Meta/Feedback: Change JWT library from lcobucci/jwt to web-token/jwt-framework #1142
Comments
A contributing factor could be that EDIT: The maintainer of
Hi there, My 2 cents on this conversation. As I develop, I realized that we should not depend on an implementation or the other. Now, that’s why I try to be “framework agnostic”, whatever it is. This includes the framework I manage. As an example, I am working on a new version of the web-push lib. This library needs JWT and provides adapters for both From my POV, you should not choose between one lib or the other, but provide an elegant way to allow devs to use the one that best fits their projects.
At the moment, we don't have plans to replace the usage of lcobucci's JWT library. If there wasn't a PHP 8 compatible release prior to the GA we might have to revisit this decision but I understand a new release will be forthcoming soon. We primarily use the JWT library to read incoming bearer tokens. However, this can be easily replaced with another JWT lib if you wish. The If you don't want to use the BearerTokenValidator you can write your own, then pass it to the ResourceServer via its constructor. Thanks to @Spomky for taking the time to reach out to this issue and for everyone else's input regarding this.
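A sketch of the replacement validator described in the comment above, as an added example that is not code from this thread or from the project. It assumes PHP 8, league/oauth2-server's `AuthorizationValidatorInterface`, web-token/jwt-framework's signature component, and access tokens that carry the `jti`, `aud`, `sub`, `scopes` and `exp` claims; the class name `JwtFrameworkBearerValidator` is hypothetical.

```php
<?php
declare(strict_types=1);

use Jose\Component\Core\JWK;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;
use League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
use Psr\Http\Message\ServerRequestInterface;

// Hypothetical class: a bearer-token validator backed by web-token/jwt-framework.
final class JwtFrameworkBearerValidator implements AuthorizationValidatorInterface
{
    public function __construct(
        private AccessTokenRepositoryInterface $tokens,
        private JWSVerifier $verifier, // build with only the algorithm you issue (e.g. RS256)
        private JWK $publicKey         // the key is pinned here, never taken from the token
    ) {}

    public function validateAuthorization(ServerRequestInterface $request)
    {
        if (!preg_match('/^Bearer\s+(\S+)$/i', $request->getHeaderLine('Authorization'), $m)) {
            throw OAuthServerException::accessDenied('Missing bearer token');
        }
        try {
            $jws = (new CompactSerializer())->unserialize($m[1]);
            $signed = $this->verifier->verifyWithKey($jws, $this->publicKey, 0);
            $claims = json_decode((string) $jws->getPayload(), true, 16, JSON_THROW_ON_ERROR);
        } catch (\Throwable $e) {
            throw OAuthServerException::accessDenied('Access token could not be parsed', null, $e);
        }
        // Reject before reading any claim if the signature failed or the token has expired.
        if (!$signed || !is_array($claims) || !isset($claims['jti'], $claims['exp']) || (int) $claims['exp'] <= time()) {
            throw OAuthServerException::accessDenied('Access token is invalid or expired');
        }
        if ($this->tokens->isAccessTokenRevoked((string) $claims['jti'])) {
            throw OAuthServerException::accessDenied('Access token has been revoked');
        }
        $aud = $claims['aud'] ?? null; // "aud" may be a string or a one-element list
        return $request
            ->withAttribute('oauth_access_token_id', $claims['jti'])
            ->withAttribute('oauth_client_id', is_array($aud) ? ($aud[0] ?? null) : $aud)
            ->withAttribute('oauth_user_id', $claims['sub'] ?? null)
            ->withAttribute('oauth_scopes', $claims['scopes'] ?? []);
    }
}
```

An instance is passed as the third constructor argument of `ResourceServer`, after the access token repository and the public key. Restricting the `AlgorithmManager` behind the `JWSVerifier` to a single algorithm keeps a token's own `alg` header from selecting how it is verified.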
I'm not aware of the specific history of choosing a JWT library to use, but the conversation at #1007 (comment) leads me to ask the question, how difficult would it be to swap out lcobucci/jwt for web-token/jwt-framework?
Both appear to have active development/maintainers, though neither has a particularly rapid release cadence. The main compelling reason to select a new library would be for more complete out of the box support for JWT-related RFCs, e.g. RFC 7517 for JWKs (re: the issue linked above.)
I'm not trying to create any unnecessary bikeshedding or tribalism, but if it would be "easy enough" to choose a new underlying library, we may get some advantage in rolling out new features. Thoughts?