwt ^4.0
33+
```
34+
35+
Remember that some deprecation messages from the 3.4 version may have notified you that things still are different in 4.0, so you may find you need to adapt your own code once more at this stage.
36+
37+
While you are at it, consider using the new configuration object.
38+
The details are listed below.
39+
1340
### Inject the configuration object instead of builder/parser/key
1441

1542
This object serves as a small service locator that centralises the JWT-related dependencies.
@@ -151,6 +178,90 @@ Here's the migration:
151178
+ ->getToken($config->signer(), $config->signingKey());
152179
```
153180

181+
#### Support for multiple audiences
182+
183+
Even though we didn't officially support multiple audiences, it was technically possible to achieve that by manually setting the `aud` claim to an array with multiple strings.
184+
185+
If you parse a token with 3.4, and read its contents with `\Lcobucci\JWT\Token#getClaim()` or`\Lcobucci\JWT\Token#getClaims()`, you will only get the first element of such an array back.
186+
If the audience claim does only contain a string, or only contains one string in the array, nothing changes.
187+
Please [upgrade to the new Token API](#use-the-new-token-api) for accessing claims in order to get the full audience array again (e.g. call `Token#claims()->get('aud')`).
188+
189+
When creating a token, use the new method `Builder#permittedFor()` as detailed below.
190+
191+
##### Multiple calls to `Builder#permittedFor()`
192+
193+
```diff
194+
<?php
195+
declare(strict_types=1);
196+
197+
namespace Me\MyApp\Authentication;
198+
199+
-use Lcobucci\JWT\Builder;
200+
+use Lcobucci\JWT\Configuration;
201+
+use Lcobucci\JWT\Signer\Key\InMemory;
202+
use Lcobucci\JWT\Signer\Hmac\Sha256;
203+
204+
+$config = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText('testing'));
205+
206+
-$token = (new Builder())
207+
+$token = $config->builder()
208+
- ->withClaim('aud', ['one', 'two', 'three'])
209+
+ ->permittedFor('one')
210+
+ ->permittedFor('two')
211+
+ ->permittedFor('three')
212+
- ->sign(new Sha256(), 'testing')
213+
- ->getToken();
214+
+ ->getToken($config->signer(), $config->signingKey());
215+
```
216+
217+
##### Single call to `Builder#permittedFor()` with multiple arguments
218+
219+
```diff
220+
<?php
221+
declare(strict_types=1);
222+
223+
namespace Me\MyApp\Authentication;
224+
225+
-use Lcobucci\JWT\Builder;
226+
+use Lcobucci\JWT\Configuration;
227+
+use Lcobucci\JWT\Signer\Key\InMemory;
228+
use Lcobucci\JWT\Signer\Hmac\Sha256;
229+
230+
+$config = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText('testing'));
231+
232+
-$token = (new Builder())
233+
+$token = $config->builder()
234+
- ->withClaim('aud', ['one', 'two', 'three'])
235+
+ ->permittedFor('one', 'two', 'three')
236+
- ->sign(new Sha256(), 'testing')
237+
- ->getToken();
238+
+ ->getToken($config->signer(), $config->signingKey());
239+
```
240+
241+
##### Single call to `Builder#permittedFor()` with argument unpacking
242+
243+
```diff
244+
<?php
245+
declare(strict_types=1);
246+
247+
namespace Me\MyApp\Authentication;
248+
249+
-use Lcobucci\JWT\Builder;
250+
+use Lcobucci\JWT\Configuration;
251+
+use Lcobucci\JWT\Signer\Key\InMemory;
252+
use Lcobucci\JWT\Signer\Hmac\Sha256;
253+
254+
+$config = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText('testing'));
255+
256+
-$token = (new Builder())
257+
+$token = $config->builder()
258+
- ->withClaim('aud', ['one', 'two', 'three'])
259+
+ ->permittedFor(...['one', 'two', 'three'])
260+
- ->sign(new Sha256(), 'testing')
261+
- ->getToken();
262+
+ ->getToken($config->signer(), $config->signingKey());
263+
```
264+
154265
### Replace `Token#verify()` and `Token#validate()` with Validation API
155266

156267
These methods were quite limited and brings multiple responsibilities to the `Token` class.

0 commit comments

Comments
 (0)