JwtValidator

class Vendidit\AuthServer\Tokens\JwtValidator Source: src/Tokens/JwtValidator.php

Local HS256 access-token validator.

Validation order (mirroring auth-server/internal/auth/jwt/service.go ValidateAccessToken):

  1. Decode the JWT with the active secret.

    • On SignatureInvalid with a previous-slot secret configured, retry once with the previous secret. Any other failure (expired, malformed, not-yet-valid) is final (parity with parseWithRotation, jwt/service.go ~190).
    • Audience + issuer enforced via firebase/php-jwt.

  2. Reject refresh tokens: they MUST NOT authenticate requests (auth-server-client TokenValidatorService:58-60).

  3. Optional revocation gate (when a RevocationCache is wired):

    • jti blacklist → TokenRevokedException
    • per-user token-version (tv) < current → TokenRevokedException

    Both checks fail open on backend errors (matches the Go server's NoOpTokenCache).

  4. Build a typed Principal:

    • token_type === 'service' → ServicePrincipal
    • else → UserPrincipal

Note: firebase/php-jwt’s audience/issuer enforcement requires the claims to be present on the token. The Go server always emits both via the jwt.RegisteredClaims embed in TokenClaims (claims.go line 11).
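The four validation steps above, as an added example written for this page rather than the project's own JwtValidator source. It assumes firebase/php-jwt 6.x, that refresh tokens carry token_type 'refresh', a hypothetical RevocationCache shape with isJtiRevoked() and tokenVersion(), and that a missing tv claim counts as version 0; issuer and audience are compared explicitly, and the principal is returned as a tagged array instead of the real Principal classes.

```php
<?php
// Added example, not the project's source. Assumed: claims token_type/jti/sub/tv,
// refresh tokens marked token_type === 'refresh', and the hypothetical cache below.
require 'vendor/autoload.php';                 // firebase/php-jwt 6.x via composer
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Firebase\JWT\SignatureInvalidException;

class TokenRevokedException extends RuntimeException {}
interface RevocationCache {                    // hypothetical shape of the wired cache
    public function isJtiRevoked(string $jti): bool;
    public function tokenVersion(string $sub): ?int;   // null = no version stored
}

function validateAccessToken(string $jwt, string $active, ?string $previous,
    string $issuer, string $audience, ?RevocationCache $cache): array
{
    try {                                      // 1. decode with the active secret
        $claims = JWT::decode($jwt, new Key($active, 'HS256'));
    } catch (SignatureInvalidException $e) {   // retry only on a bad signature
        if ($previous === null) throw $e;      // expired/malformed etc. are final
        $claims = JWT::decode($jwt, new Key($previous, 'HS256'));
    }
    if (($claims->iss ?? null) !== $issuer || ($claims->aud ?? null) !== $audience) {
        throw new UnexpectedValueException('issuer or audience mismatch');
    }
    if (($claims->token_type ?? null) === 'refresh') {   // 2. never authenticates
        throw new UnexpectedValueException('refresh token presented as access token');
    }
    if ($cache !== null) {                     // 3. optional revocation gate
        try {
            if ($cache->isJtiRevoked($claims->jti ?? '')) {
                throw new TokenRevokedException('jti revoked');
            }
            $current = $cache->tokenVersion($claims->sub ?? '');
            if ($current !== null && (int)($claims->tv ?? 0) < $current) {
                throw new TokenRevokedException('token version superseded');
            }
        } catch (TokenRevokedException $e) {
            throw $e;                          // a revocation hit is always fatal
        } catch (Throwable $e) {
            // cache backend error: fail open, as the Go NoOpTokenCache does
        }
    }
    // 4. typed principal (tagged array here; the project builds real classes)
    $kind = (($claims->token_type ?? null) === 'service') ? 'ServicePrincipal' : 'UserPrincipal';
    return ['principal' => $kind, 'sub' => $claims->sub ?? null, 'claims' => $claims];
}
```

A token that fails the signature check with both secrets still raises SignatureInvalidException from the second decode, so rotation never widens what is accepted beyond the two configured slots.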