PHPackages                             private-packagist/oidc-identities - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. private-packagist/oidc-identities

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

private-packagist/oidc-identities
=================================

Create OIDC tokens on different platforms

1.0.1(11mo ago)014.8k↓44.5%1MITPHPPHP ^7.2.5 || ^8.0CI passing

Since Jul 22Pushed 3w agoCompare

[ Source](https://github.com/packagist/oidc-identities)[ Packagist](https://packagist.org/packages/private-packagist/oidc-identities)[ RSS](/packages/private-packagist-oidc-identities/feed)WikiDiscussions main Synced 2d ago

READMEChangelog (2)Dependencies (13)Versions (6)Used By (1)

private-packagist/oidc-identities
=================================

[](#private-packagistoidc-identities)

A PHP library that obtains [OpenID Connect (OIDC)](https://openid.net/connect/)ID tokens from the CI/CD platform it is running on.

Modern CI/CD platforms can issue short-lived, signed OIDC tokens that prove the identity of the running workflow (which repository, which workflow, which branch, etc.). These tokens can be exchanged for credentials with a service that trusts the platform's OIDC provider — removing the need to store long-lived secrets in your CI configuration. This library handles the platform-specific work of detecting the environment and requesting such a token, then hands you back the parsed result.

Requirements
------------

[](#requirements)

PHP &gt;= 7.2.5

The library relies on [HTTPlug](https://httplug.io/) / PSR-18 discovery, so you also need a PSR-18 HTTP client and PSR-17 factories available in your project (for example `symfony/http-client` and `nyholm/psr7`).

Install
-------

[](#install)

Via Composer:

```
$ composer require private-packagist/oidc-identities
```

Supported platforms
-------------------

[](#supported-platforms)

PlatformDetected viaGitHub Actions`GITHUB_ACTIONS` env varThe `TokenGenerator` tries each supported platform in turn and uses the first one that reports it is the current environment. When none of them match — for example when running locally — `generate()` returns `null`.

What is the `TokenGenerator`?
-----------------------------

[](#what-is-the-tokengenerator)

`TokenGenerator` is the main entry point of the library. You give it an `$audience`(the identifier of the service that will consume the token, e.g. Private Packagist), and it:

1. Detects which supported platform the code is currently running on.
2. Performs the platform-specific request to mint an OIDC ID token for that audience.
3. Returns a `Token` value object containing the raw JWT together with its decoded `header`, `payload` and `signature` parts.

You would use it whenever your code runs inside a CI/CD pipeline and needs to prove its identity to an external service via OIDC, instead of relying on a stored secret. Because it abstracts away the per-platform details, the same call works on any supported platform without branching in your own code.

Usage
-----

[](#usage)

Initiate a `TokenGenerator` instance and call the `generate` method with `$audience`. The `TokenGenerator` will automatically try all supported platforms and return a `Token` for the first matching one, or `null` if the current environment is not supported.

```
use Http\Client\Common\HttpMethodsClient;
use Http\Discovery\Psr17FactoryDiscovery;
use Http\Discovery\Psr18ClientDiscovery;
use PrivatePackagist\OIDC\Identities\TokenGenerator;
use Psr\Log\NullLogger;

// Configure a HttpMethodsClient instance
$oidcHttpClient = new HttpMethodsClient(
    Psr18ClientDiscovery::find(),
    Psr17FactoryDiscovery::findRequestFactory(),
    Psr17FactoryDiscovery::findStreamFactory(),
);

$tokenGenerator = new TokenGenerator(new NullLogger(), $oidcHttpClient);
$token = $tokenGenerator->generate($audience);

if ($token === null) {
    // Not running on a supported platform, or no OIDC token available.
    return;
}

// $token->token     — the raw JWT string
// $token->header    — decoded header
// $token->payload   — decoded payload
// $token->signature — the signature part
```

The constructor also accepts any PSR-3 `LoggerInterface`; pass a real logger instead of `NullLogger` to get debug output about platform detection and the token request.

Copyright and License
---------------------

[](#copyright-and-license)

The library is licensed under the MIT License.

###  Health Score

43

—

FairBetter than 89% of packages

Maintenance76

Regular maintenance activity

Popularity26

Limited adoption so far

Community15

Small or concentrated contributor base

Maturity45

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 60% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~9 days

Total

2

Last Release

338d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/2969e5fd81aa79b482a247226409a0b55ed82c4587d40264633425b6b4a22a21?d=identicon)[glaubinix](/maintainers/glaubinix)

---

Top Contributors

[![glaubinix](https://avatars.githubusercontent.com/u/442056?v=4)](https://github.com/glaubinix "glaubinix (6 commits)")[![pscheit](https://avatars.githubusercontent.com/u/488189?v=4)](https://github.com/pscheit "pscheit (3 commits)")[![stevenrombauts](https://avatars.githubusercontent.com/u/77368?v=4)](https://github.com/stevenrombauts "stevenrombauts (1 commits)")

---

Tags

OpenID Connectoidcidentities

###  Code Quality

TestsPHPUnit

Static AnalysisPHPStan

Code StylePHP CS Fixer

Type Coverage Yes

### Embed Badge

![Health badge](/badges/private-packagist-oidc-identities/health.svg)

```
[![Health](https://phpackages.com/badges/private-packagist-oidc-identities/health.svg)](https://phpackages.com/packages/private-packagist-oidc-identities)
```

###  Alternatives

[matomo/matomo

Matomo is the leading Free/Libre open analytics platform

21.7k38.9k](/packages/matomo-matomo)[drenso/symfony-oidc-bundle

OpenID connect bundle for Symfony

95753.5k3](/packages/drenso-symfony-oidc-bundle)[web-auth/webauthn-lib

FIDO2/Webauthn Support For PHP

12310.5M135](/packages/web-auth-webauthn-lib)[web-auth/webauthn-framework

FIDO2/Webauthn library for PHP and Symfony Bundle.

515100.5k3](/packages/web-auth-webauthn-framework)[simplesamlphp/simplesamlphp-module-oidc

A SimpleSAMLphp module adding support for the OpenID Connect protocol

5018.2k1](/packages/simplesamlphp-simplesamlphp-module-oidc)[ekapusta/oauth2-esia

Allows to authenticate in ESIA and get authenticated individual personal information.

74195.7k1](/packages/ekapusta-oauth2-esia)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
