Lexikjwtauthenticationbundle: Consider swapping out the underlying JWT encoder library

Created on 14 Sep 2020  路  5Comments  路  Source: lexik/LexikJWTAuthenticationBundle

Both https://github.com/lcobucci/jwt and https://github.com/namshi/jose are is now officially deprecated. Both libraries equally recommend using firebase/jwt. Would you consider accepting a PR that will replace/supplement the two libraries? For gradual migration path, I'd recommend the following:

  1. Introduce a new JWT encoder service based on firebase/jwt in the next minor version and deprecate the existing implementation.
  2. Remove the previous implementation in the next major version.

Thoughts?

EDIT: Err, I must have opened the same link twice, only https://github.com/namshi/jose is deprecated. The other one is not. Nevertheless, we could replace it with firebase/jwt.

Most helpful comment

After analysis, I think lcobucci/jwt is definitely better for many reasons.

  • Better code design
  • Better test coverage
  • Up-to-date with recent PHP version

All 5 comments

Hello,

@chalasr, could you please give your point of view regarding this?

Thanks!

Hello,

The namshi/jose implementation is deprecated and is going to be removed in the next major of this bundle, it's not used by default.

Both libraries equally recommend using firebase/jwt.

That's wrong: in addition to being well designed, lcobucci/jwt is actively well maintained.
So, what would be the benefits of using firebase/jwt over lcobucci/jwt?

Also it seems that firebase/jwt does not support passphrases for asymmetric keys at the moment, that is a considerable issue to me.
I'm not against the idea of introducing and maintaining an optional firebase/jwt integration, but we first need to make sure it's compatible (i.e. fulfils the bundle' configuration).

Hello,

The namshi/jose implementation is deprecated and is going to be removed in the next major of this bundle, it's not used by default.

Ok good news!

Both libraries equally recommend using firebase/jwt.

That's wrong: in addition to being well designed, lcobucci/jwt is actively well maintained.

Fair enough, I didn't checked carefully yet.

So, what would be the benefits of using firebase/jwt over lcobucci/jwt?

I don't know yet, I have to check in depth, I just stumbled across this issue and wanted to have the maintainer point of view :-)
I know that firebase/php-jwt includes a JWK class that let people convert keys from JWK format, it's useful.

Also it seems that firebase/jwt does not support passphrases for asymmetric keys at the moment, that is a considerable issue to me.

No it does support it, it's just not written explicitly, see https://github.com/firebase/php-jwt/issues/318

I'm not against the idea of introducing and maintaining an optional firebase/jwt integration, but we first need to make sure it's compatible (i.e. fulfils the bundle' configuration).

Definitely !

After analysis, I think lcobucci/jwt is definitely better for many reasons.

  • Better code design
  • Better test coverage
  • Up-to-date with recent PHP version

Thanks for confirming, closing then.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ndoulgeridis picture ndoulgeridis  路  3Comments

tsdevelopment picture tsdevelopment  路  4Comments

hiromik picture hiromik  路  3Comments

Zempheroth picture Zempheroth  路  4Comments

Walkoss picture Walkoss  路  4Comments