Plugin containing AuthComponent's authenticate class for authenticating using JSON Web Tokens. You can read about JSON Web Token specification in detail here.

• CakePHP 3.0+

composer require admad/cakephp-jwt-auth:1.0.x-dev

In your app's config/bootstrap.php add:

// In config/bootstrap.php
Plugin::load('ADmad/JwtAuth');

or using cake's console:

./bin/cake plugin load ADmad/JwtAuth

Setup AuthComponent:

    // In your controller, for e.g. src/Api/AppController.php
    public function initialize()
    {
        parent::initialize();
        
        $this->loadComponent('Auth', [
            'authenticate', [
                'ADmad/JwtAuth.Jwt' => [
                    'parameter' => '_token',
                    'userModel' => 'Users',
                    'scope' => ['Users.active' => 1],
                    'fields' => [
                        'id' => 'id'
                    ]
                ]
            ],
            'unauthorizedRedirect' => false,
            // Config below is available since CakePHP 3.1.
            // It makes user info available in controller's beforeFilter() which is not possible in CakePHP 3.0.
            'checkAuthIn' => 'Controller.initialize',
        ]);
    }

The authentication class checks for the token in two locations:

• HTTP_AUTHORIZATION environment variable:

  It first checks if token is passed using Authorization request header. The value should be of form Bearer <token>.

• The query string variable specified using parameter config:

  Next it checks if the token is present in query string. The default variable name is _token and can be customzied by using the parameter config shown above.

The payload of the token should either have key id or record. If id key exists it's value will be used to query against the primary key field of users table.

If record key exists it's value will be returned as user record. No check will be done against the database.

AuthComponent performs it's authentication routine for stateless auth after your controller's beforeFilter() has run. So trying to get user info using $this->Auth->user() in beforeFilter() will always return null.

As of CakPHP 3.1 though you can set a new config option checkAuthIn to Controller.initialize which makes AuthComponent do the authentication routine before controller's beforeFilter() is called.

For an end to end usage example check out this blog post by Bravo Kernel.