
jeffersongoncalves/laravel-oidc
===============================

OpenID Connect for Laravel via a custom Socialite driver. Multi-tenant ready.

v1.0.1(1mo ago)1521MITPHPPHP ^8.2CI passing


[![Laravel OIDC](https://raw.githubusercontent.com/jeffersongoncalves/laravel-oidc/master/art/jeffersongoncalves-laravel-oidc.png)](https://raw.githubusercontent.com/jeffersongoncalves/laravel-oidc/master/art/jeffersongoncalves-laravel-oidc.png)

Laravel OIDC
============


Laravel OIDC adds first-class **OpenID Connect** support to Laravel by registering a custom [Laravel Socialite](https://laravel.com/docs/socialite) driver named `oidc`. Unlike vanilla Socialite — which covers OAuth 2.0 but stops at the userinfo step — this package implements the OIDC pieces Socialite leaves out: discovery (`/.well-known/openid-configuration`), JWKS-based `id_token` validation, nonce-based replay protection, and PKCE.

It is designed for **multi-tenant SaaS**: configuration is supplied at runtime, so each tenant can connect its own Azure AD, Okta, Auth0, Google Workspace, Keycloak, or any other spec-compliant OpenID Provider.

Compatibility
-------------


| Package | Laravel | PHP |
|---|---|---|
| 1.x | 11.x, 12.x, 13.x | 8.2, 8.3, 8.4 |

Why?
----


Laravel Socialite ships drivers for fixed providers (GitHub, Google, etc.) and a small set of OAuth 2.0 helpers. It does not:

- Read the IdP's `.well-known/openid-configuration` discovery document.
- Validate the `id_token` JWT against the IdP's JWKS.
- Send and verify a `nonce` to mitigate replay attacks.
- Make per-request configuration easy in multi-tenant scenarios.

This package adds those pieces while staying inside the Socialite mental model: you still call `Socialite::driver('oidc')->redirect()` and `->user()`.

Installation
------------


```
composer require jeffersongoncalves/laravel-oidc
```

Optionally publish the config file:

```
php artisan vendor:publish --tag="oidc-config"
```

Configuration
-------------


The package works out of the box. For single-tenant apps, set the default IdP in `.env`:

```
OIDC_ISSUER_URL=https://login.microsoftonline.com/{tenant-id}/v2.0
OIDC_CLIENT_ID=your-app-client-id
OIDC_CLIENT_SECRET=your-app-secret
OIDC_REDIRECT_URI=https://your-app.test/sso/callback
```

For multi-tenant apps, leave the `default` block empty and supply an `OidcConfig` at runtime (see below).

Usage
-----


### Single-tenant (config from `.env`)


```
use Laravel\Socialite\Facades\Socialite;

Route::get('/sso/redirect', fn () => Socialite::driver('oidc')->redirect());

Route::get('/sso/callback', function () {
    $user = Socialite::driver('oidc')->user();

    // $user->id            // sub claim
    // $user->email
    // $user->name
    // $user->token         // access_token
    // $user->idToken       // raw id_token JWT
    // $user->idTokenClaims // decoded + validated claims
});
```

### Multi-tenant (runtime config)


```
use Laravel\Socialite\Facades\Socialite;
use JeffersonGoncalves\LaravelOidc\Data\OidcConfig;

$config = new OidcConfig(
    issuerUrl: $tenant->issuer_url,
    clientId: $tenant->client_id,
    clientSecret: $tenant->client_secret,
    redirectUri: route('sso.callback'),
    scopes: ['openid', 'email', 'profile'],
);

return Socialite::driver('oidc')
    ->setConfig($config)
    ->redirect();
```

On callback:

```
$oidcUser = Socialite::driver('oidc')
    ->setConfig($config)
    ->user();
```

### `HasOidcConfig` trait for tenant models


If you store IdP configuration on a model (a typical multi-tenant pattern), drop in the trait. It expects columns `issuer_url`, `client_id`, `client_secret` (cast to `encrypted`), `redirect_uri`, and an optional `scopes` JSON column.

```
use JeffersonGoncalves\LaravelOidc\Concerns\HasOidcConfig;

class SsoConnection extends Model
{
    use HasOidcConfig;
}

Socialite::driver('oidc')
    ->setConfig($ssoConnection->toOidcConfig())
    ->redirect();
```

### Discovery without Socialite


```
use JeffersonGoncalves\LaravelOidc\Facades\Oidc;

$discovery = Oidc::discover('https://login.microsoftonline.com/{tenant-id}/v2.0');

$discovery->authorizationEndpoint;
$discovery->tokenEndpoint;
$discovery->userinfoEndpoint;
$discovery->jwksUri;
$discovery->issuer;
```

Supported Identity Providers
----------------------------


Any IdP that publishes a `.well-known/openid-configuration` discovery document and signs `id_token`s with one of the allowed algorithms (`RS256`, `RS384`, `RS512`, `ES256`, `ES384`) will work. Examples:

| IdP | Issuer URL example |
|---|---|
| Azure AD / Entra ID | `https://login.microsoftonline.com/{tenant-id}/v2.0` |
| Google Workspace | `https://accounts.google.com` |
| Okta | `https://{your-org}.okta.com` |
| Auth0 | `https://{your-tenant}.auth0.com/` |
| Keycloak | `https://{host}/realms/{realm}` |
| Ping Identity | `https://{environment}.pingone.com/{environment-id}/as` |

Security
--------


- **`id_token` validation.** Every `id_token` is decoded against the IdP's JWKS using [`firebase/php-jwt`](https://github.com/firebase/php-jwt). The `iss`, `aud`, `exp`, and `iat` claims are checked, with a configurable clock-skew window.
- **Algorithm allow-list.** Only the algorithms in `oidc.jwt.allowed_algorithms` are accepted. Symmetric algorithms (`HS256` & friends) are intentionally absent — accepting them with a JWKS would enable trivial key-confusion attacks.
- **Replay protection.** A random `nonce` is generated, stored in the session, and verified against the `nonce` claim in the returned `id_token`.
- **PKCE.** Enabled by default with `S256`. Disable per request with `new OidcConfig(..., usePkce: false)`.
- **Caching.** The discovery document is cached for 1 hour and the JWKS for 6 hours by default; both TTLs are configurable. Use `Oidc::clearCache($issuer)` to invalidate after a key rotation.
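
The header and claim checks listed above, sketched as an added example (not the package's own code). The function names and sample values are hypothetical, and signature verification against the JWKS is assumed to happen between the two checks.

```php
<?php
declare(strict_types=1);

// Added illustration, not the package's code. JWKS signature verification
// (firebase/php-jwt in the package) sits between the two checks; not shown.
const ALLOWED_ALGS = ['RS256', 'RS384', 'RS512', 'ES256', 'ES384'];

function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Header check: refuse any alg outside the allow-list before a key is chosen.
function allowedAlg(string $jwt): bool
{
    $raw = base64_decode(strtr(explode('.', $jwt)[0], '-_', '+/'), true);
    $header = json_decode((string) $raw, true);
    return is_array($header) && in_array($header['alg'] ?? null, ALLOWED_ALGS, true);
}

// Claim checks on a signature-verified payload: first failure, or null if all pass.
function claimError(array $c, string $iss, string $clientId, string $nonce, int $now, int $skew = 60): ?string
{
    $aud = (array) ($c['aud'] ?? []); // aud may be a single string or a list
    $claimNonce = $c['nonce'] ?? null;
    return match (true) {
        ($c['iss'] ?? null) !== $iss => 'iss mismatch',
        !in_array($clientId, $aud, true) => 'aud mismatch',
        !is_numeric($c['exp'] ?? null) || $now > $c['exp'] + $skew => 'expired',
        !is_numeric($c['iat'] ?? null) || $c['iat'] > $now + $skew => 'issued in the future',
        !is_string($claimNonce) || !hash_equals($nonce, $claimNonce) => 'nonce mismatch',
        default => null,
    };
}

// Constructed sample values; nothing here comes from a real IdP.
$now = 1_700_000_000;
$claims = ['iss' => 'https://idp.example', 'aud' => 'client-123',
           'exp' => $now + 300, 'iat' => $now - 5, 'nonce' => 'n-0S6_WzA2Mj'];
$token = fn (string $alg) => b64url(json_encode(['alg' => $alg, 'typ' => 'JWT']))
    . '.' . b64url(json_encode($claims)) . '.' . b64url('sig-placeholder');

foreach (['RS256', 'HS256', 'none'] as $alg) {
    echo $alg, ': ', allowedAlg($token($alg)) ? 'accepted' : 'rejected', PHP_EOL;
}
$check = fn (array $c) => claimError($c, 'https://idp.example', 'client-123', 'n-0S6_WzA2Mj', $now) ?? 'ok';
echo $check($claims), PHP_EOL;                            // unmodified claims
echo $check(['nonce' => 'replayed'] + $claims), PHP_EOL;  // nonce from another session
echo $check(['exp' => $now - 3600] + $claims), PHP_EOL;   // expired beyond the skew window
```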

Testing
-------


```
composer test
```

Changelog
---------


Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.

Contributing
------------


Pull requests are welcome. Please make sure tests, PHPStan and Pint all pass before opening a PR:

```
composer test
composer analyse
composer format
```

Security Vulnerabilities
------------------------


Please review [our security policy](../../security/policy) on how to report security vulnerabilities.

Credits
-------


- [Jefferson Gonçalves](https://github.com/jeffersongoncalves)
- [All Contributors](../../contributors)

License
-------


The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

