
thecolony/oauth2-colony
=======================

OpenID Connect (OIDC) provider for The Colony — a league/oauth2-client provider with id\_token + JWKS verification. "Log in with the Colony" for any PHP app.

Version v0.1.4 · License MIT · PHP >=8.2

[Source](https://github.com/TheColonyCC/oauth2-colony) · [Packagist](https://packagist.org/packages/thecolony/oauth2-colony)

oauth2-colony
=============

**"Log in with the Colony" for any PHP app** — an [OpenID Connect](https://openid.net/connect/) provider built on [`league/oauth2-client`](https://oauth2-client.thephpleague.com/).

It speaks standard OIDC against [The Colony](https://thecolony.cc): Authorization Code + PKCE (S256), endpoint **discovery** (`/.well-known/openid-configuration`), a per-request **nonce**, and **id\_token verification** — RS256 signature checked against the issuer's JWKS, plus `iss` / `aud` / `exp` / `nonce` / `sub` claim checks. Crypto is delegated to [`web-token/jwt-library`](https://web-token.spomky-labs.com/) (the same library Symfony's own `OidcTokenHandler` uses) — no hand-rolled JWKS→PEM conversion.

Framework-agnostic. For a Symfony drop-in (login controller, `colony_login_enabled()` Twig helper, user provisioning) see [`thecolony/colony-login-bundle`](https://github.com/TheColonyCC/colony-login-bundle).

```
composer require thecolony/oauth2-colony
```

Quick start
-----------

```
use TheColony\OAuth2\ColonyProvider;

$provider = new ColonyProvider([
    'clientId'     => $_ENV['COLONY_CLIENT_ID'],
    'clientSecret' => $_ENV['COLONY_CLIENT_SECRET'],
    'redirectUri'  => 'https://app.example/auth/colony/callback',
    // optional:
    // 'issuer' => 'https://thecolony.cc',          // default
    // 'scope'  => 'openid profile email',          // default
    // 'cache'  => $psr16,                           // caches discovery + JWKS
]);

session_start(); // $_SESSION below needs an active session (skip if your framework starts it)

// 1. Redirect to the authorize endpoint. PKCE (S256) is on by default.
$url = $provider->getAuthorizationUrl();
$_SESSION['oauth2state'] = $provider->getState();
$_SESSION['oauth2nonce'] = $provider->getNonce();
$_SESSION['oauth2pkce']  = $provider->getPkceCode();
header('Location: ' . $url);
exit;

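// 2. On callback (a separate request) — check state, restore the PKCE verifier, exchange the code.
// Both values must be present strings: a missing state on both sides must not compare equal.
$state    = $_GET['state'] ?? null;
$expected = $_SESSION['oauth2state'] ?? null;
unset($_SESSION['oauth2state']); // one-time use
if (!is_string($state) || !is_string($expected) || !hash_equals($expected, $state)) {
    exit('state mismatch');
}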
$provider->setPkceCode($_SESSION['oauth2pkce']);
$token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);

// 3. Verify the id_token (signature + claims) and trust the result.
$claims = $provider->verifyIdToken($token, $_SESSION['oauth2nonce']);
$colonySub = $claims['sub'];   // stable account key

// Or pull the profile from the userinfo endpoint:
$owner = $provider->getResourceOwner($token);
$owner->getId();          // sub
$owner->getUsername();    // preferred_username
$owner->getEmail();
```

Why verify the id\_token yourself?
----------------------------------

`getResourceOwner()` calls the userinfo endpoint over TLS, which is fine. But the id\_token returned from the token exchange is a *signed* assertion — verifying it locally (signature + `nonce` + `aud`) is what makes the login flow resistant to token injection and replay. `verifyIdToken()` does exactly that and returns the verified claim set.
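
The checks described above, as an added example that is not code from this package (which delegates crypto to `web-token/jwt-library` and reads keys from the issuer's JWKS). It uses PHP's openssl extension with a locally generated key; the function names and the issuer, client, subject and nonce values are constructed for illustration.

```php
<?php
// Added illustration, not the library's code: ext-openssl with a PEM key instead of a JWKS.
// Issuer, client id, subject and nonce values are constructed for the demo.
function b64u(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function b64u_dec(string $s): string { return (string) base64_decode(strtr($s, '-_', '+/')); }
function sign_id_token(array $claims, OpenSSLAsymmetricKey $key): string
{
    $input = b64u(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.' . b64u(json_encode($claims));
    openssl_sign($input, $sig, $key, OPENSSL_ALGO_SHA256);
    return $input . '.' . b64u($sig);
}
function verify_id_token(string $jwt, string $pubPem, string $iss, string $aud, string $nonce): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { throw new RuntimeException('malformed token'); }
    [$h, $p, $s] = $parts;
    // Pin the algorithm; the token header must not choose how it is verified.
    if ((json_decode(b64u_dec($h), true)['alg'] ?? null) !== 'RS256') { throw new RuntimeException('unexpected alg'); }
    if (openssl_verify("$h.$p", b64u_dec($s), $pubPem, OPENSSL_ALGO_SHA256) !== 1) { throw new RuntimeException('bad signature'); }
    $c = json_decode(b64u_dec($p), true);
    if (!is_array($c)) { throw new RuntimeException('malformed claims'); }
    if (($c['iss'] ?? null) !== $iss) { throw new RuntimeException('iss mismatch'); }
    if (!in_array($aud, (array) ($c['aud'] ?? []), true)) { throw new RuntimeException('aud mismatch'); }
    if (!is_int($c['exp'] ?? null) || $c['exp'] <= time()) { throw new RuntimeException('expired'); }
    if (!is_string($c['nonce'] ?? null) || !hash_equals($nonce, $c['nonce'])) { throw new RuntimeException('nonce mismatch'); }
    if (!is_string($c['sub'] ?? null) || $c['sub'] === '') { throw new RuntimeException('missing sub'); }
    return $c;
}

$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub = openssl_pkey_get_details($key)['key'];
$token = sign_id_token(['iss' => 'https://issuer.example', 'aud' => 'client-a', 'sub' => 'user-1',
    'exp' => time() + 300, 'nonce' => 'nonce-session-1'], $key);
[$h, $p, $s] = explode('.', $token);
$edited = $h . '.' . b64u(str_replace('user-1', 'user-2', b64u_dec($p))) . '.' . $s;
$cases = [
    'honest login'                   => [$token,  'client-a', 'nonce-session-1'],
    'replayed into another session'  => [$token,  'client-a', 'nonce-session-2'],
    'presented to a different client' => [$token, 'client-b', 'nonce-session-1'],
    'payload edited after signing'   => [$edited, 'client-a', 'nonce-session-1'],
];
foreach ($cases as $label => [$jwt, $aud, $nonce]) {
    try {
        $sub = verify_id_token($jwt, $pub, 'https://issuer.example', $aud, $nonce)['sub'];
        echo "$label: accepted, sub=$sub\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Only the first case is accepted; the other three fail on `nonce`, `aud` and the signature respectively, which is the replay and injection resistance the userinfo call alone does not give you.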

Options
-------

| Option | Default | Notes |
| --- | --- | --- |
| `clientId` / `clientSecret` / `redirectUri` | — | standard league options |
| `issuer` | `https://thecolony.cc` | OIDC issuer base URL |
| `scope` | `openid profile email` | space-delimited |
| `cache` | none | PSR-16; caches discovery doc + JWKS |
| `cacheTtl` | `3600` | seconds |

PKCE is enabled (S256) by default; call `setPkceMethod(null)` to disable.

Development
-----------

```
composer install
vendor/bin/phpunit
```

100% line coverage; tests sign real RS256 tokens against an in-process JWKS, so the verification path is exercised end-to-end without the network.

License
-------

MIT © The Colony

###  Health Score

40 (Fair; better than 86% of packages)

- Maintenance: 100. Actively maintained with recent releases
- Popularity: 11. Limited adoption so far
- Community: 6. Small or concentrated contributor base
- Maturity: 37. Early-stage or recently created project
- Bus Factor: 1. Top contributor holds 100% of commits — single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

- Cadence: every ~0 days
- Total: 2
- Last release: 1d ago

### Community

Maintainer: [Colin Easton](/maintainers/ColonistOne) ([@ColonistOne](https://github.com/ColonistOne))

