pmg/assertion-grant
===================

An implementation of the assertion authorization grant flows from RFC 7521

v0.6.0 (3mo ago) · MIT · PHP ^8.4 · [1 issues](https://github.com/AgencyPMG/league-oauth2-server-assertion-grant/issues)

[Source](https://github.com/AgencyPMG/league-oauth2-server-assertion-grant) · [Packagist](https://packagist.org/packages/pmg/assertion-grant)

League OAuth2 Server Assertion Grant
====================================

This implements the `assertion` grants described in RFC 7521. The goal is to be flexible enough to support JWT (RFC 7523) or SAML (RFC 7522) assertions.

This was inspired by some needs that PMG's [Alli](https://www.pmg.com/alli) platform had, as well as some prior art from [Google](https://developers.google.com/identity/protocols/oauth2/service-account).

Client Authentication
---------------------

RFCs 7523 and 7522 are open-ended about this:

```
JWT authorization grants may be used with or without client
authentication or identification.  Whether or not client
authentication is needed in conjunction with a JWT authorization
grant, as well as the supported types of client authentication, are
policy decisions at the discretion of the authorization server.
However, if client credentials are present in the request, the
authorization server MUST validate them.

```

If the `client_id` is present in the request (in the `Authorization` header or request body), then the normal client validation methods are used. If the client is confidential, a client secret is required.

If `client_id` is not present, then the assertion issuer is treated as the OAuth client ID.

Scopes
------

`scope` may be sent in as a normal request parameter, but RFC 7521 has this to say:

```
The requested scope as described in Section 3.3 of
OAuth 2.0 [RFC6749].  When exchanging assertions for access
tokens, the authorization for the token has been previously
granted through some out-of-band mechanism.  As such, the
requested scope MUST be equal to or less than the scope originally
granted to the authorized accessor.  The authorization server MUST
limit the scope of the issued access token to be equal to or less
than the scope originally granted to the authorized accessor.

```

So the assertion has somehow been authorized out of band. The assertion backend returns an `Assertion` implementation that carries the allowed scopes.

If a caller tries to request scopes outside of the assertion's allowed scopes, an error will be returned.

Assertion Issuers
-----------------

Assertion issuers are treated as OAuth client identifiers.

Assertion Subjects
------------------

Assertion subjects are treated as user identifiers in this library. No accommodations are made for client credentials, as that would be better suited to the `client_credentials` grant with a `client_assertion` system.
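
The rules from the sections above (client resolution, scope limiting, and the issuer and subject mapping), shown as an added PHP sketch that is not the library's code or API. `ExampleAssertion`, `resolveGrant`, the `$validateClient` callback and all sample values are hypothetical; the sketch assumes header credentials were already merged into `$params`, and falling back to the assertion's allowed scopes when no `scope` is sent is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a validated assertion; NOT the library's Assertion interface.
final class ExampleAssertion
{
    /** @param list<string> $allowedScopes scopes granted out of band */
    public function __construct(
        public readonly string $issuer,
        public readonly string $subject,
        public readonly array $allowedScopes,
    ) {}
}

/** @return array{client_id: string, user_id: string, scopes: list<string>} */
function resolveGrant(array $params, ExampleAssertion $assertion, callable $validateClient): array
{
    $clientId = $params['client_id'] ?? null;
    if ($clientId !== null) {
        // Client credentials were sent, so they must be validated.
        if (!$validateClient($clientId, $params['client_secret'] ?? null)) {
            throw new RuntimeException('invalid_client');
        }
    } else {
        // No client_id: the assertion issuer acts as the OAuth client ID.
        $clientId = $assertion->issuer;
    }

    $requested = preg_split('/ +/', $params['scope'] ?? '', -1, PREG_SPLIT_NO_EMPTY);
    $excess = array_diff($requested, $assertion->allowedScopes);
    if ($excess !== []) {
        throw new RuntimeException('invalid_scope: ' . implode(' ', $excess));
    }
    // Assumption: with no scope parameter, use everything the assertion allows.
    $scopes = $requested === [] ? $assertion->allowedScopes : $requested;

    return ['client_id' => $clientId, 'user_id' => $assertion->subject, 'scopes' => $scopes];
}

// Constructed sample data.
$assertion = new ExampleAssertion('https://issuer.example', 'user-123', ['reports.read', 'reports.write']);
$validate = fn (string $id, ?string $secret): bool =>
    $id === 'confidential-app' && hash_equals('constructed-secret', (string) $secret);

print_r(resolveGrant(['scope' => 'reports.read'], $assertion, $validate));
try {
    resolveGrant(['scope' => 'reports.read admin'], $assertion, $validate);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```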

