Skip to content
/ jwt-webauthn-php Public

Utilizing JWT & WebAuthn together in PHP REST API

License

View license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

wnelson03/jwt-webauthn-php

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
api
api
 
 
src
src
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
index.html
index.html
 
 
login.html
login.html
 
 
register.html
register.html
 
 
schema.sql
schema.sql
 
 
securityKey.html
securityKey.html
 
 
webauthn.js
webauthn.js
 
 

Repository files navigation

JWT & WebAuthn demo

Utilizing JWT & WebAuthn together in a backend API.

Didn't use Redis for this, since I wanted it to work out-of-the-box for people lacking the PHPRedis extension.

On a live website, Redis or Memcached should be employed to cache data from database, and to blacklist JWT tokens on logout/password reset.

Showcase

jwt-webauthn-php.mp4

Requirements

PHP >= 8.0.0

MySQL Server with mysqlnd

Setup

Import schema.sql into MySQL or MariaDB and you can run the demo.

For a live website, make sure to change credentials first.

Privacy

Emails are hashed with SHA1 so that the operator can't see plain-text emails.

No model name or serial numbers are collected for WebAuthn. The operator can't tell if you're using YubiKey or SoloKey, or any other WebAuthn-compatible device

Database sample

Accounts table:

id email password securityKey
21 26bead3658ccd9d4598bdca509f9b42cf6b8a3f5 $2y$10$s... 1

securitykeys table:

id account credentialId credentialPublicKey
3 21 WJTV6t9GmYgGVS8h2OHkZkPGeqUECCe3xOc5sds6WCpMSi8r+9oWZsIdQiEp/nFUkGnv2PqPaZ9ezs6wnGDfkQ== -----BEGIN PUBLIC KEY-----MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoTQh+4LXNHgMEtAgLrrkJBdFXPoZtciHcs+dJbKA7O/GYdIyfI92Pa8RMoHTCE5EuMp2XkqdxUgTmiq+Ao6AMw==-----END PUBLIC KEY-----

JWT sample

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MjEsImF1dGgiOnRydWUsIm1mYSI6bnVsbCwiZW1haWwiOiIyNmJlYWQzNjU4Y2NkOWQ0NTk4YmRjYTUwOWY5YjQyY2Y2YjhhM2Y1In0.065m3mWiufxgUDSj2VUAGS3x4bwW6KLcFBs1shJCrlA

Decoded

{"typ":"JWT","alg":"HS256"}{"id":21,"auth":true,"mfa":null,"email":"26bead3658ccd9d4598bdca509f9b42cf6b8a3f5"}<signatureHere>

Credentials

In a live website, these credentials should be changed and stored in a seperate configuration file such as credentials.php, and then you add credentials.php to the .gitignore and make a credentials.example.php for public use.

Another way would be setting the credentials via FastCGI Params in nginx, to create further seperation between the credentials and the source code.

JWT Secret

jwt-webauthn-php/api/main.php

Line 15 in ebffedc

$session = Firebase\JWT\JWT::decode($_COOKIE[$this->sessionName], new Firebase\JWT\Key('yWvati2Z94ZV6XFaSwC7gqdsabtTYHqMnzWB7o58AvCXHkheS8ANfHLKTTwXE9cXHg7GH2bSb9q95Lo2He9XDWtqDBwJzvKFbX8ymeLPkhFQkJxF8GDbmpRUfeXctiLi', 'HS256'));

jwt-webauthn-php/api/main.php

Line 29 in ebffedc

$encoded = Firebase\JWT\JWT::encode($payload, 'yWvati2Z94ZV6XFaSwC7gqdsabtTYHqMnzWB7o58AvCXHkheS8ANfHLKTTwXE9cXHg7GH2bSb9q95Lo2He9XDWtqDBwJzvKFbX8ymeLPkhFQkJxF8GDbmpRUfeXctiLi', 'HS256');

MySQL Server

jwt-webauthn-php/api/main.php

Line 53 in ebffedc

$db = new Database("localhost", "root", "", "jwt-webauthn-php");

jwt-webauthn-php/api/main.php

Line 79 in ebffedc

$db = new Database("localhost", "root", "", "jwt-webauthn-php");

jwt-webauthn-php/api/routing.php

Line 81 in ebffedc

$db = new Database("localhost", "root", "", "jwt-webauthn-php");

About

Utilizing JWT & WebAuthn together in PHP REST API

Topics

jwt jwt-token jwt-authentication webauthn webauthn-demo webauthn-server jwt-php webauth-php

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages