JwtTokenValidator implements AuthorizationTokenValidatorInterface
Validates JWT access tokens using JWKS from an OAuth 2.0 / OpenID Connect provider.
This validator:
- Fetches JWKS from the authorization server (auto-discovered or explicit)
- Validates signature, audience, issuer, and expiration
- Extracts scopes and claims as authorization attributes
Requires: firebase/php-jwt
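The claim checks the description lists (issuer, audience, scopes, algorithm allowlist) and the requireScopes() step, written out in Python as an added example; this is not the SDK's code, and the AuthorizationResult fields, the exact-match issuer and any-overlap audience semantics, and the constructed "mcp:read"/"mcp:write" scope names are assumptions about how the PHP class behaves. Signature verification against the JWKS (done by firebase/php-jwt in the real class) is out of scope here.

```python
from dataclasses import dataclass, field

ALLOWED_ALGORITHMS = ("RS256", "RS384", "RS512")  # the validator's default allowlist

@dataclass
class AuthorizationResult:
    # Constructed stand-in for the SDK's AuthorizationResult; field names are assumptions.
    authorized: bool
    scopes: list = field(default_factory=list)
    reason: str = ""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def validate_issuer(claims, expected):
    # "iss" must equal one of the configured issuer(s) exactly (no prefix matching).
    return "iss" in claims and claims["iss"] in _as_list(expected)

def validate_audience(claims, expected):
    # RFC 7519: "aud" may be a string or an array; any overlap with the expected set passes.
    aud = claims.get("aud")
    if aud is None:
        return False
    return bool(set(_as_list(aud)) & set(_as_list(expected)))

def extract_scopes(claims, scope_claim="scope"):
    # Authorization servers emit scopes either space-delimited (RFC 6749) or as an array.
    raw = claims.get(scope_claim, [])
    if isinstance(raw, str):
        return [s for s in raw.split(" ") if s]
    return [str(s) for s in raw]

def check_algorithm(header, allowed=ALLOWED_ALGORITHMS):
    # Anything outside the allowlist ("none", HS*) is rejected before the signature is checked.
    return header.get("alg") in allowed

def require_scopes(result, required):
    # Mirrors requireScopes(): the original result if sufficient, a forbidden result otherwise.
    if not result.authorized:
        return result
    missing = [s for s in required if s not in result.scopes]
    if missing:
        return AuthorizationResult(False, result.scopes, "missing scopes: " + " ".join(missing))
    return result
```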
Table of Contents
Interfaces
- AuthorizationTokenValidatorInterface
- Validates bearer tokens for HTTP transports.
Properties
- $algorithms : array<string|int, mixed>
- $audience : string|array<string|int, mixed>
- $issuer : string|array<string|int, mixed>
- $jwksProvider : JwksProviderInterface
- $jwksUri : string|null
- $scopeClaim : string
Methods
- __construct() : mixed
- requireScopes() : AuthorizationResult
- Validates a token has the required scopes.
- validate() : AuthorizationResult
- Validates an access token extracted from the Authorization header.
- extractScopes() : array<int, string>
- getJwks() : array<string, Key>
- validateAudience() : bool
- validateIssuer() : bool
Properties
$algorithms: private read-only array<string|int, mixed> = ['RS256', 'RS384', 'RS512']
$audience: private read-only string|array<string|int, mixed>
$issuer: private read-only string|array<string|int, mixed>
$jwksProvider: private read-only JwksProviderInterface
$jwksUri: private read-only string|null = null
$scopeClaim: private read-only string = 'scope'
Methods
__construct()
public
__construct(string|array<int, string> $issuer, string|array<int, string> $audience, JwksProviderInterface $jwksProvider[, string|null $jwksUri = null ][, array<int, string> $algorithms = ['RS256', 'RS384', 'RS512'] ][, string $scopeClaim = 'scope' ]) : mixed
Parameters
- $issuer : string|array<int, string>
  Expected token issuer(s) (e.g., "https://auth.example.com/realms/mcp")
- $audience : string|array<int, string>
  Expected audience(s) for the token
- $jwksProvider : JwksProviderInterface
  JWKS provider
- $jwksUri : string|null = null
  Explicit JWKS URI (auto-discovered from the first issuer if null)
- $algorithms : array<int, string> = ['RS256', 'RS384', 'RS512']
  Allowed JWT algorithms (default: RS256, RS384, RS512)
- $scopeClaim : string = 'scope'
  Claim name for scopes (default: "scope")
requireScopes()
Validates a token has the required scopes.
public
requireScopes(AuthorizationResult $result, array<int, string> $requiredScopes) : AuthorizationResult
Use this after validation to check specific scope requirements.
Parameters
- $result : AuthorizationResult
  The result from validate()
- $requiredScopes : array<int, string>
  Scopes required for this operation
Return values
AuthorizationResult — The original result if scopes are sufficient, forbidden otherwise
validate()
Validates an access token extracted from the Authorization header.
public
validate(string $accessToken) : AuthorizationResult
Parameters
- $accessToken : string
  The bearer token (without the "Bearer " prefix)
Return values
AuthorizationResult — The result of the validation
extractScopes()
private
extractScopes(array<string, mixed> $claims) : array<int, string>
Parameters
- $claims : array<string, mixed>
Return values
array<int, string>
getJwks()
private
getJwks() : array<string, Key>
Return values
array<string, Key>
validateAudience()
private
validateAudience(array<string, mixed> $claims) : bool
Parameters
- $claims : array<string, mixed>
Return values
bool
validateIssuer()
private
validateIssuer(array<string, mixed> $claims) : bool
Parameters
- $claims : array<string, mixed>