


pmg/assertion-grant
===================

An implementation of the assertion authorization grant flows from RFC 7521

v0.6.0 (2mo ago) · 0 · 4.5k · [1 issue](https://github.com/AgencyPMG/league-oauth2-server-assertion-grant/issues) · MIT · PHP ^8.4 · CI passing

Since Nov 17 · Pushed 2mo ago · 13 watchers

[Source](https://github.com/AgencyPMG/league-oauth2-server-assertion-grant) · [Packagist](https://packagist.org/packages/pmg/assertion-grant) · [RSS](/packages/pmg-assertion-grant/feed) · branch main · Synced 1mo ago


League OAuth2 Server Assertion Grant
====================================


This implements the `assertion` grants described in RFC 7521. The goal is to be flexible enough to support JWT (RFC 7523) or SAML (RFC 7522) assertions.

This was inspired by some needs that PMG's [Alli](https://www.pmg.com/alli) platform had, as well as some prior art [from Google](https://developers.google.com/identity/protocols/oauth2/service-account).

Client Authentication
---------------------


RFCs 7523 and 7522 are open-ended about this:

```
JWT authorization grants may be used with or without client
authentication or identification.  Whether or not client
authentication is needed in conjunction with a JWT authorization
grant, as well as the supported types of client authentication, are
policy decisions at the discretion of the authorization server.
However, if client credentials are present in the request, the
authorization server MUST validate them.

```

If the `client_id` is present in the request (in the `Authorization` header or the request body), then the normal client validation methods are used. If the client is confidential, a client secret is required.

If `client_id` is not present, then the assertion issuer is treated as the OAuth client ID.

Scopes
------


`scope` may be sent in as a normal request parameter, but RFC 7521 has this to say:

```
The requested scope as described in Section 3.3 of
OAuth 2.0 [RFC6749].  When exchanging assertions for access
tokens, the authorization for the token has been previously
granted through some out-of-band mechanism.  As such, the
requested scope MUST be equal to or less than the scope originally
granted to the authorized accessor.  The authorization server MUST
limit the scope of the issued access token to be equal to or less
than the scope originally granted to the authorized accessor.

```

So the assertion's authorization is established out of band. The assertion backend returns an `Assertion` implementation that carries the scopes it is allowed to request.

If a caller tries to request scopes outside of the assertion's allowed scopes, an error will be returned.

Assertion Issuers
-----------------


Assertion issuers are treated as OAuth client identifiers.

Assertion Subjects
------------------


Assertion subjects are treated as user identifiers in this library. No accommodations are made for client credentials, as that use case is better suited to the `client_credentials` grant with a `client_assertion` system.
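The rules in the sections above (explicit `client_id` or fall back to the issuer, subject becomes the user identifier, requested scopes must be a subset of the scopes granted out of band) can be modelled in a few lines. The following is an added illustration, not code from pmg/assertion-grant: the `Assertion` interface, its method names and the `buildGrantContext` function are assumptions made for the example, and the sample assertion values are constructed.

```php
<?php
declare(strict_types=1);

// Added example: a hypothetical model of the assertion grant rules.
// Not the pmg/assertion-grant API; interface and function names are assumed.

interface Assertion
{
    /** Issuer of the assertion; treated as the OAuth client ID when no client_id is sent. */
    public function getIssuer(): string;

    /** Subject of the assertion; treated as the user identifier. */
    public function getSubject(): string;

    /** @return list<string> Scopes granted to this assertion out of band. */
    public function getAllowedScopes(): array;
}

final class StaticAssertion implements Assertion
{
    /** @param list<string> $allowedScopes */
    public function __construct(
        private readonly string $issuer,
        private readonly string $subject,
        private readonly array $allowedScopes,
    ) {
    }

    public function getIssuer(): string { return $this->issuer; }
    public function getSubject(): string { return $this->subject; }
    public function getAllowedScopes(): array { return $this->allowedScopes; }
}

final class ScopeNotAllowed extends RuntimeException
{
}

/**
 * Resolve the client identifier for the grant. An explicit client_id from the
 * request (body or Authorization header) takes precedence and would go through
 * normal client validation; otherwise the assertion issuer is the client ID.
 */
function resolveClientId(?string $requestClientId, Assertion $assertion): string
{
    if ($requestClientId !== null && trim($requestClientId) !== '') {
        return trim($requestClientId);
    }

    return $assertion->getIssuer();
}

/**
 * Narrow the requested scope to what the assertion was granted out of band
 * (RFC 7521 section 4.1). No scope parameter means "everything granted";
 * any requested scope outside the allowed set is rejected.
 *
 * @return list<string>
 */
function resolveScopes(?string $requestedScope, Assertion $assertion): array
{
    $allowed = $assertion->getAllowedScopes();
    if ($requestedScope === null || trim($requestedScope) === '') {
        return $allowed;
    }

    $requested = array_values(array_unique(preg_split('/\s+/', trim($requestedScope))));
    $disallowed = array_values(array_diff($requested, $allowed));
    if ($disallowed !== []) {
        throw new ScopeNotAllowed(
            'Requested scope(s) not granted to this assertion: ' . implode(', ', $disallowed)
        );
    }

    return $requested;
}

/**
 * Combine the rules into the values an access token would be issued with.
 *
 * @return array{client_id: string, user_id: string, scopes: list<string>}
 */
function buildGrantContext(?string $requestClientId, ?string $requestedScope, Assertion $assertion): array
{
    return [
        'client_id' => resolveClientId($requestClientId, $assertion),
        'user_id'   => $assertion->getSubject(),
        'scopes'    => resolveScopes($requestedScope, $assertion),
    ];
}

// Constructed sample: a service-account style assertion granted two read scopes.
$assertion = new StaticAssertion('svc-account-example', 'user-42', ['reports:read', 'campaigns:read']);

// No client_id in the request: the issuer is used as the client ID.
print_r(buildGrantContext(null, 'reports:read', $assertion));

// Explicit client_id and no scope: the full out-of-band grant is used.
print_r(buildGrantContext('confidential-app', null, $assertion));

// A write scope was never granted to this assertion, so the request is refused.
try {
    buildGrantContext(null, 'reports:read campaigns:write', $assertion);
} catch (ScopeNotAllowed $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The scope check deliberately fails closed: it compares the requested set against the granted set rather than the other way round, so an unknown or misspelled scope is an error instead of being silently dropped, which matches the "MUST limit the scope" language quoted above.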

### Health Score

48 (Fair; better than 95% of packages)

- Maintenance: 88 (actively maintained with recent releases)
- Popularity: 22 (limited adoption so far)
- Community: 12 (small or concentrated contributor base)
- Maturity: 59 (maturing project, gaining track record)
- Bus factor: 1 (top contributor holds 54.3% of commits, a single point of failure)


### Release Activity

- Cadence: every ~243 days
- Total releases: 6
- Last release: 61d ago
- PHP version history (2 changes): v0.3.0 PHP ^8.3; v0.6.0 PHP ^8.4

### Community

Maintainers: [chrisguitarguy](/maintainers/chrisguitarguy)

Top contributors: [chrisguitarguy](https://github.com/chrisguitarguy) (19 commits), [jrughani9](https://github.com/jrughani9) (16 commits)

### Code Quality

- Tests: PHPUnit
- Static analysis: PHPStan
- Code style: PHP CS Fixer
- Type coverage: yes


### Alternatives

- [tymon/jwt-auth](/packages/tymon-jwt-auth): JSON Web Token Authentication for Laravel and Lumen (11.5k · 49.1M · 350)
- [php-open-source-saver/jwt-auth](/packages/php-open-source-saver-jwt-auth): JSON Web Token Authentication for Laravel and Lumen (835 · 9.8M · 53)
- [steverhoades/oauth2-openid-connect-server](/packages/steverhoades-oauth2-openid-connect-server): An OpenID Connect Server that sits on The PHP League's OAuth2 Server (209 · 7.8M · 12)
- [scheb/2fa](/packages/scheb-2fa): Two-factor authentication for Symfony applications (please use scheb/2fa-bundle to install) (578 · 630.7k · 1)
- [jeremy379/laravel-openid-connect](/packages/jeremy379-laravel-openid-connect): OpenID Connect support for The PHP League's OAuth2 Server. Compatible with Laravel Passport. (553 · 42.3k · 2)
- [patrickbussmann/oauth2-apple](/packages/patrickbussmann-oauth2-apple): Sign in with Apple OAuth 2.0 Client Provider for The PHP League OAuth2-Client (113 · 2.5M · 6)

PHPackages © 2026

