
flownative/oauth2-client
========================

A generic OAuth2 client base implementation for Flow Framework applications

Latest version: v4.1.2. License: MIT. Requires PHP ^8.1.

[Source](https://github.com/flownative/flow-oauth2-client) | [Packagist](https://packagist.org/packages/flownative/oauth2-client)


OAuth 2.0 Client for Flow Framework
===================================


This [Flow](https://flow.neos.io) package provides an OAuth 2.0 client SDK. Even though it can be used as a generic OAuth2 client, it was developed as a backing library for the [OpenID Connect package](https://github.com/flownative/flow-openidconnect-client). That's why documentation for this package is a bit sparse at the moment and examples for generic use are missing.

Authorizations
--------------


This package stores states and tokens as "authorizations" in a dedicated database table.

For example, during the authorization code flow, this package needs to keep track of a "state" in order to make sense of an incoming "finish authorization" request. Another example is the client credentials flow, where an access token is stored in the authorizations table which is needed for executing authorized requests to the respective service.

### Token lifetime


New Authorization tokens are created with a lifetime of 600 seconds (10 minutes) by default. The expiration date is updated during authentication if a different `expires` parameter is specified in the OAuth2 access token.

The default token lifetime and the probability with which expired tokens are removed automatically can be configured:

```
Flownative:
  OAuth2:
    Client:
      garbageCollection:
        # The probability in percent of a client shutdown triggering a garbage
        # collection which removes expired tokens.
        #
        # Examples:
        #    1    (would be a 1% chance to clean up)
        #   20    (would be a 20% chance to clean up)
        #    0.42 (would be a 0.42 % chance to clean up)
        probability: 1
    token:
      # default lifetime of new tokens in seconds
      defaultLifetime: 600
```

Note: By setting the `defaultLifetime` to `null`, new tokens won't expire by default.

### Authorization metadata


Authorizations also may contain developer-provided metadata. For example, you may attach an account identifier to an authorization when an authorization process starts and use that information when authorization finishes to make sure that the authorization is only used for a specific account (or customer number, or participant id).

To set metadata, you need to know the authorization id when starting the authorization code flow. This code could be used in an overloaded `startAuthorizationAction()`:

```
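// Generate the authorization id up front so that metadata can be attached to it.
$authorizationId = $oAuthClient->generateAuthorizationIdForAuthorizationCodeGrant($this->appId);
$loginUri = $oAuthClient->startAuthorizationWithId(
    $authorizationId,
    $this->appId,
    $this->appSecret,
    $returnToUri,
    $scope
);
// Store the developer-provided metadata (as JSON) with the authorization.
$oAuthClient->setAuthorizationMetadata($authorizationId, json_encode($metadata));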
```

And later, in `finishAuthorization()`, you may retrieve the metadata as follows:

```
// Load the authorization and decode the metadata stored when the flow started.
$authorization = $this->getAuthorization($authorizationId);
$metadata = json_decode($authorization->getMetadata());
```
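One way to enforce the account binding described above when authorization finishes. This is an added example, not code from the package: the helper `metadataMatchesAccount()`, the `accountIdentifier` field name and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of the package): checks that the metadata
 * stored when the flow started names the account that is now finishing it.
 * The "accountIdentifier" field name is an assumption of this example.
 */
function metadataMatchesAccount(?string $metadataJson, string $currentAccountId): bool
{
    if ($metadataJson === null || $metadataJson === '') {
        return false; // no binding recorded: refuse rather than assume
    }
    try {
        $metadata = json_decode($metadataJson, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return false; // corrupted or unexpected content
    }
    $bound = is_array($metadata) ? ($metadata['accountIdentifier'] ?? null) : null;
    return is_string($bound) && hash_equals($bound, $currentAccountId);
}

// Constructed sample values.
$stored = json_encode(['accountIdentifier' => 'customer-1001'], JSON_THROW_ON_ERROR);
var_dump(metadataMatchesAccount($stored, 'customer-1001'));   // same account
var_dump(metadataMatchesAccount($stored, 'customer-2002'));   // different account
var_dump(metadataMatchesAccount(null, 'customer-1001'));      // no metadata stored
var_dump(metadataMatchesAccount('{"accountIdentifier":', 'customer-1001')); // malformed JSON
```

In `finishAuthorization()` the first argument would be `$authorization->getMetadata()`; a `false` result means the authorization should not be used for the current account.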

Encryption
----------


By default, access tokens are serialized and stored unencrypted in the "authorizations" database table. You can improve the security of your application by enabling the encrypted-at-rest feature of this package. When active, it encrypts tokens before storing them in the database and decrypts them automatically when they are retrieved. The secret key needed for encryption and decryption is not stored in the database.

This package uses the "ChaCha20-Poly1305-IETF" construction for authenticated encryption / decryption of serialized tokens. It uses the ["sodium" PHP extension](https://www.php.net/sodium) if installed, or [a polyfill implementation](https://packagist.org/packages/paragonie/sodium_compat) in pure PHP.

### Generating a Secret Key


The OAuth2 Flow package provides a CLI command for generating encryption keys suitable for the currently supported encryption method:

```
$ ./flow oauth:generateencryptionkey
qpBzrH7icQqBKenvk8wTKROv4qcJNxslzdGo3IKXmws=
```

The key is base64-encoded to simplify handling and so that it can be passed via Flow settings.

### Enabling Encryption


Set the encryption key via Flow settings (for example in your global "Configuration/Settings.yaml"). Make sure to deploy this setting securely, for example by creating the Settings file during deployment or by using environment variables.

```
Flownative:
  OAuth2:
    Client:
      encryption:
        base64EncodedKey: 'qpBzrH7icQqBKenvk8wTKROv4qcJNxslzdGo3IKXmws='
```

### Verifying Encryption Configuration


When you have set the encryption key, test that everything is working as expected. Run your application so that a new authorization is created. Check the database table `flownative_oauth2_client_authorization`: the column `serializedaccesstoken` should be empty and the column `encryptedserializedaccesstoken` should contain a long string similar to this one:

```
ChaCha20-Poly1305-IETF$Mjdj4s9IFrPp6HFK$k9v3x…KQ==
```

There are three parts in this string, separated by two dollar signs:

1. the construction used for encryption ("ChaCha20-Poly1305-IETF")
2. the nonce used for this particular entry ("Mjdj4s9IFrPp6HFK")
3. the encrypted data ("k9v3x…KQ==")

