

bag2/oauth-pkce
===============

OAuth PKCE implementation independent of OAuth servers.

Version 0.0.1 (3y ago) | License: Apache-2.0 | Language: PHP | Requires PHP ^7.1 || ~8.0.0 || ~8.1.0 | CI failing

[Source](https://github.com/bag2php/oauth-pkce) | [Packagist](https://packagist.org/packages/bag2/oauth-pkce)

Bag2\\OAuth\\PKCE
=================


A PHP implementation of [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636) (PKCE) that is independent of any OAuth server.

Why this package?
-----------------


Well-known OAuth2 server implementations (e.g. [league/oauth2-server](https://oauth2.thephpleague.com/)) already implement PKCE, but servers that are not based on their latest versions do not. This library provides the functionality needed to add PKCE verification to an independent OAuth server.

Usage
-----


See **Figure 3: Authorization Code Flow** in [OAuth 2.0: 4.1. Authorization Code Grant](https://tools.ietf.org/html/rfc6749#section-4.1).

### For Authorization Server


#### 1. Store `code_challenge` in **step (A) and (B)**


In this flow, write as follows:

```
// This (pseudo) code is written in vanilla PHP.
// In practice, follow your framework / project conventions.

use Bag2\OAuth\PKCE\Challenge;
use Bag2\OAuth\PKCE\Verifier; // assumed to live in the same namespace as Challenge

// Request by Web Browser (both parameters are read from the same request source)
$code_challenge = \filter_input(INPUT_GET, 'code_challenge');
$code_challenge_method = \filter_input(INPUT_GET, 'code_challenge_method') ?: 'plain';

// Validate only when the client actually sent a code_challenge.
if ($code_challenge !== null) {
    if (!Verifier::isValidCodeVerifier($code_challenge)) {
        throw new Exception('invalid code_challenge');
    }
    if (!Verifier::isValidCodeChallengeMethod($code_challenge_method)) {
        throw new Exception('invalid code_challenge_method');
    }
}

// store_value() and generate_oauth_code() stand in for your own
// storage layer and authorization code generator.
store_value([
    'code' => generate_oauth_code(),
    'code_challenge' => $code_challenge,
    'code_challenge_method' => $code_challenge_method,
]);

// Redirect
```

#### 2. Verify `code_verifier` in **step (D)**


```
// This (pseudo) code is written in vanilla PHP.
// In practice, follow your framework / project conventions.

use Bag2\OAuth\PKCE\Challenge;

// Request by Client (token request)
$code = \filter_input(INPUT_POST, 'code');
$code_verifier = \filter_input(INPUT_POST, 'code_verifier');
// get_stored_value() stands in for your own storage layer.
$saved = get_stored_value($code);

// A challenge was stored in step 1, so the client must now prove possession.
if (isset($saved['code_challenge'])) {
    if ($code_verifier === null) {
        throw new Exception('code_verifier required');
    }

    // Rebuild the stored challenge and check the presented verifier against it.
    $verifier = Challenge::fromArray($saved);
    if (!$verifier->verify($code_verifier)) {
        throw new Exception('invalid code_verifier');
    }
}

// Return generated Access Token
```
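
What the check in step (D) amounts to under RFC 7636, as an added example written with PHP built-ins only. It is not code from this package, and the `pkce_*` function names are hypothetical; the sample verifier and challenge are the test vector from RFC 7636 Appendix B.

```php
<?php
declare(strict_types=1);

// Added example: pkce_* names are hypothetical, not the bag2/oauth-pkce API.

/** RFC 7636 section 4.1: 43 to 128 characters from the unreserved set. */
function pkce_is_valid_verifier(string $verifier): bool
{
    return preg_match('/\A[A-Za-z0-9\-._~]{43,128}\z/', $verifier) === 1;
}

/** RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), unpadded. */
function pkce_s256(string $verifier): string
{
    $digest = hash('sha256', $verifier, true); // raw 32-byte digest
    return rtrim(strtr(base64_encode($digest), '+/', '-_'), '=');
}

/** RFC 7636 section 4.6: recompute the challenge and compare with the stored one. */
function pkce_verify(string $method, string $stored_challenge, string $verifier): bool
{
    if (!pkce_is_valid_verifier($verifier)) {
        return false;
    }
    switch ($method) {
        case 'S256':
            $expected = pkce_s256($verifier);
            break;
        case 'plain':
            $expected = $verifier;
            break;
        default:
            return false; // unknown method: reject, never fall back to plain
    }
    return hash_equals($stored_challenge, $expected); // constant-time comparison
}

// Test vector from RFC 7636 Appendix B.
$verifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$challenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw_cM';

$results = [
    'S256, matching verifier'       => pkce_verify('S256', $challenge, $verifier),
    'S256, altered verifier'        => pkce_verify('S256', $challenge, $verifier . 'x'),
    'plain against S256 challenge'  => pkce_verify('plain', $challenge, $verifier),
    'verifier shorter than 43'      => pkce_verify('S256', $challenge, 'too-short'),
];
var_dump($results);
```

Only the first case is accepted. The `plain` case shows why the method stored with the challenge in step 1, not one supplied at token time, has to drive the comparison.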

Copyright
---------


This package is licensed under [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).

> Copyright 2019 Baguette HQ
>
> Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
>
> http://www.apache.org/licenses/LICENSE-2.0
>
> Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
