

ericnorris/gcp-auth-contrib
===========================

Unofficial Google Cloud Platform authentication library focusing on speed and correctness.


gcp-auth-contrib
================


[![CI status](https://github.com/ericnorris/gcp-auth-contrib/workflows/CI/badge.svg)](https://github.com/ericnorris/gcp-auth-contrib/actions?query=workflow%3ACI)[![Coveralls.io coverage percentage](https://camo.githubusercontent.com/9e98dff6cde47889d89400e72e562e2202157ff7e8dd67e1037ebd25069d9de4/68747470733a2f2f636f766572616c6c732e696f2f7265706f732f6769746875622f657269636e6f727269732f6763702d617574682d636f6e747269622f62616467652e737667)](https://coveralls.io/github/ericnorris/gcp-auth-contrib)[![Psalm type coverage percentage](https://camo.githubusercontent.com/15573848d90e3a634078b6c3c6d7345b79421c4240910d3efee836c3ecdd1d75/68747470733a2f2f73686570686572642e6465762f6769746875622f657269636e6f727269732f6763702d617574682d636f6e747269622f636f7665726167652e737667)](https://shepherd.dev/github/ericnorris/gcp-auth-contrib)

`gcp-auth-contrib` is an unofficial PHP library for authenticating with Google Cloud Platform products that focuses on sane defaults, correctness, and speed.

- Safely caches all authentication IO to reduce latency across requests when running PHP in a web server context
- All IO is done lazily, which avoids [accidentally DoSing the metadata server](https://github.com/googleapis/google-auth-library-php/issues/297) by not performing any IO during initialization
- Supports [service account impersonation](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials) out of the box
- Clear distinction between fetching OAuth2 access tokens and OIDC identity tokens to make it simple to call [Cloud Functions](https://cloud.google.com/functions/docs/securing/authenticating#service-to-function), [Cloud Run](https://cloud.google.com/functions/docs/securing/authenticating#service-to-function), and similar products
- Fully typed via [Psalm](https://github.com/vimeo/psalm)

```
$fetcher = \ericnorris\GCPAuthContrib\OpinionatedDefaults::get()->makeCredentialsFetcher();

$storageClient = new \Google\Cloud\Storage\StorageClient([
    "credentialsFetcher" => $fetcher,
]);

// ...
```

- [Installation](#installation)
- [Usage](#usage)
    - [Authenticating with Google Cloud Platform APIs](#authenticating-with-google-cloud-platform-apis)
    - [Authenticating with Google Cloud Platform serverless products](#authenticating-with-google-cloud-platform-serverless-products)
    - [Impersonating service accounts](#impersonating-service-accounts)
    - [Determining the project ID](#determining-the-project-id)

Installation
------------


```
composer require ericnorris/gcp-auth-contrib
```

Usage
-----


The following examples all make use of the [OpinionatedDefaults](/src/OpinionatedDefaults.php) class. The defaults are:

- Use a plain [Guzzle](https://github.com/guzzle/guzzle/tree/master) HTTP client. This means exceptions will be thrown for HTTP errors, e.g. for `500s`.
- Use the [Application Default Credentials](https://cloud.google.com/docs/authentication/production#automatically) pattern for finding credentials. **Note:** you **DO NOT** need to provide a service account key file if you are running your code on a Google Cloud Platform product. Using this library (and the opinionated defaults) will authenticate automatically using the metadata server of the product you are running on.
- Cache authentication IO using a [Symfony](https://symfony.com/doc/current/components/cache.html) in-memory and filesystem cache. Access and identity tokens are cached for as long as they are valid, and other requests are cached permanently when it is safe to do so.

If these defaults do not work for you, the [Credentials](/src/Credentials) directory has a flexible set of classes you may use for authentication. It is strongly encouraged that you wrap any such classes with a [CachedCredentials](/src/Credentials/CachedCredentials.php) instance to avoid unnecessary IO.
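To make the two properties above concrete (no IO at construction, and tokens reused for as long as they are valid), here is an added sketch that is not the library's `CachedCredentials` code. The `LazyCachedToken` class, its `$fetch` and `$clock` callables, and the 30-second skew are assumptions for illustration; it caches in memory only, whereas the opinionated defaults also use a filesystem cache.

```php
<?php
declare(strict_types=1);

// Hypothetical class for illustration; not part of gcp-auth-contrib.
final class LazyCachedToken
{
    /** @var callable(): array{token: string, expires_at: int} */
    private $fetch;
    /** @var callable(): int */
    private $clock;
    private int $skew;
    private ?array $cached = null;

    public function __construct(callable $fetch, callable $clock, int $skew = 30)
    {
        // Only store the callables: constructing the object performs no IO.
        $this->fetch = $fetch;
        $this->clock = $clock;
        $this->skew  = $skew;
    }

    public function get(): string
    {
        $now = ($this->clock)();
        // Refetch on first use, or once the token is within $skew seconds of expiry.
        if ($this->cached === null || $this->cached['expires_at'] - $this->skew <= $now) {
            $this->cached = ($this->fetch)();
        }
        return $this->cached['token'];
    }
}

// Constructed demo: a fake token source and a controllable clock, no network involved.
$now    = 1000;
$issued = 0;
$token  = new LazyCachedToken(
    function () use (&$now, &$issued): array {
        $issued++;
        return ['token' => "token-{$issued}", 'expires_at' => $now + 3600];
    },
    function () use (&$now): int { return $now; }
);

printf("fetches after construction: %d\n", $issued);
$token->get();
$token->get();
printf("fetches after two reads: %d\n", $issued);
$now += 3590; // ten seconds before expiry, inside the skew window
printf("token after clock advance: %s (fetches: %d)\n", $token->get(), $issued);
```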

### Authenticating with Google Cloud Platform APIs

The Google Cloud Platform PHP library generally requires a class implementing the [FetchAuthTokenInterface](https://github.com/googleapis/google-auth-library-php/blob/9ccaea6037abff9a99b8a58891b9dc8fe0f0d1b8/src/FetchAuthTokenInterface.php) interface to be passed in to its clients via the `credentials` or `credentialsFetcher` option array key. Which key applies depends on the client; see [the docs](https://googleapis.github.io/google-cloud-php/#/) for your particular client to know which one to use.

You can retrieve a `FetchAuthTokenInterface` compatible object by calling `makeCredentialsFetcher` on the `OpinionatedDefaults` class.

```
$fetcher = \ericnorris\GCPAuthContrib\OpinionatedDefaults::get()->makeCredentialsFetcher();

// the StorageClient class takes the parameter as a "credentialsFetcher" option
$storageClient = new \Google\Cloud\Storage\StorageClient([
    "credentialsFetcher" => $fetcher,
]);

// the BigtableClient class takes the parameter as a "credentials" option
$bigtableClient = new \Google\Cloud\Bigtable\BigtableClient([
    "credentials" => $fetcher,
]);

// ...
```

### Authenticating with Google Cloud Platform serverless products


Calling authenticated Cloud Run or Cloud Function services requires an OIDC identity token. All instances of [Credentials](https://github.com/ericnorris/gcp-auth-contrib/blob/master/src/Contracts/Credentials.php) in this library offer a separate `fetchIdentityToken(string $audience)` method for exactly this purpose.

**Note:** This includes the [AuthorizedUserCredentials](https://github.com/ericnorris/gcp-auth-contrib/blob/master/src/Credentials/AuthorizedUserCredentials.php)! You can use a user’s OAuth credentials (via `gcloud auth application-default login` or by doing the OAuth2 flow yourself) to call authenticated serverless products.

```
$credentials = \ericnorris\GCPAuthContrib\OpinionatedDefaults::get()->makeCredentials();

$identityTokenResponse = $credentials->fetchIdentityToken("https://your-cloud-function-or-run-url-here");

$headers = [
    "Authorization: Bearer {$identityTokenResponse->getIdentityToken()}",
];

$curl = curl_init();

curl_setopt($curl, CURLOPT_URL, "https://your-cloud-function-or-run-url-here");
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);

// ...
```
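An identity token is only useful to the service named in its `aud` claim, so it is worth checking the claims of what you are about to send. The following is an added example, not code from this library: `decodeJwtClaims` and `identityTokenProblems` are hypothetical helpers, the sample token is constructed, and the 60-second minimum lifetime is an assumption. It reads the claims without verifying the signature, which is the receiving service's job.

```php
<?php
declare(strict_types=1);

// Added example: helper names are hypothetical, not part of gcp-auth-contrib.

/** Decode a JWT's claims WITHOUT verifying the signature (client-side sanity check only). */
function decodeJwtClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('expected three dot-separated JWT segments');
    }
    // JWT segments are base64url-encoded with the padding stripped.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    if ($json === false) {
        throw new InvalidArgumentException('claims segment is not valid base64url');
    }
    $claims = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('claims segment is not a JSON object');
    }
    return $claims;
}

/** Return a list of reasons the token should not be sent to $expectedAudience. */
function identityTokenProblems(string $jwt, string $expectedAudience, int $now, int $minTtl = 60): array
{
    $claims   = decodeJwtClaims($jwt);
    $problems = [];
    // "aud" may be a single string or a list of strings.
    if (!in_array($expectedAudience, (array) ($claims['aud'] ?? []), true)) {
        $problems[] = 'audience mismatch';
    }
    if (!is_int($claims['exp'] ?? null)) {
        $problems[] = 'missing exp claim';
    } elseif ($claims['exp'] - $now < $minTtl) {
        $problems[] = 'expired or about to expire';
    }
    return $problems;
}

// Constructed sample token with a placeholder signature, for illustration only.
$b64url = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$aud    = 'https://your-cloud-function-or-run-url-here';
$token  = $b64url('{"alg":"RS256"}') . '.' . $b64url(json_encode(['aud' => $aud, 'exp' => 2000])) . '.' . $b64url('sig');

var_dump(identityTokenProblems($token, $aud, 1000));                    // matching audience, 1000 s of lifetime left
var_dump(identityTokenProblems($token, 'https://other.example', 1990)); // different audience, 10 s of lifetime left
```

In real use the first argument would be the string returned by `getIdentityToken()` and `$now` would be `time()`.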

### Impersonating service accounts


You may impersonate another Google Cloud Platform service account using the [service account impersonation](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials) flow. Assuming the service account running the below code has the `roles/iam.serviceAccountTokenCreator` IAM role on an imaginary service account `other-account@some-project-id.iam.gserviceaccount.com`:

```
$fetcher = \ericnorris\GCPAuthContrib\OpinionatedDefaults::get()->makeImpersonatedCredentialsFetcher(
    "other-account@some-project-id.iam.gserviceaccount.com",
);

// calls will be authenticated using the other account's credentials
$storageClient = new \Google\Cloud\Storage\StorageClient([
    "credentialsFetcher" => $fetcher,
]);

// ...
```

### Determining the project ID

Fetching the project ID may not be supported by all credential types.

```
$credentials = \ericnorris\GCPAuthContrib\OpinionatedDefaults::get()->makeCredentials();

echo "project ID: {$credentials->fetchProjectID()}";
```

