developerawam/omni-central-auth
===============================

A plug-and-play SSO solution for Laravel — be the Identity Provider or connect as a client.

v1.0.0-beta7 · MIT · PHP ^8.2 · CI failing

[Source](https://github.com/restu-lomboe/omni-central-auth) · [Packagist](https://packagist.org/packages/developerawam/omni-central-auth)

Omni Central Auth
=================

**A plug-and-play SSO solution for Laravel — be the Identity Provider or connect as a client.**

---

About
-----

`omni-central-auth` is a Laravel package that lets you build your own **Single Sign-On (SSO)** system — either as:

- **Identity Provider (SSO Server)** — one central login for all your applications
- **Service Provider (Client App)** — an application that delegates authentication to the SSO Server

Built on top of **Laravel Passport** (OAuth2), **Laravel Fortify** (Auth UI), and **Laravel Socialite** (OAuth2 Client).

**Data Push Architecture:** Unlike standard OAuth2 where the client must exchange an authorization code and fetch user data via API, Omni Central Auth uses **encrypted payload push** — after authorization, the SSO Server directly pushes user data to the client's callback URI using AES-256-CBC encryption with a shared signing key. This eliminates two round-trips and simplifies the client integration.

---

Requirements
------------

- PHP 8.2+
- Laravel 13+
- Livewire 4+
- TailwindCSS v4+ (CDN via `@tailwindcss/browser`)
- ext-sodium (required by Laravel Passport for JWT signing)

> **Windows / XAMPP users:** Enable sodium in `php.ini` by uncommenting `;extension=sodium` → `extension=sodium`, then restart Apache.

---

Installation
------------

```
composer require developerawam/omni-central-auth
```

Run the interactive install command:

```
php artisan omni:install
```

The installer will guide you through the following steps:

1. **Choose a mode** — `server` or `client`
2. **Publish config** — `config/omni-central-auth.php`
3. **Publish migrations** — copied to `database/migrations/`
4. **Run migrations** — creates all required tables
5. **Passport setup** *(server mode only)* — generates encryption keys and creates:
    - Personal Access Client
    - SSO Client for client apps
6. **Signing key generation** *(server mode only)* — `OMNI_CENTRAL_SIGNING_KEY` auto-generated
7. **`.env` updated** — `OMNI_AUTH_MODE` is set automatically

---

Mode: `server` (Identity Provider)
----------------------------------

### 1. Add traits to your User model

```
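use Illuminate\Foundation\Auth\User as Authenticatable;
use Laravel\Passport\HasApiTokens;
use Laravel\Fortify\TwoFactorAuthenticatable;

class User extends Authenticatable
{
    use HasApiTokens, TwoFactorAuthenticatable;

    // Every attribute listed here is mass-assignable: pass only validated
    // fields to create()/update(), never raw request input.
    protected $fillable = [
        'name',
        'email',
        'password',
        'role',      // required by omni-central-auth
        'is_admin',  // required by omni-central-auth
    ];
}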
```

### 2. Set mode in `.env`

```
OMNI_AUTH_MODE=server
```

### 3. Run migrations

```
php artisan migrate
```

### 4. Register

Open `/register` and create your first account. The **first registered user is automatically set as admin**.

### 5. Open the Admin Dashboard

```
http://your-app.com/omni-dashboard
```

### 6. Create an OAuth Client for each client app

Go to `/omni-dashboard/clients/create` and fill in:

- **App Name** — e.g. `HR Application`
- **Redirect URI** — the callback URL on the client app, e.g. `http://client-app.com/omni/callback`

> Do **not** use Client ID `1` or `2` — those are created automatically by Passport for internal use and do not support Authorization Code flow.

After creating, copy the **Client ID**, **Client Secret**, and **SSO Signing Key** — you will need them in the client app.

> The **SSO Signing Key** (`OMNI_CENTRAL_SIGNING_KEY`) is auto-generated during `php artisan omni:install` and saved to `.env`. It is used to encrypt user data payloads sent to client apps. Client apps must use the **exact same key** to decrypt.

---

Mode: `client` (Service Provider)
---------------------------------

### 1. Install the package

```
composer require developerawam/omni-central-auth
php artisan omni:install
# Choose: client
```

### 2. Publish and run migrations

```
php artisan vendor:publish --tag=omni-migrations
php artisan migrate
```

### 3. Disable Fortify views

Since the client app does not handle login UI itself, publish the Fortify config and disable its views:

```
php artisan vendor:publish --provider="Laravel\Fortify\FortifyServiceProvider"
```

In `config/fortify.php`:

```
'views' => false,
```

### 4. Socialite driver (automatic)

The package automatically registers the `omni` Socialite OAuth2 driver from your `.env` configuration. No manual setup in `config/services.php` is required — the `ClientMode` bootstrapper reads credentials directly from `config('omni-central-auth.client.*')`.

> The Socialite driver is only used for the **redirect** step to the SSO Server. The callback no longer uses Socialite — user data is received via encrypted payload.

### 5. Set credentials in `.env`

```
OMNI_AUTH_MODE=client
OMNI_CLIENT_SERVER_URL=http://your-sso-server.com
OMNI_CLIENT_ID=3
OMNI_CLIENT_SECRET=your-client-secret
OMNI_CLIENT_REDIRECT_URI=http://your-client-app.com/omni/callback
OMNI_CENTRAL_SIGNING_KEY=copy-from-server
```

> `OMNI_CLIENT_REDIRECT_URI` must be a **full URL** and must match exactly what is registered in the SSO server dashboard. `OMNI_CENTRAL_SIGNING_KEY` must be **identical** on both server and client — it is used to encrypt (server) and decrypt (client) the user data payload.

### 6. Add the login button to your view

The package includes a ready-to-use SSO login button that opens a **popup window** (similar to Google SSO):

```
@include('omni::components.login-button')
```

The popup flow:

1. Clicking the button opens a centered popup to the SSO Server
2. User logs in and authorizes in the popup
3. On success, the popup closes automatically via `postMessage`
4. The parent page reloads with the user logged in

For a direct redirect (no popup), use the route manually:

```
<a href="/omni/login">Login with Central Account</a>
```

> **No-JavaScript fallback:** The login button component includes a `<noscript>` fallback that uses a regular redirect.

### 7. Customize redirect after login

In `.env`:

```
OMNI_CLIENT_HOME=/dashboard
```

---

SSO Flow
--------

### Popup Login (Default)

The login button opens a **popup window** (similar to Google SSO). After authorization, the server directly sends user data to the parent window via `postMessage` — no redirect back to client callback:

```
[Client App]                  [Popup Window]              [SSO Server]
     │                              │                         │
     │  Click "Login"               │                         │
     │──opens popup────────────────▶│                         │
     │                              │──GET /omni/login───────▶│
     │                              │  (Socialite redirect)   │
     │                              │◀────/oauth/authorize────│
     │                              │                         │
     │                              │  User logs in           │
     │                              │  User sees consent      │
     │                              │  Clicks Authorize       │
     │                              │────────POST /approve───▶│
     │                              │                         │
     │                              │  Encrypt user data      │
     │                              │◀───approved view────────│
     │                              │  postMessage(sso_data)  │
     │◀──popup closes───────────────│                         │
     │                              │                         │
     │  fetch POST /callback/ajax   │                         │
     │  Decrypt + login user        │                         │
     │  window.location.reload()    │                         │
     ▼                                                       ▼
User logged in
```

### Direct Push Architecture

Unlike standard OAuth2 (which requires the client to exchange an authorization code for a token, then fetch user data via API), Omni Central Auth uses **encrypted payload push**:

```
[Client App]
     │
     │  Click "Login" button
     ▼
Open popup → GET /omni/login → redirect to SSO Server
     │
[SSO Server] User logs in & authorizes
     │
     │  Encrypt user data: { omni_id, name, email, avatar, timestamp }
     │  Return approved view with postMessage
     ▼
[Popup] postMessage({sso_data: ENCRYPTED}) → parent window → popup close
     │
[Client App] Parent receives postMessage
     │
     │  fetch POST /omni/callback/ajax with sso_data
     ▼
[Client App] Decrypt payload → firstOrCreate user → auth()->login()
     │
     │  window.location.reload()
     ▼
User logged in
```

### Benefits over Standard OAuth2

| Aspect | Standard OAuth2 | Omni Direct Push |
|---|---|---|
| Round-trips after redirect | 3 (exchange code → get token → fetch user) | 0 (data included in redirect) |
| API endpoint required on server | `/api/user` | None (optional) |
| Access token management | Required (token storage, refresh) | None |
| Works without `/api/user` | No | Yes |
| Security | OAuth2 state + authorization code | AES-256-CBC encrypted payload |

---

Admin Dashboard
---------------

Available at `/omni-dashboard` (configurable via `config/omni-central-auth.php`).

| Feature | Description |
|---|---|
| **OAuth Clients** | Register and manage applications allowed to connect to the SSO |
| **Users & Roles** | Manage users and their access roles |
| **Audit Log** | Monitor login, logout, and token activity |

> Only users with `is_admin = true` or `role = admin` can access the dashboard. The first registered user on a server app is automatically granted admin access.

---

Encryption Mechanism
--------------------

User data is encrypted on the server and decrypted on the client using **AES-256-CBC** with a shared signing key.

### Server (encrypt)

```
use DeveloperAwam\OmniCentralAuth\Http\Controllers\Server\AuthorizationController;

$payload = AuthorizationController::encryptPayload([
    'omni_id' => $user->id,
    'name'    => $user->name,
    'email'   => $user->email,
], $signingKey);
```

### Client (decrypt)

```
use DeveloperAwam\OmniCentralAuth\Http\Controllers\Server\AuthorizationController;

$userData = AuthorizationController::decryptPayload($ssoData, $signingKey);
// Returns: ['omni_id' => 1, 'name' => '...', 'email' => '...', 'avatar' => null, 'timestamp' => 1234567890]
// Returns: null if payload is invalid or tampered
```

### Security details

| Aspect | Implementation |
|---|---|
| Algorithm | AES-256-CBC |
| Key derivation | SHA-256 of `OMNI_CENTRAL_SIGNING_KEY`, truncated to 32 bytes |
| IV | Random 16 bytes per payload |
| Transport | Base64-encoded URL parameter `?sso_data=...` |
| Integrity | Decryption fails on any modification — tampered payload returns `null` |

> The signing key must be **identical** on both server and client. Use `php artisan omni:install` on the server to auto-generate it.
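
AES-256-CBC by itself gives confidentiality, not authentication, so a receiver should verify a MAC over the IV and ciphertext and bound the payload's age before trusting the decrypted user data. The following PHP is an added example, not the package's `encryptPayload`/`decryptPayload`: the envelope layout, the `deriveKeys`/`sealPayload`/`openPayload` names, the key split and the 60-second window are assumptions.

```php
<?php
// Added example, not the package's code. The envelope layout
// base64(iv || tag || ciphertext) and MAX_AGE_SECONDS are assumptions.
const MAX_AGE_SECONDS = 60;

/** Split the shared signing key into separate encryption and MAC keys. */
function deriveKeys(string $signingKey): array
{
    $master = hash('sha256', $signingKey, true); // 32 raw bytes
    return [
        hash_hmac('sha256', 'enc', $master, true),
        hash_hmac('sha256', 'mac', $master, true),
    ];
}

function sealPayload(array $data, string $signingKey): string
{
    [$encKey, $macKey] = deriveKeys($signingKey);
    $data['timestamp'] ??= time();
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    $iv   = random_bytes(16); // fresh IV per payload
    $ct   = openssl_encrypt($json, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $tag  = hash_hmac('sha256', $iv . $ct, $macKey, true); // encrypt-then-MAC
    return base64_encode($iv . $tag . $ct);
}

function openPayload(string $ssoData, string $signingKey, ?int $now = null): ?array
{
    [$encKey, $macKey] = deriveKeys($signingKey);
    $raw = base64_decode($ssoData, true);
    if ($raw === false || strlen($raw) < 64) {
        return null; // not base64, or shorter than IV + tag + one block
    }
    [$iv, $tag, $ct] = [substr($raw, 0, 16), substr($raw, 16, 32), substr($raw, 48)];
    // Check the tag in constant time before any decryption happens.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        return null;
    }
    $json = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !is_int($data['timestamp'] ?? null)) {
        return null;
    }
    $age = ($now ?? time()) - $data['timestamp'];
    return ($age >= 0 && $age <= MAX_AGE_SECONDS) ? $data : null; // stale or future-dated
}

$key    = 'constructed-demo-signing-key'; // constructed sample values
$sealed = sealPayload(['omni_id' => 1, 'name' => 'Demo', 'email' => 'demo@example.test'], $key);
$bytes  = base64_decode($sealed);
$bytes[0] = chr(ord($bytes[0]) ^ 1); // simulate one bit changed in transit
var_dump(openPayload($sealed, $key));                // fresh, untouched payload
var_dump(openPayload(base64_encode($bytes), $key));  // modified payload
var_dump(openPayload($sealed, $key, time() + 3600)); // same payload an hour later
```

The age check only narrows the replay window; a client that needs single-use payloads also has to remember which ones it has already accepted.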

---

Publishing for Customization
----------------------------

```
# Config only
php artisan vendor:publish --tag=omni-config

# Views only
php artisan vendor:publish --tag=omni-views

# Migrations only
php artisan vendor:publish --tag=omni-migrations

# Language files only
php artisan vendor:publish --tag=omni-lang

# Everything at once
php artisan vendor:publish --tag=omni-all
```

---

Full Configuration
------------------

See [`config/omni-central-auth.php`](config/omni-central-auth.php) for all available options.

---

Roadmap
-------

- Beta — SSO Server + Client + Admin Dashboard
- Beta — Direct Push (encrypted payload, no code exchange)
- Beta — Popup login flow (postMessage)
- Beta — User profile dashboard with edit & avatar
- Beta — Role-based access (user / admin)
- v1.0 — Stable release
- v1.1 — Passkeys / WebAuthn support
- v1.2 — Multi-tenancy / Organization
- v2.0 — SAML 2.0 support

---

License
-------

MIT License. See [LICENSE](LICENSE.md) for details.

---

Built with ❤️ by [Developer Awam](https://developerawam.com)
