PHPackages b2pweb/parroauth2-client - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. b2pweb/parroauth2-client ActiveLibrary[Authentication & Authorization](/categories/authentication) b2pweb/parroauth2-client ======================== B2P OAuth 2 client implementation v2.0.1(5mo ago)011.4k↓20%MITPHPPHP ~8.1.0 | ~8.2.0 | ~8.3.0 | ~8.4.0 | ~8.5.0CI passing Since May 16Pushed 5mo ago2 watchersCompare [ Source](https://github.com/b2pweb/parroauth2-client)[ Packagist](https://packagist.org/packages/b2pweb/parroauth2-client)[ RSS](/packages/b2pweb-parroauth2-client/feed)WikiDiscussions 2.0 Synced 1mo ago READMEChangelogDependencies (18)Versions (12)Used By (0) Parroauth2 Client ================= [](#parroauth2-client) [![build](https://github.com/b2pweb/parroauth2-client/actions/workflows/php.yml/badge.svg)](https://github.com/b2pweb/parroauth2-client/actions/workflows/php.yml)[![Packagist Version](https://camo.githubusercontent.com/a655b332a21b93acf7d9556f52e9a414f1ecff43ddd13084d123f2a5baafd5c2/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6232707765622f706172726f61757468322d636c69656e742e737667)](https://packagist.org/packages/b2pweb/parroauth2-client)[![Total Downloads](https://camo.githubusercontent.com/ef2c4d6219cfb5f4d9d88dda0dd38b3fc9ba1a6688e3078bfbe620798aa3b5f3/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6232707765622f706172726f61757468322d636c69656e742e737667)](https://packagist.org/packages/b2pweb/parroauth2-client)[![Type Coverage](https://camo.githubusercontent.com/2c0021ac12ec9aac713d92de13a754292a7401b5d87923144e590181c5505cf6/68747470733a2f2f73686570686572642e6465762f6769746875622f6232707765622f706172726f61757468322d636c69656e742f636f7665726167652e737667)](https://shepherd.dev/github/b2pweb/parroauth2-client) OAuth 2.0 and OpenID Connect client library for PHP. Installation ------------ [](#installation) Install with composer : ``` composer require b2pweb/parroauth2-client ``` Simple usage ------------ [](#simple-usage) For a simple usage, using **Authorization Server Metadata** [RFC 8414](https://datatracker.ietf.org/doc/html/rfc8414)or [OpenID Connection discovery](https://openid.net/specs/openid-connect-discovery-1_0.html), you can see [example](./example) directory. ### [Password authentication](./example/password.php) [](#password-authentication) Authenticate to a provider using **password** grant type (cf: [RFC 6749#4.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)). This example simply configure the OAuth 2.0 client, and call the token endpoint of the provider with owner's credentials (i.e. username and password). ### [Standard authentication flow](./example/standard.php) [](#standard-authentication-flow) Implements the client-side authentication using **authorization\_code** grant type (cf: [RFC 6749#4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)) which is the recommended authorization flow. - First the session storage is configured - Then the provider and the client are loaded - Register extensions - `JwtAccessToken` to enable local introspection of the access token - `Pkce` to enable PKCE [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) to mitigate authorization code interception attack - `IdTokenValidator` (only for OpenID) to enable verification of the ID Token - `TokenStorage` store the access token into session, and provide it into oauth endpoints - `RequiredScopeValidator` assert given scopes are provided in the access token. - Perform the authentication process if the token is not present or expired, by using `AuthorizationCodeFlow` - Once authenticated, perform userinfo and introspection - Also implements the **logout** action, using revocation endpoint and redirect to the OP for stop the session ### [Access token check on server side](./example/server_resource.php) [](#access-token-check-on-server-side) Check the access token passed as **Authorization: Bearer** header using local introspection. Advanced usage -------------- [](#advanced-usage) ### Configure provider manually [](#configure-provider-manually) If the authentication provider do not implement the auto-discovery, or you want to configure manually, you can use the `ProviderBuilder` : ``` $loader = new \Parroauth2\Client\Provider\ProviderLoader(); // Configure and create the provider $provider = $loader->builder('http://my-op.example.com') ->openid() // Enable openid connection on the endpoint // Configure endpoints ->tokenEndPoint('/token') ->authorizationEndPoint('/auth') ->introspectionEndPoint('/introspect') // Configure public key for local introspection ->addKeyFile('./keys/provider.pub') ->create() ; // Create the client $client = $provider->client((new \Parroauth2\Client\ClientConfig('client_id'))->setSecret('secret')); ``` ### Lazy provider [](#lazy-provider) In some case, you should delay the loading of the provider, and only load it when it's necessary. This is necessary when use a dependency injection container which inject the client or the provider into a service. In this context you can use `ProviderLoader::lazy()`, which allows loading provider only when calling OP endpoints. ### Design consideration [](#design-consideration) #### EndPoints [](#endpoints) End points are immutable, any call to setters will return a new instance of the endpoint. So the following code is invalid : ``` /** @var $client \Parroauth2\Client\ClientInterface */ $token = $client->endPoints()->token(); $token->refresh('MyRefreshToken'); // This instruction has no effect : the return value is ignored $token->call(); // This call will fail : no token has been provided ``` To save a state, like provide a token, you should use Extensions with an `EndPointTransformerInterface`, or inject parameters manually at each endpoint calls. #### Extensions [](#extensions) Extension consist of a class with single method `configure()` which takes the client as parameter. They permit modifying or configuring any mutable elements of client like : - Change client configuration - Register or replace an end point - Register an `EndPointTransformerInterface` To simply apply an endpoint transformer, you can inherit `AbstractEndPointTransformerExtension`, implement the desired endpoint transformation method, and use `CallableEndPointInterface::onResponse()`to intercept responses. > Note: because endpoints are immutable, the endpoint transformer must return the configured instance of the endpoint ### Health Score 48 — FairBetter than 95% of packages Maintenance70 Regular maintenance activity Popularity24 Limited adoption so far Community10 Small or concentrated contributor base Maturity72 Established project with proven stability Bus Factor1 Top contributor holds 54.1% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~129 days Total 11 Last Release 174d ago Major Versions v1.5.1 → v2.0.02025-08-04 PHP version history (6 changes)v1.0.0PHP ~7.1 | ~8.0.0 | ~8.1.0 v1.2.0PHP ~7.1 | ~8.0.0 | ~8.1.0 | ~8.2.0 v1.4.1PHP ~7.1 | ~8.0.0 | ~8.1.0 | ~8.2.0 | ~8.3.0 v1.5.1PHP ~7.1 | ~8.0.0 | ~8.1.0 | ~8.2.0 | ~8.3.0 | ~8.4.0 v2.0.0PHP ~8.1.0 | ~8.2.0 | ~8.3.0 | ~8.4.0 v2.0.1PHP ~8.1.0 | ~8.2.0 | ~8.3.0 | ~8.4.0 | ~8.5.0 ### Community Maintainers ![](https://www.gravatar.com/avatar/1c87e81e7c2f228f5f9b346e86776c8a8740a9f8eb39d710d1de136dbd7c75a3?d=identicon)[Johnmeurt](/maintainers/Johnmeurt) --- Top Contributors [![vincent4vx](https://avatars.githubusercontent.com/u/1770818?v=4)](https://github.com/vincent4vx "vincent4vx (46 commits)")[![Johnmeurt](https://avatars.githubusercontent.com/u/12075308?v=4)](https://github.com/Johnmeurt "Johnmeurt (39 commits)") ### Code Quality TestsPHPUnit Static AnalysisPsalm Code StylePHP\_CodeSniffer Type Coverage Yes ### Embed Badge ![Health badge](/badges/b2pweb-parroauth2-client/health.svg) ``` [![Health](https://phpackages.com/badges/b2pweb-parroauth2-client/health.svg)](https://phpackages.com/packages/b2pweb-parroauth2-client) ``` ### Alternatives [phpro/http-tools HTTP tools for developing more consistent HTTP implementations. 28137.8k](/packages/phpro-http-tools)[opensearch-project/opensearch-php PHP Client for OpenSearch 15024.3M65](/packages/opensearch-project-opensearch-php)[flow-php/flow PHP ETL - Extract Transform Load - Data processing framework 81733.7k](/packages/flow-php-flow)[getbrevo/brevo-php Official Brevo provided RESTFul API V3 php library 963.1M35](/packages/getbrevo-brevo-php)[swisnl/json-api-client A PHP package for mapping remote JSON:API resources to Eloquent like models and collections. 211473.2k12](/packages/swisnl-json-api-client)[laudis/neo4j-php-client Neo4j-PHP-Client is the most advanced PHP Client for Neo4j 184616.9k31](/packages/laudis-neo4j-php-client) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)