
digitalcz/openid-connect
========================

PHP implementation of OpenID Connect using symfony/contracts

Latest version: v1.1.0. License: MIT. Requires PHP ^8.4. [Source](https://github.com/digitalcz/openid-connect) | [Packagist](https://packagist.org/packages/digitalcz/openid-connect)

OIDC Connect
============

PHP implementation of [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) using symfony/contracts

Install
-------

Via [Composer](https://getcomposer.org/)

```
$ composer require digitalcz/openid-connect
```

Usage
-----

### Initialization

#### Using the OIDC discovery endpoint

```
use DigitalCz\OpenIDConnect\OidcFactory;
use Symfony\Component\HttpClient\HttpClient;

$httpClient = HttpClient::create();

$oidc = OidcFactory::create(
    httpClient: $httpClient,
    issuer: 'https://auth.example.com',
    clientId: 'my-client-id',
    clientSecret: 'my-client-secret',
    redirectUri: 'https://myapp.example.com/callback',
);
```

#### Using manual issuer configuration

```
use DigitalCz\OpenIDConnect\OidcFactory;
use DigitalCz\OpenIDConnect\Config\IssuerMetadata;
use Symfony\Component\HttpClient\HttpClient;

$httpClient = HttpClient::create();

$issuerMetadata = new IssuerMetadata([
    'authorization_endpoint' => 'https://auth.example.com/authorize',
    'token_endpoint' => 'https://auth.example.com/token',
    'jwks_uri' => 'https://auth.example.com/.well-known/jwks.json',
    'issuer' => 'https://auth.example.com',
]);

$oidc = OidcFactory::create(
    httpClient: $httpClient,
    issuer: $issuerMetadata,
    clientId: 'my-client-id',
    clientSecret: 'my-client-secret',
    redirectUri: 'https://myapp.example.com/callback',
);
```

### Configuration Options

The `OidcFactory::create()` method accepts the following configuration options:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `httpClient` | `HttpClientInterface` | ✓ | - | HTTP client for making requests |
| `issuer` | `string\|array\|IssuerMetadata` | ✓ | - | Issuer URL for discovery, metadata array, or IssuerMetadata instance |
| `clientId` | `string` | ✓ | - | OAuth2/OIDC client identifier |
| `clientSecret` | `string\|null` | - | `null` | OAuth2/OIDC client secret (required for some authentication methods) |
| `redirectUri` | `string\|null` | - | `null` | Redirect URI for authorization code flow |
| `defaultScopes` | `string\|array` | - | `['openid', 'profile', 'email']` | Default scopes to request (space-separated string or array) |
| `authenticationMethod` | `string\|AuthenticationMethod` | - | `client_secret_post` | Client authentication method for token endpoint |
| `pkceMethod` | `string\|PkceMethod` | - | `S256` | PKCE method for authorization code flow (`S256`, `plain`, or `none`) |
| `cache` | `CacheInterface\|null` | - | `null` | Optional cache for storing discovery metadata and JWKS |
| `clock` | `ClockInterface` | - | `SimpleClock` | Clock implementation for time-based operations |
| `cacheSecret` | `string` | - | `'default-oidc-cache-secret'` | Secret used for HMAC-based cache key generation |
| `privateKey` | `string\|null` | - | `null` | PEM-encoded private key for `private_key_jwt` authentication |
| `privateKeyJwk` | `JWK\|null` | - | `null` | JWK private key for `private_key_jwt` authentication (alternative to `privateKey`) |
| `tokenEndpointAuthSigningAlg` | `string\|null` | - | `null` | Signature algorithm for client assertion JWT (e.g., `'HS256'`, `'RS256'`) |
| `clientAssertionAudience` | `string\|null` | - | `null` | Audience claim for client assertion JWT. Special values: `'{issuer}'`, `'{token_endpoint}'`, or custom URL |

#### Authentication Methods

- `client_secret_post` - Send client credentials in POST body
- `client_secret_basic` - Send client credentials in Authorization header
- `client_secret_jwt` - Use JWT signed with client secret
- `private_key_jwt` - Use JWT signed with private key
- `none` - No client authentication (public clients)
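
A configuration that combines the options above for `private_key_jwt` client authentication, with PKCE stated explicitly as `S256` and the documented default `cacheSecret` replaced. This is an added example, not code from the project; the environment variable names, the RSA key file, and the `example.com` URLs are assumptions.

```php
<?php
declare(strict_types=1);

use DigitalCz\OpenIDConnect\OidcFactory;
use Symfony\Component\HttpClient\HttpClient;

require __DIR__ . '/vendor/autoload.php';

// Assumed environment variable names; adapt them to your secret store.
$keyPath = getenv('OIDC_CLIENT_KEY_PATH');
$cacheSecret = getenv('OIDC_CACHE_SECRET');
if ($keyPath === false || $cacheSecret === false || $cacheSecret === '') {
    throw new RuntimeException('OIDC_CLIENT_KEY_PATH and OIDC_CACHE_SECRET must be set');
}

// PEM-encoded RSA private key (assumed, to match RS256 below).
$privateKeyPem = file_get_contents($keyPath);
if ($privateKeyPem === false) {
    throw new RuntimeException('Cannot read the client private key');
}

$oidc = OidcFactory::create(
    httpClient: HttpClient::create(),
    issuer: 'https://auth.example.com',
    clientId: 'my-client-id',
    redirectUri: 'https://myapp.example.com/callback',
    defaultScopes: ['openid'],                   // request only what the app needs
    authenticationMethod: 'private_key_jwt',     // signed assertion instead of a shared secret
    privateKey: $privateKeyPem,
    tokenEndpointAuthSigningAlg: 'RS256',
    clientAssertionAudience: '{token_endpoint}', // special value from the options table
    pkceMethod: 'S256',                          // explicit; 'plain' and 'none' are weaker
    cacheSecret: $cacheSecret,                   // replaces the documented default constant
);
```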

### Authorization Code flow

#### Step 1 - Redirect the user to authorization endpoint

```
$authorizationCode = $oidc->authorizationCode();

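// 'random-state' and 'random-nonce' are placeholders: use a fresh, unpredictable
// value for each login attempt and keep both server-side (e.g. in the session).
$url = $authorizationCode->createAuthorizationUrl([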
    'state' => 'random-state',
    'nonce' => 'random-nonce'
]);

// Redirect user to $url
```

#### Step 2 - Handle the callback and exchange code for tokens

```
// Before using the code, check that $_GET['state'] equals the state sent in step 1
// Get the authorization code from the callback URL
$code = $_GET['code'];
$nonce = 'random-nonce'; // Same nonce used in step 1

$tokens = $authorizationCode->fetchTokens($code, $nonce);

echo "Access Token: " . $tokens->accessToken() . PHP_EOL;
echo "ID Token: " . $tokens->idToken() . PHP_EOL;
echo "Refresh Token: " . $tokens->refreshToken() . PHP_EOL;
```
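
One way to generate and verify the `state` and `nonce` values around the two steps above, so that the callback is bound to the session that started the login. This is an added example, not code from the project; `beginLogin()`, `completeLogin()`, and the session key names are hypothetical, and the library calls appear only as comments.

```php
<?php
declare(strict_types=1);

/** Hypothetical helper: create one-time state and nonce and keep them server-side. */
function beginLogin(array &$session): array
{
    $session['oidc_state'] = bin2hex(random_bytes(32));
    $session['oidc_nonce'] = bin2hex(random_bytes(32));

    return ['state' => $session['oidc_state'], 'nonce' => $session['oidc_nonce']];
}

/**
 * Hypothetical helper: validate the callback query string.
 * Returns [code, nonce] for fetchTokens(), or throws if the callback must be rejected.
 */
function completeLogin(array &$session, array $query): array
{
    $expectedState = $session['oidc_state'] ?? null;
    $nonce = $session['oidc_nonce'] ?? null;
    unset($session['oidc_state'], $session['oidc_nonce']); // single use, even on failure

    if (isset($query['error'])) {
        throw new RuntimeException('Authorization server returned an error');
    }
    $state = $query['state'] ?? null;
    if (!is_string($expectedState) || !is_string($state) || !hash_equals($expectedState, $state)) {
        throw new RuntimeException('State mismatch: callback does not belong to this session');
    }
    $code = $query['code'] ?? null;
    if (!is_string($code) || $code === '' || !is_string($nonce)) {
        throw new RuntimeException('Missing authorization code or nonce');
    }

    return [$code, $nonce];
}

// Constructed demo; in a web request pass $_SESSION and $_GET instead.
$session = [];
$params = beginLogin($session);
// Step 1: $url = $authorizationCode->createAuthorizationUrl($params);
[$code, $nonce] = completeLogin($session, ['state' => $params['state'], 'code' => 'constructed-code']);
// Step 2: $tokens = $authorizationCode->fetchTokens($code, $nonce);

try {
    completeLogin($session, ['state' => $params['state'], 'code' => 'constructed-code']);
} catch (RuntimeException $e) {
    echo 'Replayed callback rejected: ', $e->getMessage(), PHP_EOL;
}
```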

### Client Credentials flow

```
$clientCredentials = $oidc->clientCredentials();
$tokens = $clientCredentials->fetchTokens();

echo "Access Token: " . $tokens->accessToken() . PHP_EOL;
```

### Resource Server (Token Validation)

```
use DigitalCz\OpenIDConnect\ResourceServer\JwtAccessToken;
use DigitalCz\OpenIDConnect\ResourceServer\OpaqueAccessToken;
use DigitalCz\OpenIDConnect\Util\JWT;

$resourceServer = $oidc->resourceServer();

$accessToken = new JwtAccessToken($jwt);
$validatedToken = $resourceServer->introspect($accessToken);

echo "Token is valid for subject: " . $validatedToken->sub() . PHP_EOL;
echo "Token expires at: " . date('Y-m-d H:i:s', $validatedToken->exp()) . PHP_EOL;
```

See [examples](examples) for more complete examples.

Testing
-------

```
$ composer csfix    # fix codestyle
$ composer checks   # run all checks

# or separately
$ composer tests    # run phpunit
$ composer phpstan  # run phpstan
$ composer cs       # run codesniffer
```

Contributing
------------

Please see [CONTRIBUTING](CONTRIBUTING.md) for details.

Security
--------

If you discover any security related issues, please email  instead of using the issue tracker.

Credits
-------

- [Digital Solutions s.r.o.](https://github.com/digitalcz)
- [All Contributors](../../contributors)

License
-------

The MIT License (MIT). Please see [License File](LICENSE) for more information.

