jwt-auth support PHP 8

Subject of the issue

Problem 1 - tymon/jwt-auth is locked to version 1.0.2 and an update of this package was not requested. - tymon/jwt-auth 1.0.2 requires php ^5.5.9|^7.0 -> your php version (8.0.2) does not satisfy that requirement.

My environment

Q	A
Bug?	yes
New Feature?	no / yes
Framework	Laravel
Framework version	8.0
Package version	1.0.2
PHP version	8

Steps to reproduce

composer update or composer require tymon/jwt-auth

Mar 09 '21 16:03 samehdoush

The dev-branch is insufficient in my case because lcobucci/jwt is locked to below <3.4. Another library has a fix for PHP8.0 that requires lcobucci/jwt to be at least 3.4 and so jwt-auth should have lcobucci/jwt upgraded.

Mar 15 '21 02:03 chaoszcat

Hello, same here. When will the update be available? Thanks

Mar 22 '21 16:03 AleeeKoi

Hello, same here. When will the update be available? Thanks

Mar 23 '21 10:03 ramdoun87

The dev-branch is insufficient in my case because lcobucci/jwt is locked to below <3.4. Another library has a fix for PHP8.0 that requires lcobucci/jwt to be at least 3.4 and so jwt-auth should have lcobucci/jwt upgraded.

Workaround - add this lines in your composer.json, this will override the requirement of <3.4. Works fine for me atm.

  "replace": {
    "lcobucci/jwt": "*"
  },

Apr 01 '21 11:04 s5w95

The dev-branch is insufficient in my case because lcobucci/jwt is locked to below <3.4. Another library has a fix for PHP8.0 that requires lcobucci/jwt to be at least 3.4 and so jwt-auth should have lcobucci/jwt upgraded.

Workaround - add this lines in your composer.json, this will override the requirement of <3.4. Works fine for me atm.
  "replace": {
    "lcobucci/jwt": "*"
  },

@s5w95 Hello there, where to add those lines in composer.json? inside any field such as "require" or "require-dev", or it's standalone inside the composer.json? Thanks.

Apr 03 '21 01:04 PR4M

The dev-branch is insufficient in my case because lcobucci/jwt is locked to below <3.4. Another library has a fix for PHP8.0 that requires lcobucci/jwt to be at least 3.4 and so jwt-auth should have lcobucci/jwt upgraded.

Workaround - add this lines in your composer.json, this will override the requirement of <3.4. Works fine for me atm.
  "replace": {
    "lcobucci/jwt": "*"
  },
@s5w95 Hello there, where to add those lines in composer.json? inside any field such as "require" or "require-dev", or it's standalone inside the composer.json? Thanks.

Add it into the root of the composer.json, can be anywhere or right before it closes the last } will do. Same level as require, require-dev and autoload.

Apr 03 '21 01:04 chaoszcat

The dev-branch is insufficient in my case because lcobucci/jwt is locked to below <3.4. Another library has a fix for PHP8.0 that requires lcobucci/jwt to be at least 3.4 and so jwt-auth should have lcobucci/jwt upgraded.

Workaround - add this lines in your composer.json, this will override the requirement of <3.4. Works fine for me atm.
  "replace": {
    "lcobucci/jwt": "*"
  },

After adding that line, it only help by removing lcobucci/jwt for me which is a not right? jwt-auth wouldn't work without lcobucci/jwt :(

lionel@Lionels-MacBook-Pro proj % composer update
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 1 update, 1 removal
  - Removing lcobucci/jwt (3.2.5)
  - Upgrading vonage/client-core (2.5.0 => 2.8.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 1 update, 1 removal
  - Downloading vonage/client-core (2.8.0)
  - Removing lcobucci/jwt (3.2.5)
  - Upgrading vonage/client-core (2.5.0 => 2.8.0): Extracting archive
Generating optimized autoload files
composer/package-versions-deprecated: Generating version class...
composer/package-versions-deprecated: ...done generating version class
92 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

Apr 03 '21 02:04 chaoszcat

Yeah, it's not easy to work around.

We do really need to stick to lcobucci/jwt at 3.3.3, because both the changes in 3.4.* and 4.* are not supported by this package (in its current dev state). I tested them: I forced 3.4.5 and 4.0.3 to install, and both result in errors when generating the token.

So we must install the 3.3.3. version, which claims incompatibility with php 8.0. The only solution I know for something like that is to use --ignore-platform-reqs. That's not a comfortable solution, and it might break somewhere, ... but in my tests so far, everything works fine.

So:

    "require": {
        "php": "^8.0",
        "laravel/lumen-framework": "^8.0",
        "tymon/jwt-auth": "dev-develop"
    },

And then composer update --ignore-platform-reqs. Or if you have composer 2, you can be a bit more specific with composer update --ignore-platform-req=php.

Apr 03 '21 09:04 JorisDebonnet

@JorisDebonnet It does install, but it doesn't want to pull the latest vonage/client-core (2.8.0) and vonage is the one causing incompatibility with php8.0. Here is the update log:

Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 3 updates, 0 removals
  - Upgrading lcobucci/jwt (3.2.5 => 3.3.3)
  - Upgrading tymon/jwt-auth (dev-develop ab00f2d => 1.0.2)
  - Upgrading vonage/client-core (2.5.0 => v2.6.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 3 updates, 0 removals
  - Downloading vonage/client-core (v2.6.0)
  - Upgrading lcobucci/jwt (3.2.5 => 3.3.3): Extracting archive
  - Upgrading vonage/client-core (2.5.0 => v2.6.0): Extracting archive
  - Upgrading tymon/jwt-auth (dev-develop ab00f2d => 1.0.2): Extracting archive
Generating optimized autoload files

vonage/client-core has a bug in < 2.7.0 and it only fixed after 2.7.0, but they added requirement to lcobucci/jwt to be above 3.4 which pretty much lock the bug in my repo :(

Here is where vonage/client-core fixed the bug and bumped lcobucci to be at least 3.4: link

Apr 03 '21 09:04 chaoszcat

Yeah, my suggestion is not a solution if you have another package that requires lcobucci/jwt >= 3.4... In that case, the most fitting issue to follow may actually be #2088.

I think the issue we are on here is simply about getting the package to work on php 8.0 (... which is a duplicate of #2082).

Apr 03 '21 19:04 JorisDebonnet

I am here to sollecitate, by kindly, an update to use jwt 3.4.

It's blocking the upgrade of a whole project to php 8.

I respect your time and your work. And we are appreciate everything you could do to accelerate the migration to jwt 3.4.

what is the issue with jwt 3.4? Could we help you in anyway?

Apr 06 '21 18:04 realtebo

I am here to sollecitate, by kindly, an update to use jwt 3.4.

what is the issue with jwt 3.4? Could we help you in anyway?

Please note that upgrading to jwt 3.4 will not help with php 8.0, because lcobucci/jwt 3.4.x also requires ^5.6 || ^7.0.

Summary for php 8.0 compatibility

You only use jwt-auth? Then you can run this on php 8.0 using --ignore-platform-req=php with composer. (Not ideal, I know, but it works.)
You have multiple jwt dependencies, some of which require lcobucci/jwt >= 3.4? Then you're out of luck. There is no solution until this package is migrated to use a higher version of lcobucci/jwt. See if you can stay on php 7.4, and watch #2088.

Anyone up to create a PR to solve #2088, #2082 and #2103 by upgrading this package to use lcobucci/jwt >= 4.0?

(A PR would allow all of us to use that hero's repository until further notice -- and then at some point hopefully the PR is accepted into the develop branch, which can then be released as 2.0. It will require that new major version number because lcobucci/jwt 4.0 does not support php 7.2 or 7.3, while jwt-auth 1.0 does.)

Apr 11 '21 13:04 JorisDebonnet

You can add --ignore-platform-reqs to force install it works well for me.

composer require tymon/jwt-auth --ignore-platform-reqs

Apr 27 '21 08:04 kamleshwebtech

It will require that new major version number because lcobucci/jwt 4.0 does not support php 7.2 or 7.3, while jwt-auth 1.0 does.

I think it is not required. lcobucci/jwt 3.4 is supposed to be compatible with the same API as lcobucci/jwt 4.0, but supports down to PHP v5.6, so an updated version can still be used with PHP 7.2-7.3, it'll simply stay at lcobucci/jwt 3.4, and not update to 4.0. However there is a minor breaking change (at least in my implementation) because the API changed a lot, and providing Builder and Parser to the constructor of Tymon\JWTAuth\Providers\JWT\Lcobucci does not make sense any more. I'd say it is technically a breaking change, but also it is very minor, as most users would simply rely on the service container which can deal with it easily. So technically it is supposed to be v2, even though anyone experiencing an issue due to this change is doing something wrong most likely.

Apr 29 '21 00:04 BenceSzalai

related to https://github.com/tymondesigns/jwt-auth/issues/2082 Related PR: https://github.com/tymondesigns/jwt-auth/pull/2117

May 06 '21 06:05 CodeNinja1337

Would love to the see the PR for this get merged in, it is the one missing piece for us to be able to move to PHP 8.0. Would rather not have to fork and reimplement ourselves.