
phpway/one-auth-server
======================

Simple OAuth2 server implementation with limited functionality designed for Single Page Applications

Version 0.9.4 (1y ago), MIT license, PHP ^7.4 || ^8.0

[Source](https://github.com/phpway/OneAuth-Server) | [Packagist](https://packagist.org/packages/phpway/one-auth-server)

OneAuth Server
==============

OneAuth server is a very simple OAuth2 server implementation with limited functionality, specifically designed for authenticating single page applications (SPAs) according to the workflow described below, using reference tokens exclusively.

If you need a fully-featured OAuth2 server implementation, you can look up the official OAuth page.

Features
--------

At the moment, OneAuth server provides 3 controllers:

- **`AuthorizeController`** - handles requests for obtaining the `Authorization Code`, a one-time-use, short-lived random code that the SPA uses to obtain the `Access Token`.
- **`TokenController`** - handles requests for obtaining the `Access Token`.
- **`ResourceController`** - verifies API requests.

Request data required for each controller together with response details are described in the workflow below.

Since OneAuth server is designed for authenticating SPAs, all communication between OneAuth server and the client app is transparent to the user (either via URL search params, or via form data sent in POST requests), meaning there is no back channel for exchanging data between these two entities.

Thus, there is no `client secret` in the workflow, as the SPA has no mechanism to hide it. Instead, it uses PKCE protection, which requires the client app to send a hash of the `code verifier` (a random string) in the initial request for the authorization code, and then to send the code verifier in plain text when exchanging this authorization code for the access token.
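The PKCE exchange described above, together with the one-time, short-lived authorization code, as an added example that is not OneAuth Server's own code. It assumes the S256 method of RFC 7636 (the README only says "hash") and a 60-second code lifetime; `b64url`, `pkcePair` and `CodeStore` are hypothetical names.

```php
<?php
declare(strict_types=1);
// Added illustration; none of these names come from OneAuth Server.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Client side: random verifier, plus the S256 challenge sent with the first request.
function pkcePair(): array
{
    $verifier = b64url(random_bytes(32)); // 43 characters from the unreserved set
    return [$verifier, b64url(hash('sha256', $verifier, true))];
}

// Server side: in-memory stand-in for wherever issued codes are stored.
final class CodeStore
{
    private array $codes = [];

    public function issue(string $challenge, int $ttl = 60): string // ttl is an assumption
    {
        $code = b64url(random_bytes(32));
        $this->codes[$code] = ['challenge' => $challenge, 'expires' => time() + $ttl];
        return $code;
    }

    public function redeem(string $code, string $verifier): bool
    {
        $entry = $this->codes[$code] ?? null;
        unset($this->codes[$code]); // one-time use, consumed even when the check fails
        if ($entry === null || time() > $entry['expires']) {
            return false;
        }
        if (preg_match('/\A[A-Za-z0-9._~-]{43,128}\z/', $verifier) !== 1) {
            return false; // reject anything outside RFC 7636 verifier syntax
        }
        $expected = b64url(hash('sha256', $verifier, true));
        return hash_equals($entry['challenge'], $expected); // constant-time comparison
    }
}

[$verifier, $challenge] = pkcePair();
$store = new CodeStore();
$code = $store->issue($challenge);
var_dump($store->redeem($code, $verifier));     // matching verifier
var_dump($store->redeem($code, $verifier));     // same code replayed
$code = $store->issue($challenge);
var_dump($store->redeem($code, pkcePair()[0])); // verifier from a different client
```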

PSR-7 Request / Response
------------------------

OneAuth server uses [PSR-7](https://www.php-fig.org/psr/psr-7/) compatible request and response objects for handling requests to obtain authorization codes and/or access tokens. Thus, you will need to provide a PSR-7 implementation that best fits your application. Here are a few options you can choose from:

- [Slim-Psr7](https://github.com/slimphp/Slim-Psr7) - Slim Framework PSR-7 implementation
- [httpsoft/http-message](https://github.com/httpsoft/http-message) & [httpsoft/http-server-request](https://github.com/httpsoft/http-server-request) - Fast, strict and lightweight implementation

To send the response to the client, you will also need to implement a response emitter, or use an existing one (for example [ResponseEmitter.php](https://github.com/slimphp/Slim/blob/4.x/Slim/ResponseEmitter.php) from the Slim framework).

SPA Workflow
------------

[![SPA workflow diagram](/assets/OneAuth_workflow.png)](/assets/OneAuth_workflow.png)

TODOs
-----

- Add resource controller for protecting APIs
    - Recognize token in headers
    - Recognize token in GET
    - Recognize token in POST
- Implement revoking tokens
    - Individual token
    - All for given user
- Add functionality for refresh tokens

