
mperusso/openid-connect-php
===========================

Bare-bones OpenID Connect client

Version v1.1.0 | License Apache-2.0 | PHP >=7.0

[Source](https://github.com/mperusso/OpenID-Connect-PHP) | [Packagist](https://packagist.org/packages/mperusso/openid-connect-php)

PHP OpenID Connect Basic Client
===============================

A simple library that allows an application to authenticate a user through the basic OpenID Connect flow. This library hopes to encourage OpenID Connect use by making it simple enough for a developer with little knowledge of the OpenID Connect protocol to set up authentication.

A special thanks goes to Justin Richer and Amanda Anganes for their help and support of the protocol.

Requirements
============

1. PHP 7.0 or greater
2. CURL extension
3. JSON extension

Install
-------

1. Install library using composer

```
composer require jumbojett/openid-connect-php
```

2. Include composer autoloader

```
require __DIR__ . '/vendor/autoload.php';
```

Example 1: Basic Client
-----------------------

```
use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com',
                                'ClientIDHere',
                                'ClientSecretHere');
$oidc->setCertPath('/path/to/my.cert');
$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');
```

[See openid spec for available user attributes](http://openid.net/specs/openid-connect-basic-1_0-15.html#id_res)

Example 2: Dynamic Registration
-------------------------------

```
use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient("https://id.provider.com");

$oidc->register();
$client_id = $oidc->getClientID();
$client_secret = $oidc->getClientSecret();

// Be sure to add logic to store the client id and client secret
```

Example 3: Network and Security
-------------------------------

```
// Configure a proxy
$oidc->setHttpProxy("http://my.proxy.com:80/");

// Configure a cert
$oidc->setCertPath("/path/to/my.cert");
```

Example 4: Request Client Credentials Token
-------------------------------------------

```
use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com',
                                'ClientIDHere',
                                'ClientSecretHere');
$oidc->providerConfigParam(['token_endpoint'=>'https://id.provider.com/connect/token']);
$oidc->addScope(['my_scope']);

// this assumes success (to validate check if the access_token property is there and a valid JWT) :
$clientCredentialsToken = $oidc->requestClientCredentialsToken()->access_token;
```

Example 5: Request Resource Owners Token (with client auth)
-----------------------------------------------------------

```
use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com',
                                'ClientIDHere',
                                'ClientSecretHere');
$oidc->providerConfigParam(['token_endpoint'=>'https://id.provider.com/connect/token']);
$oidc->addScope(['my_scope']);

//Add username and password
$oidc->addAuthParam(['username'=>'']);
$oidc->addAuthParam(['password'=>'']);

//Perform the auth and return the token (to validate check if the access_token property is there and a valid JWT) :
$token = $oidc->requestResourceOwnerToken(TRUE)->access_token;
```

Example 6: Basic client for implicit flow, e.g. with Azure AD B2C (see [http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth))
-----------------------------------------------------------------------

```
use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com',
                                'ClientIDHere',
                                'ClientSecretHere');
$oidc->setResponseTypes(['id_token']);
$oidc->setAllowImplicitFlow(true);
$oidc->addAuthParam(['response_mode' => 'form_post']);
$oidc->setCertPath('/path/to/my.cert');
$oidc->authenticate();
$sub = $oidc->getVerifiedClaims('sub');
```

Example 7: Introspection of an access token (see <https://tools.ietf.org/html/rfc7662>)
---------------------------------------------------------------------------------------

```
use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com',
                                'ClientIDHere',
                                'ClientSecretHere');
$data = $oidc->introspectToken('an.access-token.as.given');
if (!$data->active) {
    // the token is no longer usable
}
```

Example 8: PKCE Client
----------------------

```
use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com',
                                'ClientIDHere',
                                null);
$oidc->setCodeChallengeMethod('S256');
$oidc->authenticate();
$name = $oidc->requestUserInfo('given_name');
```

Example 9: Back-channel logout
------------------------------

Back-channel logout assumes you can end a session on the server side on behalf of the user (without relying on their browser). The request is a POST sent by the OP directly to your RP. With this library, your RP can therefore perform 'single sign out' for the user even if they did not have your RP open in a browser or on another device but still had an active session there.

Either the sid or the sub may be accessible from the logout token sent from the OP. You can use either `getSidFromBackChannel()` or `getSubjectFromBackChannel()` to retrieve them if it is helpful to match them to a session in order to destroy it.

The code below uses this library to validate the back-channel logout token; everything after the validation is just a hypothetical way of finding such a session and destroying it. Adjust it to the needs of your RP.

```
function handleLogout() {
    // NOTE: assumes that $this->oidc is an instance of OpenIDConnectClient()
    if ($this->oidc->verifyLogoutToken()) {
        $sid = $this->oidc->getSidFromBackChannel();

        if (isset($sid)) {
            // Somehow find the session based on the $sid and
            // destroy it. This depends on your RP's design,
            // there is nothing in the OIDC spec to mandate how.
            //
            // In this example, we find a Redis key, which was
            // previously stored using the sid we obtained from
            // the access token after login.
            //
            // The value of the Redis key is that of the user's
            // session ID specific to this hypothetical RP app.
            //
            // We then switch to that session and destroy it.
            $this->redis->connect('127.0.0.1', 6379);
            $session_id_to_destroy = $this->redis->get($sid);
            if ($session_id_to_destroy) {
                session_commit();
                session_id($session_id_to_destroy); // switches to that session
                session_start();
                $_SESSION = []; // effectively ends the session
            }
        }
    }
}
```

Example 10: Enable Token Endpoint Auth Methods
----------------------------------------------

By default, only `client_secret_basic` is enabled on the client side; for a long time it was the only supported method. Recently `client_secret_jwt` and `private_key_jwt` have been added, but they remain disabled until explicitly enabled.

```
use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com',
                                'ClientIDHere',
                                null);
# enable 'client_secret_basic' and 'client_secret_jwt'
$oidc->setTokenEndpointAuthMethodsSupported(['client_secret_basic', 'client_secret_jwt']);

# for 'private_key_jwt' in addition also the generator function has to be set.
$oidc->setTokenEndpointAuthMethodsSupported(['private_key_jwt']);
$oidc->setPrivateKeyJwtGenerator(function(string $token_endpoint) {
    # TODO: whatever is necessary
});
```
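
An added example, not part of the original README or the library's own code: one way to fill in the generator above with an RS256-signed client assertion carrying the claims that OpenID Connect Core defines for `private_key_jwt`. The helper names `b64url` and `buildClientAssertion`, the throwaway demo key, and the assumption that the generator must return the compact JWT string are ours.

```php
<?php
// Added example: RS256 client assertion for private_key_jwt.
// b64url(), buildClientAssertion() and the demo key are illustrative assumptions.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function buildClientAssertion(string $clientId, string $tokenEndpoint, string $privateKeyPem, int $ttl = 60): string
{
    $now = time();
    $header = ['alg' => 'RS256', 'typ' => 'JWT'];
    $claims = [
        'iss' => $clientId,                  // the client asserts its own identity
        'sub' => $clientId,
        'aud' => $tokenEndpoint,             // binds the assertion to this OP endpoint
        'jti' => bin2hex(random_bytes(16)),  // unique id so the OP can reject replays
        'iat' => $now,
        'exp' => $now + $ttl,                // short lifetime limits reuse if leaked
    ];
    $input = b64url(json_encode($header)) . '.' . b64url(json_encode($claims));
    if (!openssl_sign($input, $signature, $privateKeyPem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing the client assertion failed');
    }
    return $input . '.' . b64url($signature);
}

// Constructed throwaway key so the example runs offline; a real RP loads the
// private key whose public half is registered with the OP.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privateKeyPem);
$publicKeyPem = openssl_pkey_get_details($key)['key'];

// Assumption: the library calls the generator with the token endpoint URL and
// expects the compact JWT string back.
$generator = function (string $token_endpoint) use ($privateKeyPem) {
    return buildClientAssertion('ClientIDHere', $token_endpoint, $privateKeyPem);
};
// $oidc->setPrivateKeyJwtGenerator($generator);

// Self-check: verify the signature with the public key and show the claims.
list($h, $c, $s) = explode('.', $generator('https://id.provider.com/connect/token'));
$valid = openssl_verify("$h.$c", base64_decode(strtr($s, '-_', '+/')), $publicKeyPem, OPENSSL_ALGO_SHA256);
echo $valid === 1 ? "signature valid\n" : "signature INVALID\n";
echo base64_decode(strtr($c, '-_', '+/')), "\n";
```

Keep the private key outside the web root and out of version control; only the public key is shared with the OP.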

Development Environments
------------------------

In some cases you may need to disable SSL security on your development systems. Note: This is not recommended on production systems.

```
$oidc->setVerifyHost(false);
$oidc->setVerifyPeer(false);
```

Also, your local system might not support HTTPS, so you might disable upgrading to it:

```
$oidc->setHttpUpgradeInsecureRequests(false);
```

### Todo

- Dynamic registration does not support registration auth tokens and endpoints

Contributing
------------

- All pull requests, once merged, should be added to the CHANGELOG.md file.

