taproot/indieauth
=================

PHP PSR-7-compliant IndieAuth Server and Client implementation.

Version v0.3.1 · MIT · PHP >= 7.3.0 · [Source](https://github.com/Taproot/indieauth) · [Packagist](https://packagist.org/packages/taproot/indieauth)

taproot/indieauth is a PSR-7-compatible IndieAuth server library. It allows you to quickly and easily turn your existing website into an IndieAuth Identity Provider, enabling you to log into websites using your domain, and to grant granular access to your website to external apps (e.g. to allow external apps to post to your site via micropub). It comes with sane defaults, but can be extensively customised.

Quick Links
-----------

- [IndieAuth Living Standard](https://indieauth.spec.indieweb.org/)
- [API Documentation](https://taproot.github.io/indieauth/namespaces/taproot-indieauth.html)
- [Code Coverage](https://taproot.github.io/indieauth/coverage/)
- [Support Chatroom](https://chat.indieweb.org/dev/) (ping `barnaby` or ask one of the other friendly people there)

Installation
------------

taproot/indieauth is currently tested against and compatible with PHP 7.3, 7.4, 8.0 and 8.1.

Install taproot/indieauth using [composer](https://getcomposer.org/):

```
composer.phar require taproot/indieauth
composer.phar install # or: composer.phar update
```

Versioned releases are GPG signed so you can verify that the code hasn’t been tampered with.

```
gpg --recv-keys 1C00430B19C6B426922FE534BEF8CE58118AD524
cd vendor/taproot/indieauth
git tag -v v0.3.1 # Replace with the version you have installed
```

Usage
-----

Typical minimal usage looks something like this:

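```
// Imports assumed by this snippet. Response can be any PSR-7 response
// implementation your app already uses.
use Psr\Http\Message\ServerRequestInterface;

// Somewhere in your app set-up code:
$server = new Taproot\IndieAuth\Server([
	// Your server’s issuer ID URL (see __construct() docs for more details)
	'issuer' => 'https://example.com/',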

	// A secret key, >= 64 characters long.
	'secret' => YOUR_APP_INDIEAUTH_SECRET,

	// A path to store token data, or an object implementing TokenStorageInterface.
	'tokenStorage' => '/../data/auth_tokens/',

	// An authentication callback function, which either returns data about the current user,
	// or redirects to/implements an authentication flow.
	'authenticationHandler' => function (ServerRequestInterface $request, string $authenticationRedirect, ?string $normalizedMeUrl) {
		// If the request is authenticated, return an array with a `me` key containing the
		// canonical URL of the currently logged-in user.
		if ($userUrl = getLoggedInUserUrl($request)) {
			return ['me' => $userUrl];
		}

		// Otherwise, redirect the user to a login page, ensuring that they will be redirected
		// back to the IndieAuth flow with query parameters intact once logged in.
		return new Response(302, ['Location' => 'https://example.com/login?next=' . urlencode($authenticationRedirect)]);
	}
]);

// In your authorization endpoint route, which must not be CSRF-protected:
return $server->handleAuthorizationEndpointRequest($request);

// In your token endpoint route, which must not be CSRF-protected:
return $server->handleTokenEndpointRequest($request);

// In another route (e.g. a micropub route), to authenticate the request:
// (assuming $bearerToken is a token parsed from an “Authorization: Bearer XXXXXX” header
// or access_token property from a request body)
if ($accessToken = $server->getAccessToken($bearerToken)) {
	// Request is authenticated as $accessToken['me'], and is allowed to
	// act according to the scopes listed in $accessToken['scope'].
	$scopes = explode(' ', $accessToken['scope']);
}
```
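The last step of the snippet above leaves token parsing and scope enforcement to the caller. The following is an added example, not code from taproot/indieauth: `extractBearerToken()` and `checkAccess()` are hypothetical helpers, and `getAccessToken()` is used exactly as shown above.

```php
<?php
use Psr\Http\Message\ServerRequestInterface;
use Taproot\IndieAuth\Server;

// Hypothetical helper: pull the bearer token from the Authorization header,
// falling back to an access_token field in a parsed form body.
function extractBearerToken(ServerRequestInterface $request): ?string {
	$header = trim($request->getHeaderLine('Authorization'));
	if (preg_match('/^Bearer\s+(\S+)$/i', $header, $matches)) {
		return $matches[1];
	}
	$body = $request->getParsedBody();
	if (is_array($body) && is_string($body['access_token'] ?? null) && $body['access_token'] !== '') {
		return $body['access_token'];
	}
	return null;
}

// Hypothetical helper: returns [HTTP status, token data or null].
// 401 = no usable token, 403 = valid token that lacks $requiredScope.
function checkAccess(Server $server, ServerRequestInterface $request, string $requiredScope): array {
	$bearerToken = extractBearerToken($request);
	if ($bearerToken === null) {
		return [401, null];
	}
	$accessToken = $server->getAccessToken($bearerToken);
	if (!$accessToken) {
		return [401, null];
	}
	// Scopes are a space-separated string; compare whole scope names strictly,
	// so a token scoped "created" never satisfies a check for "create".
	$scopes = preg_split('/\s+/', (string) ($accessToken['scope'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
	if (!in_array($requiredScope, $scopes, true)) {
		return [403, null];
	}
	return [200, $accessToken];
}

// In a micropub route (the 'create' scope name is an assumption):
// [$status, $accessToken] = checkAccess($server, $request, 'create');
```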

IndieAuth clients require some discovery metadata to be able to discover relevant URLs and configuration details. Providing this discovery is currently out of the scope of taproot/indieauth (we might consider semi-automating the generation of the indieauth-metadata endpoint in the future), so please refer to the [Discovery section of the specification](https://indieauth.spec.indieweb.org/#discovery) for more information.
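Since the library does not serve discovery metadata, here is one way to build the `indieauth-metadata` document yourself. This is an added example, not part of taproot/indieauth: the function name, the endpoint URLs and the `S256` challenge method are assumptions to replace with your own values.

```php
<?php
// Hypothetical helper: build the JSON body for an indieauth-metadata endpoint.
// Only the fields the IndieAuth specification marks as required are emitted.
function buildIndieAuthMetadata(
	string $issuer,
	string $metadataUrl,
	string $authorizationEndpoint,
	string $tokenEndpoint
): string {
	$parts = parse_url($issuer);
	// The issuer must be an https URL with no query string or fragment.
	if ($parts === false || ($parts['scheme'] ?? '') !== 'https'
		|| isset($parts['query']) || isset($parts['fragment'])) {
		throw new InvalidArgumentException('issuer must be an https URL without query or fragment');
	}
	// The issuer must also be a prefix of the metadata URL itself.
	if (strpos($metadataUrl, $issuer) !== 0) {
		throw new InvalidArgumentException('issuer must be a prefix of the metadata URL');
	}
	return json_encode([
		'issuer' => $issuer,
		'authorization_endpoint' => $authorizationEndpoint,
		'token_endpoint' => $tokenEndpoint,
		'code_challenge_methods_supported' => ['S256'], // assumed value
	], JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

// Placeholder URLs. Use the same issuer value you pass to the Server config.
$metadataUrl = 'https://example.com/indieauth-metadata';
$json = buildIndieAuthMetadata(
	'https://example.com/',
	$metadataUrl,
	'https://example.com/auth',
	'https://example.com/token'
);

// Value for a Link header on the user's profile URL, so clients can find the document.
$linkHeader = sprintf('<%s>; rel="indieauth-metadata"', $metadataUrl);

// In the metadata route itself:
header('Content-Type: application/json');
echo $json;
```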

Refer to the `__construct` documentation for further configuration options, and to [the documentation](https://taproot.github.io/indieauth/namespaces/taproot-indieauth.html) for more detail about both handling methods. Specifically:

- [Taproot\\IndieAuth\\Server::\_\_construct()](https://taproot.github.io/indieauth/classes/Taproot-IndieAuth-Server.html#method___construct) for detailed information about how to configure your `Server` instance.
- [Taproot\\IndieAuth\\Server::handleAuthorizationEndpointRequest()](https://taproot.github.io/indieauth/classes/Taproot-IndieAuth-Server.html#method_handleAuthorizationEndpointRequest) for an overview of exactly what happens during an authorization request (which is the bulk of what this library is for)
- [Taproot\\IndieAuth\\Callback\\DefaultAuthorizationForm](https://taproot.github.io/indieauth/classes/Taproot-IndieAuth-Callback-DefaultAuthorizationForm.html) (and its [associated template](https://github.com/Taproot/indieauth/blob/main/templates/default_authorization_page.html.php)) for details about customising the default consent screen form.
- [Taproot\\IndieAuth\\Callback\\SingleUserPasswordAuthenticationCallback](https://taproot.github.io/indieauth/classes/Taproot-IndieAuth-Callback-SingleUserPasswordAuthenticationCallback.html) for an example of how to implement an authentication callback, and its [corresponding template](https://github.com/Taproot/indieauth/blob/main/templates/single_user_password_authentication_form.html.php) for information on customising the template.
- [Taproot\\IndieAuth\\Storage\\TokenStorageInterface](https://taproot.github.io/indieauth/classes/Taproot-IndieAuth-Storage-TokenStorageInterface.html) for details about implementing your own token storage
- [Taproot\\IndieAuth\\Callback\\AuthorizationFormInterface](https://taproot.github.io/indieauth/classes/Taproot-IndieAuth-Callback-AuthorizationFormInterface.html) for information about implementing your own authorization form.

### Example Application

See the [taproot/micropub example app](https://github.com/Taproot/micropub-adapter/tree/main/example) for a working example of how to use taproot/indieauth.

Contributing
------------

If you have any questions about using this library, join the [indieweb dev chatroom](https://chat.indieweb.org/dev/), and ping `barnaby` or ask one of the other friendly people there.

If you find a bug or problem with the library, or want to suggest a feature, please [create an issue](https://github.com/Taproot/indieauth/issues/new).

If discussions lead to you wanting to submit a pull request, following this process, while not required, will increase the chances of it quickly being accepted:

- Fork this repo to your own github account, and clone it to your development computer.
- Run `./run_coverage.sh` and ensure that all tests pass — you’ll need XDebug for code coverage data.
- If applicable, write failing regression tests e.g. for a bug you’re fixing.
- Make your changes.
- Run `./run_coverage.sh` and `open docs/coverage/index.html`. Make sure that the changes you made are covered by tests. taproot/indieauth had nearly 100% test coverage from version 0.1.0, and that number should never go down!
- Run `./vendor/bin/psalm` and fix any warnings it brings up.
- Install and run `./phpDocumentor.phar` to regenerate the documentation if applicable.
- Push your changes and submit the PR.

Changelog
---------

### v0.3.1

2022-10-23

- Corrected Cache-Control headers, added CSP and X-Frame-Options headers to user-facing responses (#21)
- Removed hard dependencies on nyholm/psr7 and webmozart/path-util (#20)
- Allowed installation alongside mf2/mf2 ^0.5, added code for handling img+alt parsing of photos

### v0.3.0

2022-10-21

Breaking changes:

- various public members of classes are now protected and can only be configured on instantiation
- `issuer` key is now semi-required in the Server config array (omitting it will result in a warning)

Other changes:

- Everywhere which previously accepted a custom template path now additionally supports a callable with the following signature (#18):
    ```
    function (array $context): string
    ```
- Client ID web pages are now searched for matching h-x-app microformats in addition to h-app (#17)
- If a valid author property is present on the client ID h-(x-)app, DefaultAuthorizationForm and its corresponding template make it available and present it (#16)
- Improved documentation with internal links, better formatting
- Allowed DoubleSubmitCookieCsrfMiddleware’s cookie path to be set to arbitrary values (not useful for internal IndieAuth use, but handy for reusing that code elsewhere)
- DoubleSubmitCookieCsrfMiddleware adds a pre-rendered CSRF form element attribute to $request for convenience

### v0.2.2

2022-10-03

- Allowed installation with psr/log v2 and v3 in addition to v1.1

### v0.2.1

2022-09-24

Added a migration script for updating FilesystemJsonStorage tokens from v0.1 to v0.2 format. Run it with:

```
php vendor/taproot/indieauth/bin/migrate.php ../path/to/your/json/token/storage/
```

Normalized client\_id and redirect\_uri before validation and fetching, but stored and used the raw strings for comparison purposes (Fixes #12)

### v0.2.0

2022-09-06

- Allow supporting older clients with response\_type=id (#3)
- Changed FilesystemJsonStorage internal structure to better match terms used in OAuth (#5)
- Allowed guzzle v2 (#7)
- Improved authentication callback handling logic (#8)
- Allowed . and ~ in plain text code challenge (#13)
- No more hard fail if client\_id cannot be fetched (#14)
- Improved styling of all default templates
- Minor fixes, regenerated documentation

### v0.1.0

2021-06-24

- Initial release
