fabiang/sasl
============

Abstraction of various SASL mechanism responses.

Latest release: v2.0.0. License: BSD-3-Clause. Requires PHP ~8.2.0 || ~8.3.0 || ~8.4.0.

The PHP SASL authentication library. A fully refactored version of the original [Auth\_SASL2 PEAR package](http://pear.php.net/package/Auth_SASL2/).

Provides code to generate responses to common SASL mechanisms, including:

- Digest-MD5
- Cram-MD5
- Plain
- Anonymous
- Login (Pseudo mechanism)
- SCRAM

Security
--------

Please note that MD5- and SHA1-based authentication mechanisms are considered insecure. Therefore you should prefer at least SCRAM-SHA-256 for **non-secure connections (TLS)** whenever possible. For that reason Digest-MD5, Cram-MD5 and SCRAM-SHA-1 are deprecated and were removed in modern server software.

Installation
------------

The easiest way to install fabiang/sasl is by using [Composer](https://getcomposer.org):

```
composer require fabiang/sasl
```

Usage
-----

Use the factory method to create an authentication mechanism object:

```
use Fabiang\SASL\SASL;

$mechanism = SASL::SCRAM_SHA3_256->mechanism([
    'authcid'  => 'username',
    'secret'   => 'password',
    'authzid'  => 'authzid', // optional. Username to proxy as
    'service'  => 'servicename', // optional. Name of the service
    'hostname' => 'hostname', // optional. Hostname of the service
]);

$response = $mechanism->createResponse();
```

Or create from string:

```
// throws Fabiang\SASL\Exception\UnsupportedMechanismException
$mechanism = SASL::fromString('SCRAM-SHA3-256')->mechanism([
    // ...
]);
```

Challenge-based authentication mechanisms implement the interface `Fabiang\SASL\Authentication\ChallengeAuthenticationInterface`. For those mechanisms call the method again with the challenge returned by the server:

```
$response = $mechanism->createResponse($challenge);
```

**Note**: The challenge must be Base64 decoded.

### SCRAM verification

To verify the data returned by the server for SCRAM you can call:

```
$trusted = $mechanism->verify($data);
```

If the method returns false you should disconnect.
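
What a SCRAM client checks before trusting the server's final message, following RFC 5802, as an added example that is not the library's own code and does not claim to mirror how `verify()` is implemented. The function names are hypothetical, and the sample messages are the SCRAM-SHA-256 exchange published in RFC 7677.

```php
<?php
declare(strict_types=1);

/** Split "k=v,k=v" SCRAM attributes; values may themselves contain "=". */
function scramAttributes(string $message): array
{
    $attrs = [];
    foreach (explode(',', $message) as $pair) {
        if (strlen($pair) >= 2 && $pair[1] === '=') {
            $attrs[$pair[0]] = substr($pair, 2);
        }
    }
    return $attrs;
}

/** True only if the server-final-message proves the server knows the salted password. */
function verifyServerFinal(string $password, string $clientFirstBare, string $serverFirst,
    string $clientFinalNoProof, string $serverFinal, string $algo = 'sha256'): bool
{
    $client = scramAttributes($clientFirstBare);
    $first  = scramAttributes($serverFirst);
    $final  = scramAttributes($serverFinal);
    // Malformed messages and "e=" error replies carry no signature to trust.
    if (!isset($client['r'], $first['r'], $first['s'], $first['i'], $final['v'])) {
        return false;
    }
    // The server nonce must extend the nonce this client generated.
    if (!str_starts_with($first['r'], $client['r']) || $first['r'] === $client['r']) {
        return false;
    }
    $salt    = base64_decode($first['s'], true);
    $claimed = base64_decode($final['v'], true);
    $rounds  = (int) $first['i'];
    if ($salt === false || $claimed === false || $rounds < 1) {
        return false;
    }
    $salted      = hash_pbkdf2($algo, $password, $salt, $rounds, 0, true);
    $serverKey   = hash_hmac($algo, 'Server Key', $salted, true);
    $authMessage = implode(',', [$clientFirstBare, $serverFirst, $clientFinalNoProof]);
    $expected    = hash_hmac($algo, $authMessage, $serverKey, true);
    return hash_equals($expected, $claimed); // constant-time comparison
}

// Constructed input: the SCRAM-SHA-256 example exchange from RFC 7677 (password "pencil").
$c1 = 'n=user,r=rOprNGfwEbeRWgbNEkqO';
$s1 = 'r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096';
$c2 = 'c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0';
var_dump(verifyServerFinal('pencil', $c1, $s1, $c2, 'v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4='));
// A signature from a party that does not know the password fails the check.
var_dump(verifyServerFinal('pencil', $c1, $s1, $c2, 'v=' . base64_encode(str_repeat("\0", 32))));
```

The server signature is what gives SCRAM mutual authentication: a peer that relays or guesses messages without the stored credentials cannot produce it, which is why a failed check ends the session.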

### SCRAM downgrade protection

To enable [downgrade protection for SCRAM](https://xmpp.org/extensions/xep-0474.html), you'll need to pass the allowed authentication mechanisms and channel-binding types via options to the factory:

**Note**: [Channel-binding](https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism#Channel_binding) is currently not supported [due to limitations of PHP](https://github.com/php/php-src/issues/16766).

```
$authentication = AuthenticationMechanism::SCRAM_SHA_1->mechanism([
    'authcid'  => 'username',
    'secret'   => 'password',
    'authzid'  => 'authzid', // optional. Username to proxy as
    'service'  => 'servicename', // optional. Name of the service
    'hostname' => 'hostname', // optional. Hostname of the service
    'downgrade_protection' => [ // optional. When `null` downgrade protection string from server won't be validated
        'allowed_mechanisms'       => ['SCRAM-SHA-1-PLUS', 'SCRAM-SHA-1'], // allowed mechanisms by the server
        'allowed_channel_bindings' => ['tls-unique', 'tls-exporter', 'tls-server-end-point'], // allowed channel-binding types by the server
    ],
]);
```

### Required options

List of options required by authentication mechanisms. For mechanisms that are challenge-based you'll need to call `createResponse()` again and send the returned value to the server.

| Mechanism  | Authcid  | Secret | Authzid  | Service | Hostname | Challenge |
|------------|----------|--------|----------|---------|----------|-----------|
| Anonymous  | optional | no     | no       | no      | no       | no        |
| Cram-MD5   | yes      | yes    | no       | no      | no       | yes       |
| Digest-MD5 | yes      | yes    | optional | yes     | yes      | yes       |
| External   | no       | no     | optional | no      | no       | no        |
| Login      | yes      | yes    | no       | no      | no       | no        |
| Plain      | yes      | yes    | optional | no      | no       | no        |
| SCRAM-\*   | yes      | yes    | optional | no      | no       | yes       |

Authcid = e.g. username, Secret = e.g. password

Unit tests
----------

If you like this library and you want to contribute, make sure the unit tests and integration tests are running.

Run the unit tests:

```
./vendor/bin/phpunit
```

Integration tests
-----------------

The integration tests verify the authentication methods against ejabberd and Dovecot servers.

To launch the servers you can use the provided Docker Compose file. Just [install Docker](https://www.docker.com/get-started/) and run:

```
docker compose up -d
```

**Note:** ejabberd takes up to *twenty minutes* to start.

Now you can run the integration tests:

```
./vendor/bin/behat
```

License
-------

BSD-3-Clause. See the [LICENSE.md](LICENSE.md).

###  Release Activity

- Cadence: every ~266 days (recently: every ~83 days)
- Total: 15
- Last release: 441d ago
- Major versions: v1.6.0 → v2.0.0 (2025-03-03)

PHP version history (7 changes):

- 1.0.0-beta1: PHP >=5.3.0
- v1.0.3: PHP ^5.3.3 || ^7.0 || ^8.0
- v1.1.0: PHP ^5.3.3 || ^7.0 || ~8.0.0 || ~8.1.0
- v1.2.0: PHP ^5.3.3 || ^7.0 || ~8.0.0 || ~8.1.0 || ~8.2.0
- v1.3.0: PHP ^5.3.3 || ^7.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0
- v1.5.0: PHP ^5.3.3 || ^7.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0
- v2.0.0: PHP ~8.2.0 || ~8.3.0 || ~8.4.0

### Community

Maintainers: [fabiang](/maintainers/fabiang)

Top contributors:

- [fabiang](https://github.com/fabiang) (148 commits)
- [edhelas](https://github.com/edhelas) (3 commits)
- [dmolnarqu](https://github.com/dmolnarqu) (1 commit)
- [psycotica0](https://github.com/psycotica0) (1 commit)
- [tmolitor-stud-tu](https://github.com/tmolitor-stud-tu) (1 commit)

Tags: auth, authentication, cram-md5, digest-md5, php, sasl, sasl2, scram, scram-sha1, scram-sha256, scram-sha3-512, scram-sha512

###  Code Quality

- Tests: PHPUnit
- Static analysis: Psalm
- Code style: PHP\_CodeSniffer
- Type coverage: yes

