horde/oauth
===========

OAuth 1.0a, OAuth 2.0 and OpenID Connect library

Latest release: v4.0.0 (4d ago) | License: BSD-2-Clause | Language: PHP | Requires PHP ^8.1 | CI failing

Since Jan 9 | Pushed 3d ago | 5 watchers

[Source](https://github.com/horde/Oauth) | [Packagist](https://packagist.org/packages/horde/oauth) | [Docs](https://www.horde.org/libraries/Horde_Oauth) | Branch: FRAMEWORK\_6\_0

Horde\OAuth
============

OAuth 1.0a consumer, OAuth 2.0 authorization server and client, and OpenID Connect provider library for the [Horde Project](https://www.horde.org/), with virtually no framework ties.

Features
--------

### OAuth 1.0a Client (`Horde\OAuth\V10a\Client`)

- **3-legged authorization flow**: Request token, user authorization, access token exchange
- **PSR-18 HTTP client**: Inject any compliant HTTP client (horde/http, Guzzle, Symfony HttpClient etc.)
- **Signature methods**: HMAC-SHA1, HMAC-SHA256, RSA-SHA1, PLAINTEXT
- **Authenticated HTTP client**: PSR-18 decorator that signs every outgoing request with OAuth 1.0a credentials
- Immutable value objects for consumer credentials, tokens and provider endpoints

### OAuth 2.0 Client (`Horde\OAuth\Client`)

- Authorization code flow with PKCE support
- Token refresh with automatic retry
- OpenID Connect provider discovery
- Incremental consent
- Authenticated HTTP client with transparent token refresh

### OAuth 2.0 Server (`Horde\OAuth\Server`)

- Authorization code, client credentials and refresh token grants
- PKCE verification (S256, plain)
- Token introspection and revocation endpoints
- Bearer token middleware (PSR-15)
- Repository pattern with in-memory reference implementation

### OpenID Connect (`Horde\OAuth\Oidc`)

- ID token building with standard claims
- Discovery and JWKS endpoints
- Userinfo endpoint
- Scope-to-claims mapping

Installation
------------

```
composer require horde/oauth
```

Quick Example: OAuth 1.0a Client
--------------------------------

```
use Horde\OAuth\V10a\Client\ConsumerCredentials;
use Horde\OAuth\V10a\Client\OAuth1Client;
use Horde\OAuth\V10a\Client\ProviderEndpoints;
use Horde\OAuth\V10a\Signature\HmacSha1;

$client = new OAuth1Client(
    new ConsumerCredentials('your-consumer-key', 'your-consumer-secret'),
    new ProviderEndpoints(
        'https://provider.example/request_token',
        'https://provider.example/authorize',
        'https://provider.example/access_token',
    ),
    new HmacSha1(),
    $psrHttpClient,       // any PSR-18 ClientInterface
    $requestFactory,      // any PSR-17 RequestFactoryInterface
    $streamFactory,       // any PSR-17 StreamFactoryInterface
);

// Step 1: Obtain a request token
$requestToken = $client->getRequestToken('https://yourapp.example/callback');

// Step 2: Redirect user to authorization URL
$authUrl = $client->getAuthorizationUrl($requestToken, 'https://yourapp.example/callback');

// Step 3: Exchange for access token (after user returns with verifier)
$accessToken = $client->getAccessToken($requestToken, $oauthVerifier);
```

### Making authenticated API calls

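```
use Horde\OAuth\V10a\Client\AuthenticatedHttpClient;
use Horde\OAuth\V10a\Signature\HmacSha1;

// $consumerCredentials is the ConsumerCredentials object passed to OAuth1Client,
// $accessToken is the result of getAccessToken() in the previous example
$authenticatedClient = new AuthenticatedHttpClient(
    $psrHttpClient,
    $consumerCredentials,
    $accessToken,
    new HmacSha1(),
);

// Every request is automatically signed with OAuth 1.0a Authorization header
$response = $authenticatedClient->sendRequest($request);
```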
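
What signing a request with HMAC-SHA1 involves under RFC 5849 section 3.4, as an added example that is not horde/oauth's own code. The function names are hypothetical, and the sample request and credentials are the published ones from Appendix A of the OAuth Core 1.0 specification.

```php
<?php
declare(strict_types=1);

// Added illustration of RFC 5849 section 3.4; function names are hypothetical,
// not part of the horde/oauth API.

/** Normalize parameters (section 3.4.1.3.2): encode, sort by name then value, join. */
function normalizeParameters(array $params): string
{
    $pairs = [];
    foreach ($params as [$name, $value]) {
        $pairs[] = [rawurlencode($name), rawurlencode($value)];
    }
    // Byte-wise ordering; strcmp avoids PHP's numeric-string comparison rules.
    usort($pairs, fn (array $a, array $b): int => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    return implode('&', array_map(fn (array $p): string => $p[0] . '=' . $p[1], $pairs));
}

/** Signature base string: METHOD & encoded base URI & encoded parameter string. */
function signatureBaseString(string $method, string $baseUri, array $params): string
{
    return strtoupper($method) . '&' . rawurlencode($baseUri)
        . '&' . rawurlencode(normalizeParameters($params));
}

/** HMAC-SHA1 (section 3.4.2): key is encoded consumer secret & encoded token secret. */
function signHmacSha1(string $baseString, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// Sample request from Appendix A of the OAuth Core 1.0 specification.
// Query and oauth_* parameters are signed together; oauth_signature is excluded.
$params = [
    ['file', 'vacation.jpg'], ['size', 'original'],
    ['oauth_consumer_key', 'dpf43f3p2l4k3l03'], ['oauth_token', 'nnch734d00sl2jdk'],
    ['oauth_signature_method', 'HMAC-SHA1'], ['oauth_timestamp', '1191242096'],
    ['oauth_nonce', 'kllo9940pd9333jh'], ['oauth_version', '1.0'],
];
$base      = signatureBaseString('GET', 'http://photos.example.net/photos', $params);
$signature = signHmacSha1($base, 'kd94hf93k423kf44', 'pfkkdhi9sl3r4s00');

echo $base, PHP_EOL, $signature, PHP_EOL;
// A verifier recomputes the signature and compares it in constant time
// against the value published in the specification's appendix.
var_dump(hash_equals('tR3+Ty81lMeYAr/Fid0kMTYa/WM=', $signature));
```

Because the nonce and timestamp are part of the signed string, a provider that tracks them can reject a replayed request even when the signature itself is valid.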

Quick Example: OAuth 2.0 Client
-------------------------------

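```
use Horde\OAuth\Client\OAuth2Client;
use Horde\OAuth\Client\ProviderConfig;

$provider = ProviderConfig::fromArray([
    'authorization_endpoint' => 'https://provider.example/authorize',
    'token_endpoint'         => 'https://provider.example/token',
]);

$client = new OAuth2Client(
    $provider,
    'your-client-id',
    'your-client-secret',
    'https://yourapp.example/callback',
    $psrHttpClient,       // any PSR-18 ClientInterface
    $requestFactory,      // any PSR-17 RequestFactoryInterface
    $streamFactory,       // any PSR-17 StreamFactoryInterface
);

// Unguessable per-request state: store it in the user's session and compare it
// with the state returned to the callback before exchanging the code
$state = bin2hex(random_bytes(16));

$authUrl  = $client->getAuthorizationUrl(['openid', 'profile'], $state);

// $authorizationCode is the "code" query parameter received on the callback
$tokenSet = $client->exchangeCode($authorizationCode);
```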
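
The PKCE support listed under Features (RFC 7636, methods S256 and plain) comes down to the derivation and check below. This is an added example, not horde/oauth's own code: the function names are hypothetical, and the test vector is the one from RFC 7636 Appendix B.

```php
<?php
declare(strict_types=1);

// Added illustration of RFC 7636; function names are hypothetical,
// not part of the horde/oauth API.

function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** Client: 32 random bytes give a 43-character verifier (section 4.1). */
function createCodeVerifier(): string
{
    return base64UrlEncode(random_bytes(32));
}

/** Client: derive the code_challenge sent with the authorization request. */
function createCodeChallenge(string $verifier, string $method = 'S256'): string
{
    return match ($method) {
        'S256'  => base64UrlEncode(hash('sha256', $verifier, true)),
        'plain' => $verifier,
        default => throw new InvalidArgumentException("Unsupported method: $method"),
    };
}

/**
 * Server: check the code_verifier from the token request. $storedMethod must be
 * the method recorded with the authorization code, never one supplied at token
 * time, otherwise an S256 challenge could be downgraded to plain.
 */
function verifyCodeChallenge(string $verifier, string $storedChallenge, string $storedMethod): bool
{
    // Section 4.1: 43 to 128 characters from the unreserved set.
    if (preg_match('/\A[A-Za-z0-9\-._~]{43,128}\z/', $verifier) !== 1) {
        return false;
    }
    return hash_equals($storedChallenge, createCodeChallenge($verifier, $storedMethod));
}

// Test vector from RFC 7636 Appendix B.
$verifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$challenge = createCodeChallenge($verifier);
var_dump($challenge === 'E9Melhoa2OwvFrEMTJguCH-XLoTgngy64y8A5pBQj6M');
var_dump(verifyCodeChallenge($verifier, $challenge, 'S256'));
// A different verifier (freshly generated here) must not match the stored challenge.
var_dump(verifyCodeChallenge(createCodeVerifier(), $challenge, 'S256'));
```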

Architecture
------------

This library depends only on PSR interfaces (`psr/http-client`, `psr/http-message`, `psr/http-factory`, `psr/http-server-handler`, `psr/http-server-middleware`) and `horde/jwt` for JWT token handling. It does not depend on any concrete HTTP implementation, allowing consumers to bring their own PSR-18 client. But they really shouldn't. The horde/http library is all they need.

See [doc/ARCHITECTURE.md](doc/ARCHITECTURE.md) for design principles and rationale and [doc/UPGRADING.md](doc/UPGRADING.md) for migration guidance from 2.x.

Relevant RFCs
-------------

- [RFC 5849](https://datatracker.ietf.org/doc/html/rfc5849) - OAuth 1.0a
- [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749) - OAuth 2.0
- [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) - PKCE
- [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662) - Token Introspection
- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)

Requirements
------------

- PHP 8.1 or later
- `ext-hash`
- `ext-json`
- `ext-openssl`

License
-------

BSD-2-Clause. See [LICENSE](LICENSE) for details.

### Health Score

60 (Fair). Better than 98% of packages.

- Maintenance: 99. Actively maintained with recent releases
- Popularity: 25. Limited adoption so far
- Community: 29. Small or concentrated contributor base
- Maturity: 79. Established project with proven stability
- Bus Factor: 1. Top contributor holds 54.9% of commits, a single point of failure

How is this calculated?

- **Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~524 days (recently: every ~18 days)
- Total: 9
- Last Release: 4d ago

Major Versions

- 2.0.4 → v3.0.0alpha1 (2021-07-04)
- v3.0.0alpha1 → v4.0.0beta1 (2026-04-19)

PHP version history (4 changes)

- 2.0.2: PHP >=5.3.0,<=6.0.0alpha1
- 2.0.4: PHP ^5.3 || ^7
- v3.0.0alpha1: PHP ^7
- v4.0.0beta1: PHP ^8.1

### Community

Maintainers

- yunosh
- ralflang
- horde
- mrubinsk
- tdannhauer

Top Contributors

- [yunosh](https://github.com/yunosh) (84 commits)
- [ralflang](https://github.com/ralflang) (39 commits)
- [mrubinsk](https://github.com/mrubinsk) (26 commits)
- [slusarz](https://github.com/slusarz) (3 commits)
- [wrobel](https://github.com/wrobel) (1 commit)

Tags

oauth2, OpenID Connect, oidc, rfc7636, rfc6749

