PHPackages flametrench/identity - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. flametrench/identity ActiveLibrary[Authentication & Authorization](/categories/authentication) flametrench/identity ==================== Identity primitives for Flametrench: users, credentials (Argon2id-pinned passwords, passkeys, OIDC), and user-bound sessions with rotation on refresh. v0.2.0(1mo ago)025[1 issues](https://github.com/flametrench/identity-php/issues)1Apache-2.0PHPPHP ^8.3CI passing Since Apr 25Pushed 3d agoCompare [ Source](https://github.com/flametrench/identity-php)[ Packagist](https://packagist.org/packages/flametrench/identity)[ Docs](https://flametrench.dev)[ RSS](/packages/flametrench-identity/feed)WikiDiscussions main Synced 1w ago READMEChangelog (3)Dependencies (2)Versions (11)Used By (1) flametrench/identity ==================== [](#flametrenchidentity) [![CI](https://github.com/flametrench/identity-php/actions/workflows/ci.yml/badge.svg)](https://github.com/flametrench/identity-php/actions/workflows/ci.yml) Identity primitives for [Flametrench](https://flametrench.dev): users, credentials (Argon2id-pinned password + passkey + OIDC), user-bound sessions with rotation on refresh, and v0.2 multi-factor authentication ([ADR 0008](https://github.com/flametrench/spec/blob/main/decisions/0008-mfa.md), [ADR 0010](https://github.com/flametrench/spec/blob/main/decisions/0010-webauthn-rs256-eddsa.md)) — TOTP (RFC 6238), recovery codes, and WebAuthn assertion verification across ES256 / RS256 / EdDSA. The PHP counterpart of [`@flametrench/identity`](https://github.com/flametrench/node/tree/main/packages/identity). Same shapes, same lifecycle, same Argon2id parameter floor, same opaque-bearer-token-vs-session-id distinction. **Status:** v0.2.0 (stable). PHP 8.3+, ext-sodium required (for token base64url encoding). Includes the production-ready `PostgresIdentityStore` alongside the in-memory reference store. Per ADR 0014 the `User` entity carries an optional `display_name` with a partial-update `updateUser` operation; per ADR 0015 `listUsers` provides cursor-paginated user enumeration with a credential-identifier substring filter; per ADR 0013 the Postgres adapter cooperates with adopter-side outer transactions via savepoints when nested. Install ------- [](#install) ``` composer require flametrench/identity ``` Quick start ----------- [](#quick-start) ``` use Flametrench\Identity\InMemoryIdentityStore; $store = new InMemoryIdentityStore(); // Create a user + a password credential. $user = $store->createUser(); $cred = $store->createPasswordCredential($user->id, 'alice@example.com', 'correcthorsebatterystaple'); // Verify and open a session. $verified = $store->verifyPassword('alice@example.com', 'correcthorsebatterystaple'); $sw = $store->createSession($verified->usrId, $verified->credId, ttlSeconds: 3600); // Later, verify an incoming bearer token. $session = $store->verifySessionToken($sw->token); ``` Argon2id is pinned ------------------ [](#argon2id-is-pinned) Password credentials use PHP's native `PASSWORD_ARGON2ID` at the spec floor (`m=19456, t=2, p=1`). These match the OWASP Password Storage Cheat Sheet floor and are the same parameters used by `@flametrench/identity`. Implementations MUST NOT use bcrypt, scrypt, PBKDF2, or any other algorithm — the spec is opinionated on this point because inconsistency causes breaches. Sessions: tokens vs. ids ------------------------ [](#sessions-tokens-vs-ids) The session `id` is an **identifier** (appears in logs, audit, admin). The bearer **token** is separate — 32 random bytes, base64url-encoded — and only the SHA-256 hash is persisted. The plaintext token is returned exactly once from `createSession` / `refreshSession` and never leaves the caller's control via this SDK. Same separation as the spec defines. `refreshSession` rotates: new session id, new token, old session revoked. In-place refresh is not spec-conformant. Credential type discrimination ------------------------------ [](#credential-type-discrimination) PHP doesn't have discriminated unions, so credentials are three concrete classes implementing the `Credential` interface: ``` $cred = $store->getCredential($credId); match (true) { $cred instanceof PasswordCredential => /* ... */, $cred instanceof PasskeyCredential => /* ... */, $cred instanceof OidcCredential => /* ... */, }; ``` Sensitive material (password hash, passkey public key bytes) is stored internally and never exposed on the public Credential shape — verification uses `verifyPassword()` and never returns hash material to callers. Errors ------ [](#errors) ClassCode`NotFoundException``not_found``DuplicateCredentialException``conflict.duplicate_credential``InvalidCredentialException``unauthorized.invalid_credential``CredentialNotActiveException``conflict.credential_not_active``CredentialTypeMismatchException``conflict.credential_type_mismatch``SessionExpiredException``unauthorized.session_expired``InvalidTokenException``unauthorized.invalid_token``AlreadyTerminalException``conflict.already_terminal``PreconditionException``precondition.`Cascade semantics (spec-required) --------------------------------- [](#cascade-semantics-spec-required) - **Revoking a user** revokes every active credential AND terminates every active session. - **Suspending a user** terminates every active session but leaves credentials alone (the user can be reinstated and their creds still work). - **Rotating a credential** terminates every session that was established by the old credential. - **Suspending or revoking a credential** terminates every session bound to it. All cascades are atomic in the in-memory store; tests have explicit fixtures for each. Development ----------- [](#development) ``` composer install composer test ``` License ------- [](#license) Apache License 2.0. Copyright 2026 NDC Digital, LLC. ### Health Score 41 — FairBetter than 87% of packages Maintenance96 Actively maintained with recent releases Popularity9 Limited adoption so far Community8 Small or concentrated contributor base Maturity45 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~0 days Total 9 Last Release 40d ago ### Community Maintainers ![](https://avatars.githubusercontent.com/u/19826928?v=4)[Nathan Call](/maintainers/nathancall)[@nathancall](https://github.com/nathancall) --- Top Contributors [![nathancall](https://avatars.githubusercontent.com/u/19826928?v=4)](https://github.com/nathancall "nathancall (26 commits)") --- Tags identityUserssessionscredentialspasskeyoidcArgon2idflametrench ### Code Quality TestsPest ### Embed Badge ![Health badge](/badges/flametrench-identity/health.svg) ``` [![Health](https://phpackages.com/badges/flametrench-identity/health.svg)](https://phpackages.com/packages/flametrench-identity) ``` ### Alternatives [league/oauth2-client OAuth 2.0 Client Library 3.9k125.2M1.3k](/packages/league-oauth2-client)[league/oauth1-client OAuth 1.0 Client Library 996106.2M114](/packages/league-oauth1-client)[onelogin/php-saml PHP SAML Toolkit 1.3k46.5M132](/packages/onelogin-php-saml)[facile-it/php-openid-client OpenID (OIDC) Client 42641.9k12](/packages/facile-it-php-openid-client)[drenso/symfony-oidc-bundle OpenID connect bundle for Symfony 93714.0k3](/packages/drenso-symfony-oidc-bundle)[ronvanderheijden/openid-connect OpenID Connect support to the PHP League's OAuth2 Server. Compatible with Laravel Passport. 62841.9k](/packages/ronvanderheijden-openid-connect) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)