Php rest api authorization: bearer

username) . "', '" . mysqli_real_escape_string($dbConn, $data->password) . "')";
	
	$result = dbQuery($sql);
	
	if($result) {
		echo json_encode(array('success' => 'You registered successfully'));
	} else {
		echo json_encode(array('error' => 'Something went wrong, please contact administrator'));
	}
}

//End of file

In PHP I have retrieved the JSON body parameter using the following code.

file_get_contents("php://input", true)

Finally I have decoded the JSON parameters to access as an object using the function json_decode().

Here is an example on how to register a new user. You can use any REST client to register or create a new user.

Http Method - POST
URL - http://localhost/php-jwt-rest-authentication/register.php
Request Body - {"username":"roy", "password":"roy"}
Header - Content-Type:application/json
Response - {"success":"You registered successfully"}

User Login

The registered user will be able to login to the application and will get the generated JWT. Then this generated JWT will be used to access designated REST APIs over http protocol.

The JWT is valid only for 60 seconds or 1 minute, please change to suit your requirements.

Create a file login.php with the following source code:

username) . "' AND password = '" . mysqli_real_escape_string($dbConn, $data->password) . "' LIMIT 1";
	
	$result = dbQuery($sql);
	
	if(dbNumRows($result) < 1) {
		echo json_encode(array('error' => 'Invalid User'));
	} else {
		$row = dbFetchAssoc($result);
		
		$username = $row['username'];
		
		$headers = array('alg'=>'HS256','typ'=>'JWT');
		$payload = array('username'=>$username, 'exp'=>(time() + 60));

		$jwt = generate_jwt($headers, $payload);
		
		echo json_encode(array('token' => $jwt));
	}
}

//End of file

Here is an example on how to login and get the generated JWT:

Http Method - POST
URL - http://localhost/php-jwt-rest-authentication/login.php
Request Body - {"username":"roy", "password":"roy"}
Header - Content-Type:application/json
Response - {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InJveSIsImV4cCI6MTU4MjYyMDY1OX0.EMTwnke-M5PXV3LEEUveZLcvvi7pQmGUbWMAj2KeR94"}

Access REST API

Now I will use the generated JWT to access the REST API that list all users from the MySQL database table to the user who is having valid JWT.

I accept HTTP method GET and allow access to anyone.

Create a file users.php with the following source code:

 'Access denied'));
}

//End of file

Here is an example on how to access the REST API:

Http Method - GET
URL - http://localhost/php-jwt-rest-authentication/users.php
Request Body - {"username":"roy", "password":"roy"}
Header - Authorization:Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InJveSIsImV4cCI6MTU4MjYyMDY1OX0.EMTwnke-M5PXV3LEEUveZLcvvi7pQmGUbWMAj2KeR94
Response - [{"id":"1","username":"roy","password":"roy"},{"id":"2","username":"soumitra","password":"roy"}]

In the above response you see two users because I have registered two users but I had shown only one user during registration process.

JWT Generation and Validation

The below PHP script defines the required functions to generate, validate JWT and extract the Bearer token from Authorization header of http request.

exp;
	$is_token_expired = ($expiration - time()) < 0;

	// build a signature based on the header and payload using the secret
	$base64_url_header = base64url_encode($header);
	$base64_url_payload = base64url_encode($payload);
	$signature = hash_hmac('SHA256', $base64_url_header . "." . $base64_url_payload, $secret, true);
	$base64_url_signature = base64url_encode($signature);

	// verify it matches the signature provided in the jwt
	$is_signature_valid = ($base64_url_signature === $signature_provided);
	
	if ($is_token_expired || !$is_signature_valid) {
		return FALSE;
	} else {
		return TRUE;
	}
}

function base64url_encode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function get_authorization_header(){
	$headers = null;
	
	if (isset($_SERVER['Authorization'])) {
		$headers = trim($_SERVER["Authorization"]);
	} else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
		$headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
	} else if (function_exists('apache_request_headers')) {
		$requestHeaders = apache_request_headers();
		// Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
		$requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
		//print_r($requestHeaders);
		if (isset($requestHeaders['Authorization'])) {
			$headers = trim($requestHeaders['Authorization']);
		}
	}
	
	return $headers;
}

function get_bearer_token() {
    $headers = get_authorization_header();
	
    // HEADER: Get the access token from the header
    if (!empty($headers)) {
        if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
            return $matches[1];
        }
    }
    return null;
}

In the above code snippets the most important functions are get_authorization_header() and get_bearer_token(). These functions are used to get the required Bearer token from Authorization header.

Start Development Server

Now to start the development server, navigate to the root folder of your project from the command line tool and execute the command: php -S localhost:8000.

Your development server will start and listen to port 8000.

Testing JWT Authentication

Use the following details as highlighed in the screen-shot to generate the JWT using REST client tool:

Use the above generated JWT token in the HTTP header under Authorization key with the values as Bearer .

Source Code

Download

How do I send a POST request with Bearer Token Authorization header in PHP?

How can I get Authorization token in PHP?

How use JWT token for authentication in PHP?

How can get Bearer Token value in PHP?