Configuration reference
Bundle configuration
Using RSA/ECDSA
1 2 3 4 5 6 7 8 9 10 11
# config/packages/lexik_jwt_authentication.yaml
#...
lexik_jwt_authentication:
secret_key: '%kernel.project_dir%/config/jwt/private.pem' # path to the secret key OR raw secret key, required for creating tokens
public_key: '%kernel.project_dir%/config/jwt/public.pem' # path to the public key OR raw public key, required for verifying tokens
pass_phrase: 'yourpassphrase' # required for creating tokens
# Additional public keys are used to verify signature of incoming tokens, if the key provided in "public_key" configuration node doesn't verify the token
additional_public_keys:
- '%kernel.project_dir%/config/jwt/public1.pem'
- '%kernel.project_dir%/config/jwt/public2.pem'
- '%kernel.project_dir%/config/jwt/public3.pem'
Using HMAC
1 2 3 4
# config/packages/lexik_jwt_authentication.yaml
#...
lexik_jwt_authentication:
secret_key: yoursecret
Full default configuration
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
# config/packages/lexik_jwt_authentication.yaml
# ...
lexik_jwt_authentication:
secret_key: ~
public_key: ~
pass_phrase: ~
token_ttl: 3600 # token TTL in seconds, defaults to 1 hour
clock_skew: 0
allow_no_expiration: false # set to true to allow tokens without exp claim
# token encoding/decoding settings
encoder:
# token encoder/decoder service - default implementation based on the lcobucci/jwt library
service: lexik_jwt_authentication.encoder.lcobucci
# encryption algorithm used by the encoder service
signature_algorithm: RS256
# token extraction settings
token_extractors:
# look for a token as Authorization Header
authorization_header:
enabled: true
prefix: Bearer
name: Authorization
# check token in a cookie
cookie:
enabled: false
name: BEARER
# check token in query string parameter
query_parameter:
enabled: false
name: bearer
# check token in a cookie
split_cookie:
enabled: false
cookies:
- jwt_hp
- jwt_s
# remove the token from the response body when using cookies
remove_token_from_body_when_cookies_used: true
# invalidate the token on logout by storing it in the cache
blocklist_token:
enabled: true
cache: cache.app
Encoder configuration
service
Defaults to lexik_jwt_authentication.encoder.lcobucci
which is based
on the Lcobucci/JWT library.
For an advanced token encoding with higher encryption support, please see the Spomky-Labs/lexik-jose-bridge which is based on the great web-token/jwt-framework library.
To create your own encoder service, see the JWT encoder service customization chapter.
signature_algorithm
One of the encryption algorithms supported by the default encoder service.
- HS256, HS384, HS512 (HMAC)
- RS256, RS384, RS512 (RSA)
- ES256, ES384, ES512 (ECDSA)
Automatically generating cookies
You are now able to automatically generate secure and httpOnly cookies when the cookie token extractor is enabled #753.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
token_extractors:
cookie:
enabled: true
name: BEARER
# ...
set_cookies:
BEARER: ~
# Full config with defaults:
# BEARER:
# lifetime: null (defaults to token ttl)
# samesite: lax
# path: /
# domain: null (null means automatically set by symfony)
# secure: true (default to true)
# httpOnly: true
# partitioned: false
Automatically generating split cookies
You are also able to automatically generate split cookies. Benefits of this approach are in this post.
Set the signature cookie (jwt_s) lifetime to 0 to create session cookies.
Keep in mind, that SameSite attribute is not supported in some browsers
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
token_extractors:
split_cookie:
enabled: true
cookies:
- jwt_hp
- jwt_s
set_cookies:
jwt_hp:
lifetime: null
samesite: strict
path: /
domain: null
httpOnly: false
partitioned: false # Only for Symfony 6.4 or higher
split:
- header
- payload
jwt_s:
lifetime: 0
samesite: strict
path: /
domain: null
httpOnly: true
partitioned: false # Only for Symfony 6.4 or higher
split:
- signature
Keep the token in the body when using cookies
When using cookies the response defaults to an empty body and result code 204. It is possible to modify this behaviour.
Keep in mind, this invalidates a requirement from the previously mentioned post, namely "JavaScript/front-end should never have access to the full JWT".
1
remove_token_from_body_when_cookies_used: false
Security configuration
1 2 3 4 5 6 7 8 9 10 11 12 13
# config/packages/security.yaml
security:
enable_authenticator_manager: true # Only for Symfony 5.4
firewalls:
api:
# ...
jwt: ~ # enables the jwt authenticator
# Full config with defaults:
# jwt:
# provider: null (you can put provider here or just ignore this config)
# authenticator: lexik_jwt_authentication.security.jwt_authenticator (default jwt authenticator)
# ...
Authenticator
For more details about using custom authenticator in your application, see Extending JWT Authenticator.
Database-less User Provider
For a database-less authentication (i.e. trusting into the JWT data instead of reloading the user from the database), see "A database less user provider".