Modifying JWTs
Payload
By default, the following data is encoded into JWT payloads:
{
"iss": "CraftCMS",
"iat": 1607255926,
"exp": 1607257726,
"sub": "21",
"fullName": "James Edmonston",
"email": "james@testingthings.com",
"groups": ["User"],
"schema": "User",
"admin": "0"
}
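You are free to add any additional data that might be useful to you! To do so, you can use the JwtCreateEvent event. Keep in mind that the payload is only encoded, not encrypted, so every claim you add can be read by anyone who holds the token.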
Here's an example module that adds the user's username
into the payload:
<?php
namespace modules;
use jamesedmonston\graphqlauthentication\events\JwtCreateEvent;
use jamesedmonston\graphqlauthentication\services\TokenService;
use yii\base\Module;
use yii\base\Event;
/**
 * Example module that extends the JWT payload with the user's username.
 *
 * The payload of a signed JWT is encoded, not encrypted: whoever holds the
 * token can decode and read every claim. Only add values that are acceptable
 * to disclose to the client (no secrets, no internal-only identifiers).
 */
class ModifyJwt extends Module
{
    /**
     * Subscribes addJwtClaims() to TokenService::EVENT_BEFORE_CREATE_JWT.
     */
    public function init()
    {
        parent::init();

        $handler = [$this, 'addJwtClaims'];
        Event::on(TokenService::class, TokenService::EVENT_BEFORE_CREATE_JWT, $handler);
    }

    /**
     * Writes a "username" claim onto the token builder carried by the event.
     *
     * @param JwtCreateEvent $event Exposes the token builder ($event->builder)
     *                              and the user the token is issued for ($event->user).
     */
    public function addJwtClaims(JwtCreateEvent $event)
    {
        // NOTE(review): withClaim()'s return value is discarded, so this relies on
        // the builder being modified in place - confirm for the installed JWT
        // library version, otherwise the claim would silently be missing.
        $event->builder->withClaim('username', $event->user->username);
    }
}
The payload would now be as follows:
{
"iss": "CraftCMS",
"iat": 1607255926,
"exp": 1607257726,
"sub": "21",
"fullName": "James Edmonston",
"email": "james@testingthings.com",
"groups": ["User"],
"schema": "User",
"admin": "0",
"username": "jamesedmonston"
}
Validation
By default, JWTs are validated using the JWT Secret Key field you set up in settings. If a token is not signed using the same key, validation throws an invalid token error.
You are free to modify the JWT validation steps to suit your needs. To do so, you can use the JwtValidateEvent
event.
Here's an example module that adds an IssuedBy
validator:
<?php
namespace modules;
use jamesedmonston\graphqlauthentication\events\JwtValidateEvent;
use jamesedmonston\graphqlauthentication\services\TokenService;
use Lcobucci\JWT\Validation\Constraint\IssuedBy;
use yii\base\Module;
use yii\base\Event;
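/**
 * Example module that adds an extra JWT validation constraint.
 *
 * Listens for TokenService::EVENT_BEFORE_VALIDATE_JWT and appends an IssuedBy
 * constraint to whatever constraints the event's configuration already holds.
 */
class ModifyJwt extends Module
{
    /**
     * Subscribes validateJwt() to TokenService::EVENT_BEFORE_VALIDATE_JWT.
     */
    public function init()
    {
        parent::init();

        Event::on(
            TokenService::class,
            TokenService::EVENT_BEFORE_VALIDATE_JWT,
            [$this, 'validateJwt']
        );
    }

    /**
     * Adds an issuer check on top of the constraints already configured.
     *
     * @param JwtValidateEvent $event Carries the JWT configuration in $event->config.
     */
    public function validateJwt(JwtValidateEvent $event)
    {
        // Assumes $event->config is a Lcobucci\JWT\Configuration - TODO confirm.
        $config = $event->config;

        // IssuedBy checks the token's "iss" claim against the given value.
        // NOTE(review): the default payload carries "iss": "CraftCMS", so this
        // sample value would reject such tokens - use the issuer you really expect.
        $issuerCheck = new IssuedBy('Custom Validator');

        // setValidationConstraints() replaces the configured list instead of
        // appending to it. Passing only the new constraint would drop any
        // constraint registered earlier on this configuration (for example a
        // signature check, if the plugin keeps it here), so the existing ones
        // are carried over and the issuer check is added at the end.
        $constraints = $config->validationConstraints();
        $constraints[] = $issuerCheck;
        $config->setValidationConstraints(...$constraints);
    }
}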