Merge branch 'main' into main

Author: bshaffer

CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## [6.11.1](https://github.com/firebase/php-jwt/compare/v6.11.0...v6.11.1) (2025-04-09)
+
+
+### Bug Fixes
+
+* update error text for consistency ([#528](https://github.com/firebase/php-jwt/issues/528)) ([c11113a](https://github.com/firebase/php-jwt/commit/c11113afa13265e016a669e75494b9203b8a7775))
+
+## [6.11.0](https://github.com/firebase/php-jwt/compare/v6.10.2...v6.11.0) (2025-01-23)
+
+
+### Features
+
+* support octet typed JWK ([#587](https://github.com/firebase/php-jwt/issues/587)) ([7cb8a26](https://github.com/firebase/php-jwt/commit/7cb8a265fa81edf2fa6ef8098f5bc5ae573c33ad))
+
+
+### Bug Fixes
+
+* refactor constructor Key to use PHP 8.0 syntax ([#577](https://github.com/firebase/php-jwt/issues/577)) ([29fa2ce](https://github.com/firebase/php-jwt/commit/29fa2ce9e0582cd397711eec1e80c05ce20fabca))
+
 ## [6.10.2](https://github.com/firebase/php-jwt/compare/v6.10.1...v6.10.2) (2024-11-24)
 
 

README.md

@@ -48,7 +48,8 @@ $decoded = JWT::decode($jwt, new Key($key, 'HS256'));
 print_r($decoded);
 
 // Pass a stdClass in as the third parameter to get the decoded header values
-$decoded = JWT::decode($jwt, new Key($key, 'HS256'), $headers = new stdClass());
+$headers = new stdClass();
+$decoded = JWT::decode($jwt, new Key($key, 'HS256'), $headers);
 print_r($headers);
 
 /*
@@ -290,7 +291,7 @@ $jwks = ['keys' => []];
 
 // JWK::parseKeySet($jwks) returns an associative array of **kid** to Firebase\JWT\Key
 // objects. Pass this as the second parameter to JWT::decode.
-JWT::decode($payload, JWK::parseKeySet($jwks));
+JWT::decode($jwt, JWK::parseKeySet($jwks));
 ```
 
 Using Cached Key Sets
@@ -349,7 +350,7 @@ use InvalidArgumentException;
 use UnexpectedValueException;
 
 try {
-    $decoded = JWT::decode($payload, $keys);
+    $decoded = JWT::decode($jwt, $keys);
 } catch (InvalidArgumentException $e) {
     // provided key/key-array is empty or malformed.
 } catch (DomainException $e) {
@@ -379,7 +380,7 @@ like this:
 use Firebase\JWT\JWT;
 use UnexpectedValueException;
 try {
-    $decoded = JWT::decode($payload, $keys);
+    $decoded = JWT::decode($jwt, $keys);
 } catch (LogicException $e) {
     // errors having to do with environmental setup or malformed JWT Keys
 } catch (UnexpectedValueException $e) {
@@ -394,7 +395,7 @@ instead, you can do the following:
 
 ```php
 // return type is stdClass
-$decoded = JWT::decode($payload, $keys);
+$decoded = JWT::decode($jwt, $keys);
 
 // cast to array
 $decoded = json_decode(json_encode($decoded), true);

src/JWK.php

@@ -210,6 +210,12 @@ public static function parseKey(array $jwk, ?string $defaultAlg = null): ?Key
                 // This library works internally with EdDSA keys (Ed25519) encoded in standard base64.
                 $publicKey = JWT::convertBase64urlToBase64($jwk['x']);
                 return new Key($publicKey, $jwk['alg']);
+            case 'oct':
+                if (!isset($jwk['k'])) {
+                    throw new UnexpectedValueException('k not set');
+                }
+
+                return new Key(JWT::urlsafeB64Decode($jwk['k']), $jwk['alg']);
             default:
                 break;
         }

src/JWT.php

@@ -181,7 +181,7 @@ public static function decode(
         // token can actually be used. If it's not yet that time, abort.
         if (isset($payload->nbf) && floor($payload->nbf) > ($timestamp + static::$leeway)) {
             $ex = new BeforeValidException(
-                'Cannot handle token with nbf prior to ' . \date(DateTime::ISO8601, (int) $payload->nbf),
+                'Cannot handle token with nbf prior to ' . \date(DateTime::ATOM, (int) floor($payload->nbf))
                 JwtExceptionInterface::NBF_PRIOR_TO_DATE
             );
             $ex->setPayload($payload);
@@ -193,7 +193,7 @@ public static function decode(
         // correctly used the nbf claim).
         if (!isset($payload->nbf) && isset($payload->iat) && floor($payload->iat) > ($timestamp + static::$leeway)) {
             $ex = new BeforeValidException(
-                'Cannot handle token with iat prior to ' . \date(DateTime::ISO8601, (int) $payload->iat),
+                'Cannot handle token with iat prior to ' . \date(DateTime::ATOM, (int) floor($payload->iat))
                 JwtExceptionInterface::IAT_PRIOR_TO_DATE
             );
             $ex->setPayload($payload);

tests/JWKTest.php

@@ -170,6 +170,31 @@ public function testDecodeByMultiJwkKeySet()
         $this->assertSame('bar', $result->sub);
     }
 
+    public function testDecodeByOctetJwkKeySet()
+    {
+        $jwkSet = json_decode(
+            file_get_contents(__DIR__ . '/data/octet-jwkset.json'),
+            true
+        );
+        $keys = JWK::parseKeySet($jwkSet);
+        $payload = ['sub' => 'foo', 'exp' => strtotime('+10 seconds')];
+        foreach ($keys as $keyId => $key) {
+            $msg = JWT::encode($payload, $key->getKeyMaterial(), $key->getAlgorithm(), $keyId);
+            $result = JWT::decode($msg, $keys);
+
+            $this->assertSame('foo', $result->sub);
+        }
+    }
+
+    public function testOctetJwkMissingK()
+    {
+        $this->expectException(UnexpectedValueException::class);
+        $this->expectExceptionMessage('k not set');
+
+        $badJwk = ['kty' => 'oct', 'alg' => 'HS256'];
+        $keys = JWK::parseKeySet(['keys' => [$badJwk]]);
+    }
+
     public function testParseKey()
     {
         // Use a known module and exponent, and ensure it parses as expected

tests/data/octet-jwkset.json

@@ -0,0 +1,22 @@
+{
+    "keys": [
+        {
+            "kty": "oct",
+            "alg": "HS256",
+            "kid": "jwk1",
+            "k": "xUNfVvQ-WdmXB9qp6qK0SrG-yKW4AJqmcSP66Gm2TrE"
+        },
+        {
+            "kty": "oct",
+            "alg": "HS384",
+            "kid": "jwk2",
+            "k": "z7990HoD72QDX9JKqeQc3l7EtXutco72j2YulZMjeakFVDbFGXGDFG4awOF7eu9l"
+        },
+        {
+            "kty": "oct",
+            "alg": "HS512",
+            "kid": "jwk3",
+            "k": "EmYGSDG5W1UjkPIL7LelG-QMVtsXn7bz5lUxBrkqq3kdFEzkLWVGrXKpZxRe7YcApCe0d4s9lXRQtn5Nzaf49w"
+        }
+    ]
+}