simonweissdivae/php-openid-client
=================================

OpenID (OIDC) Client

0.3.0 (3y ago) · 0 · 7.8k · MIT · PHP · PHP ^7.4 || ^8.0

Since Apr 16 · Pushed 3y ago

[Source](https://github.com/simonweissdivae/php-openid-client) · [Packagist](https://packagist.org/packages/simonweissdivae/php-openid-client)

php-openid-client
=================

Full OpenID client implementation.

Most of the library code is based on the awesome [`node-openid-client`](https://github.com/panva/node-openid-client).

**The PHP extension `gmp` may be required.**

Implemented specs and features
------------------------------

- [OAuth 2.0 RFC 6749](https://tools.ietf.org/html/rfc6749) & [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
    - Authorization (Authorization Code Flow, Implicit Flow, Hybrid Flow)
    - UserInfo Endpoint and ID Tokens including Signing and Encryption (using the [JWT Framework](https://github.com/web-token/jwt-framework) library)
    - Passing a Request Object by Value or Reference including Signing and Encryption
    - Offline Access / Refresh Token Grant
    - Client Credentials Grant
    - Client Authentication incl. `client_secret_jwt` and `private_key_jwt` methods
- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
- [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) and [RFC7591 OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)
- [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
- [RFC7009 - OAuth 2.0 Token Revocation](https://tools.ietf.org/html/rfc7009)
- [RFC7662 - OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
- [RFC7592 - OAuth 2.0 Dynamic Client Registration Management Protocol](https://tools.ietf.org/html/rfc7592)

### Support for the following draft specifications

- [JWT Response for OAuth Token Introspection - draft 03](https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-03)
- [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - draft 02](https://openid.net/specs/openid-financial-api-jarm-wd-02.html)
- [OAuth 2.0 JWT Secured Authorization Request (JAR)](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19)
- [OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS) - draft 15](https://tools.ietf.org/html/draft-ietf-oauth-mtls-15)

Installation
------------

Requirements:

- `psr/http-client-implementation` implementation
- `psr/http-factory-implementation` implementation
- `psr/http-message-implementation` implementation

```
composer require facile-it/php-openid-client
```

`RSA` signing algorithms are already included from the JWT Framework package. If you need other algorithms, you should install them manually.

Basic Usage
-----------

For basic usage you shouldn't need any other dependency package.

Every builder has methods to customize instances with other dependencies.

```
use Facile\OpenIDClient\Client\ClientBuilder;
use Facile\OpenIDClient\Issuer\IssuerBuilder;
use Facile\OpenIDClient\Client\Metadata\ClientMetadata;
use Facile\OpenIDClient\Service\Builder\AuthorizationServiceBuilder;
use Facile\OpenIDClient\Service\Builder\UserInfoServiceBuilder;
use Psr\Http\Message\ServerRequestInterface;

$issuer = (new IssuerBuilder())
    ->build('https://example.com/.well-known/openid-configuration');
$clientMetadata = ClientMetadata::fromArray([
    'client_id' => 'client-id',
    'client_secret' => 'my-client-secret',
    'token_endpoint_auth_method' => 'client_secret_basic', // the auth method for the token endpoint
    'redirect_uris' => [
        'https://my-rp.com/callback',
    ],
]);
$client = (new ClientBuilder())
    ->setIssuer($issuer)
    ->setClientMetadata($clientMetadata)
    ->build();

// Authorization

$authorizationService = (new AuthorizationServiceBuilder())->build();
$redirectAuthorizationUri = $authorizationService->getAuthorizationUri(
    $client,
    ['login_hint' => 'user_username'] // custom params
);
// you can use this uri to redirect the user

// Get access token

/** @var ServerRequestInterface $serverRequest */
$serverRequest = null; // get your server request
$callbackParams = $authorizationService->getCallbackParams($serverRequest, $client);
$tokenSet = $authorizationService->callback($client, $callbackParams);

$idToken = $tokenSet->getIdToken(); // Unencrypted id_token
$accessToken = $tokenSet->getAccessToken(); // Access token
$refreshToken = $tokenSet->getRefreshToken(); // Refresh token

// check if we have an authenticated user
if ($idToken) {
    $claims = $tokenSet->claims(); // IdToken claims
} else {
    throw new \RuntimeException('Unauthorized');
}

// Refresh token
$tokenSet = $authorizationService->refresh($client, $tokenSet->getRefreshToken());

// Get user info
$userInfoService = (new UserInfoServiceBuilder())->build();
$userInfo = $userInfoService->getUserInfo($client, $tokenSet);
```

Client registration
-------------------

See [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) and [RFC7591 OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591).

```
use Facile\OpenIDClient\Service\Builder\RegistrationServiceBuilder;

$registration = (new RegistrationServiceBuilder())->build();

// registration
$metadata = $registration->register(
    $issuer,
    [
        'client_name' => 'My client name',
        'redirect_uris' => ['https://my-rp.com/callback'],
    ],
    'my-initial-token'
);

// read
$metadata = $registration->read($metadata['registration_client_uri'], $metadata['registration_access_token']);

// update
$metadata = $registration->update(
    $metadata['registration_client_uri'],
    $metadata['registration_access_token'],
    array_merge($metadata, [
        // new metadata
    ])
);

// delete
$registration->delete($metadata['registration_client_uri'], $metadata['registration_access_token']);
```

Token Introspection
-------------------

See [RFC7662 - OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662).

```
use Facile\OpenIDClient\Service\Builder\IntrospectionServiceBuilder;

$service = (new IntrospectionServiceBuilder())->build();

$params = $service->introspect($client, $token);
```
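A relying party still has to decide what to do with the introspection result. The following is an added example, not code from the library: `introspectionRejectReason()` is a hypothetical helper, and it assumes `$params` is the decoded RFC 7662 response as an array. The sample responses are constructed.

```php
<?php
// Added example, not part of the library. Assumes $params is the decoded
// RFC 7662 introspection response as an associative array.

/**
 * Returns null when the token may be used, otherwise the reason it is rejected.
 */
function introspectionRejectReason(
    array $params,
    string $expectedAudience,
    array $requiredScopes,
    int $now,
    int $leeway = 30
): ?string {
    // RFC 7662: "active" is the only required member; accept boolean true only.
    if (($params['active'] ?? false) !== true) {
        return 'inactive';
    }
    // Re-check the time window locally in case the response was cached.
    if (isset($params['exp']) && (int) $params['exp'] + $leeway <= $now) {
        return 'expired';
    }
    if (isset($params['nbf']) && (int) $params['nbf'] - $leeway > $now) {
        return 'not yet valid';
    }
    // "aud" may be a string or a list. Requiring it is a policy choice of this example.
    $audiences = (array) ($params['aud'] ?? []);
    if (!in_array($expectedAudience, $audiences, true)) {
        return 'wrong audience';
    }
    // "scope" is a space-separated string.
    $granted = preg_split('/ +/', (string) ($params['scope'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    $missing = array_diff($requiredScopes, $granted);
    if ($missing !== []) {
        return 'missing scope: ' . implode(' ', $missing);
    }
    return null;
}

// Constructed sample responses, evaluated at a fixed clock value.
$now = 1700000000;
$samples = [
    'valid'       => ['active' => true, 'exp' => $now + 600, 'aud' => 'https://my-rp.com', 'scope' => 'openid orders:read'],
    'string true' => ['active' => 'true', 'exp' => $now + 600, 'aud' => 'https://my-rp.com', 'scope' => 'openid orders:read'],
    'stale cache' => ['active' => true, 'exp' => $now - 300, 'aud' => 'https://my-rp.com', 'scope' => 'openid orders:read'],
    'other rp'    => ['active' => true, 'exp' => $now + 600, 'aud' => ['https://other-rp.example'], 'scope' => 'openid orders:read'],
    'no scope'    => ['active' => true, 'exp' => $now + 600, 'aud' => 'https://my-rp.com', 'scope' => 'openid'],
];
foreach ($samples as $label => $params) {
    $reason = introspectionRejectReason($params, 'https://my-rp.com', ['orders:read'], $now);
    echo str_pad($label, 12), ' => ', $reason ?? 'accepted', PHP_EOL;
}
```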

Token Revocation
----------------

See [RFC7009 - OAuth 2.0 Token Revocation](https://tools.ietf.org/html/rfc7009).

```
use Facile\OpenIDClient\Service\Builder\RevocationServiceBuilder;

$service = (new RevocationServiceBuilder())->build();

$params = $service->revoke($client, $token);
```

Request Object
--------------

You can create a [request object](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) authorization request with the `Facile\OpenIDClient\RequestObject\RequestObjectFactory` class.

This will create a signed (and optionally encrypted) JWT token based on your client metadata.

```
use Facile\OpenIDClient\RequestObject\RequestObjectFactory;

$factory = new RequestObjectFactory();
$requestObject = $factory->create($client, [/* custom claims to include in the JWT*/]);
```

Then you can use it to create the AuthRequest:

```
use Facile\OpenIDClient\Authorization\AuthRequest;

$authRequest = AuthRequest::fromParams([
    'client_id' => $client->getMetadata()->getClientId(),
    'redirect_uri' => $client->getMetadata()->getRedirectUris()[0],
    'request' => $requestObject,
]);
```

Aggregated and Distributed Claims
---------------------------------

The library can handle [aggregated and distributed claims](https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims):

```
use Facile\OpenIDClient\Claims\AggregateParser;
use Facile\OpenIDClient\Claims\DistributedParser;

$aggregatedParser = new AggregateParser();

$claims = $aggregatedParser->unpack($client, $userInfo);

$distributedParser = new DistributedParser();
$claims = $distributedParser->fetch($client, $userInfo);
```

Using middlewares
-----------------

There are some middlewares and handlers available:

### SessionCookieMiddleware

This middleware should always be at the top of the middleware chain to provide a session for the `state` and `nonce` parameters.

To use it you should install the `dflydev/fig-cookies` package:

```
$ composer require "dflydev/fig-cookies:^2.0"
```

```
use Facile\OpenIDClient\Middleware\SessionCookieMiddleware;
use Psr\SimpleCache\CacheInterface;

// Use your PSR-16 simple-cache implementation to persist sessions
/** @var CacheInterface $cache */
$middleware = new SessionCookieMiddleware($cache/* , $cookieName = "openid", $ttl = 300 */);
```

The middleware provides a `Facile\OpenIDClient\Session\AuthSessionInterface` attribute holding a stateful `Facile\OpenIDClient\Session\AuthSessionInterface` instance used to persist session data.

#### Using another session storage

If you have another session storage, you can handle it and provide a `Facile\OpenIDClient\Session\AuthSessionInterface` instance in the `Facile\OpenIDClient\Session\AuthSessionInterface` attribute.

### ClientProviderMiddleware

This middleware should always be at the top of the middleware chain to provide the client to the other middlewares.

```
use Facile\OpenIDClient\Middleware\ClientProviderMiddleware;

$client = $container->get('openid.clients.default');
$middleware = new ClientProviderMiddleware($client);
```

### AuthRequestProviderMiddleware

This middleware provides the auth request to use with the `AuthRedirectHandler`.

```
use Facile\OpenIDClient\Middleware\AuthRequestProviderMiddleware;
use Facile\OpenIDClient\Authorization\AuthRequest;

$authRequest = AuthRequest::fromParams([
    'scope' => 'openid',
    // other params...
]);
$middleware = new AuthRequestProviderMiddleware($authRequest);
```

### AuthRedirectHandler

This handler will redirect the user to the OpenID authorization page.

```
use Facile\OpenIDClient\Middleware\AuthRedirectHandler;
use Facile\OpenIDClient\Service\AuthorizationService;

/** @var AuthorizationService $authorizationService */
$authorizationService = $container->get(AuthorizationService::class);
$middleware = new AuthRedirectHandler($authorizationService);
```

### CallbackMiddleware

This middleware will handle the callback from the OpenID provider.

It will provide a `Facile\OpenIDClient\Token\TokenSetInterface` attribute with the final TokenSet object.

```
use Facile\OpenIDClient\Middleware\CallbackMiddleware;
use Facile\OpenIDClient\Service\AuthorizationService;

/** @var AuthorizationService $authorizationService */
$authorizationService = $container->get(AuthorizationService::class);
$middleware = new CallbackMiddleware($authorizationService);
```

### UserInfoMiddleware

This middleware will fetch user data from the userinfo endpoint and will provide a `Facile\OpenIDClient\Middleware\UserInfoMiddleware` attribute containing the user info as an array.

```
use Facile\OpenIDClient\Middleware\UserInfoMiddleware;
use Facile\OpenIDClient\Service\UserInfoService;

/** @var UserInfoService $userInfoService */
$userInfoService = $container->get(UserInfoService::class);
$middleware = new UserInfoMiddleware($userInfoService);
```
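The ordering described in the sections above, put together for a login route and a callback route. This is an added example, not code from the library: `Pipeline`, `loginHandler()` and `callbackHandler()` are hypothetical names. It assumes the middlewares implement the PSR-15 `MiddlewareInterface`, that `AuthRedirectHandler` implements `RequestHandlerInterface`, and that `UserInfoMiddleware` must run after `CallbackMiddleware`.

```php
<?php
// Added example, not from the library: Pipeline and the two factory functions are hypothetical.
use Facile\OpenIDClient\Authorization\AuthRequest;
use Facile\OpenIDClient\Middleware\{AuthRedirectHandler, AuthRequestProviderMiddleware,
    CallbackMiddleware, ClientProviderMiddleware, SessionCookieMiddleware, UserInfoMiddleware};
use Facile\OpenIDClient\Service\{AuthorizationService, UserInfoService};
use Psr\Http\Message\{ResponseInterface, ServerRequestInterface};
use Psr\Http\Server\{MiddlewareInterface, RequestHandlerInterface};
use Psr\SimpleCache\CacheInterface;

/** Minimal PSR-15 dispatcher: runs the middlewares in array order, then the final handler. */
final class Pipeline implements RequestHandlerInterface
{
    private array $middlewares;
    private RequestHandlerInterface $final;

    public function __construct(array $middlewares, RequestHandlerInterface $final)
    {
        $this->middlewares = array_values($middlewares);
        $this->final = $final;
    }

    public function handle(ServerRequestInterface $request): ResponseInterface
    {
        if ($this->middlewares === []) {
            return $this->final->handle($request);
        }
        $next = new self(array_slice($this->middlewares, 1), $this->final);
        return $this->middlewares[0]->process($request, $next);
    }
}

/** Login route: session and client first, then the auth request, then the redirect. */
function loginHandler(CacheInterface $cache, $client, AuthorizationService $auth): RequestHandlerInterface
{
    return new Pipeline([
        new SessionCookieMiddleware($cache),   // session that holds state and nonce
        new ClientProviderMiddleware($client),
        new AuthRequestProviderMiddleware(AuthRequest::fromParams(['scope' => 'openid'])),
    ], new AuthRedirectHandler($auth));
}

/** Callback route: same cache and cookie, so the session created at login is found again. */
function callbackHandler(CacheInterface $cache, $client, AuthorizationService $auth,
    UserInfoService $userInfo, RequestHandlerInterface $app): RequestHandlerInterface
{
    return new Pipeline([
        new SessionCookieMiddleware($cache),
        new ClientProviderMiddleware($client),
        new CallbackMiddleware($auth),         // sets the TokenSetInterface attribute
        new UserInfoMiddleware($userInfo),     // assumed to need the token set from the step above
    ], $app);                                  // $app reads the request attributes set above
}
```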

Performance improvements for production environment
---------------------------------------------------

It's important to use a cache to avoid fetching the issuer configuration and keys on every request.

```
use Psr\SimpleCache\CacheInterface;
use Facile\OpenIDClient\Issuer\IssuerBuilder;
use Facile\OpenIDClient\Issuer\Metadata\Provider\MetadataProviderBuilder;
use Facile\JoseVerifier\JWK\JwksProviderBuilder;

/** @var CacheInterface $cache */
$cache = $container->get(CacheInterface::class); // get your simple-cache implementation

$metadataProviderBuilder = (new MetadataProviderBuilder())
    ->setCache($cache)
    ->setCacheTtl(86400*30); // Cache metadata for 30 days
$jwksProviderBuilder = (new JwksProviderBuilder())
    ->setCache($cache)
    ->setCacheTtl(86400); // Cache JWKS for 1 day
$issuerBuilder = (new IssuerBuilder())
    ->setMetadataProviderBuilder($metadataProviderBuilder)
    ->setJwksProviderBuilder($jwksProviderBuilder);

$issuer = $issuerBuilder->build('https://example.com/.well-known/openid-configuration');
```

Using Psalm
-----------

If you need to use Psalm you can include the plugin in your `psalm.xml`.

```

```

###  Health Score

29 (Low): better than 59% of packages

- Maintenance: 20. Infrequent updates, may be unmaintained
- Popularity: 18. Limited adoption so far
- Community: 9. Small or concentrated contributor base
- Maturity: 59. Maturing project, gaining track record
- Bus Factor: 1. Top contributor holds 70.9% of commits (single point of failure)

###  Release Activity

- Cadence: every ~68 days
- Total: 14
- Last release: 1326d ago

PHP version history (3 changes):

- 0.1.0: PHP ^7.2
- 0.2.0-beta2: PHP ^7.2 || ^8.0
- 0.3.0: PHP ^7.4 || ^8.0

### Community

Maintainers: [simon.weiss](/maintainers/simon.weiss)

Top Contributors: [thomasvargiu](https://github.com/thomasvargiu) (39 commits), [drupol](https://github.com/drupol) (10 commits), [simonweissdivae](https://github.com/simonweissdivae) (6 commits)

Tags: Authentication, token, identity, oauth2, OpenId, OpenID Connect, oidc

###  Code Quality

- Tests: PHPUnit
- Static Analysis: Psalm
- Code Style: PHP CS Fixer
- Type Coverage: Yes
