Abandoned → [facile-it/php-openid-client](/?search=facile-it%2Fphp-openid-client)

thomasvargiu/php-openid-client
==============================

OpenId Client

1.0.1 (6y ago) · MIT · PHP ^7.2

[Source](https://github.com/thomasvargiu/php-openid-client) · [Packagist](https://packagist.org/packages/thomasvargiu/php-openid-client)

php-openid-client
=================


Full OpenID client implementation.


Most of the library code is based on the awesome [`node-openid-client`](https://github.com/panva/node-openid-client).

Implemented specs and features
------------------------------


- [OAuth 2.0 RFC 6749](https://tools.ietf.org/html/rfc6749) & [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
    - Authorization (Authorization Code Flow, Implicit Flow, Hybrid Flow)
    - UserInfo Endpoint and ID Tokens including Signing and Encryption (using the [JWT Framework](https://github.com/web-token/jwt-framework) library)
    - Passing a Request Object by Value or Reference including Signing and Encryption
    - Offline Access / Refresh Token Grant
    - Client Credentials Grant
    - Client Authentication incl. `client_secret_jwt` and `private_key_jwt` methods
- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
- [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) and [RFC7591 OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)
- [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
- [RFC7009 - OAuth 2.0 Token Revocation](https://tools.ietf.org/html/rfc7009)
- [RFC7662 - OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
- [RFC7592 - OAuth 2.0 Dynamic Client Registration Management Protocol](https://tools.ietf.org/html/rfc7592)

### Support for the following draft specifications

- [JWT Response for OAuth Token Introspection - draft 03](https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-03)
- [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - draft 02](https://openid.net/specs/openid-financial-api-jarm-wd-02.html)
- [OAuth 2.0 JWT Secured Authorization Request (JAR)](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19)
- [OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS) - draft 15](https://tools.ietf.org/html/draft-ietf-oauth-mtls-15)

Installation
------------


Requirements:

- `psr/http-client-implementation` implementation
- `psr/http-factory-implementation` implementation
- `psr/http-message-implementation` implementation

```
composer require thomasvargiu/php-openid-client
```

`RSA` signing algorithms are already included with the JWT Framework package. If you need other algorithms, you should install them manually.

Basic Usage
-----------

For basic usage you shouldn't need any other dependency package.

```
use TMV\OpenIdClient\Client\Client;
use TMV\OpenIdClient\Issuer\IssuerFactory;
use TMV\OpenIdClient\Client\Metadata\ClientMetadata;
use TMV\OpenIdClient\Service\AuthorizationService;
use TMV\OpenIdClient\Service\UserinfoService;
use Psr\Http\Message\ServerRequestInterface;

$issuerFactory = new IssuerFactory();
$issuer = $issuerFactory->fromUri('https://example.com/.well-known/openid-configuration');

$clientMetadata = new ClientMetadata(
    'client_id', // client_id
    // other claims
    [
        'redirect_uris' => [
            'https://my-rp.com/callback',
        ],
    ]
);

$client = new Client($issuer, $clientMetadata);

// Authorization

$authorizationService = new AuthorizationService();
$redirectAuthorizationUri = $authorizationService->getAuthorizationUri(
    $client,
    ['login_hint' => 'user_username'] // custom params
);
// you can use this uri to redirect the user

// Get access token

/** @var ServerRequestInterface $serverRequest */
$serverRequest = null; // replace with your PSR-7 server request for the callback
$callbackParams = $authorizationService->getCallbackParams($serverRequest, $client);
$tokenSet = $authorizationService->callback($client, $callbackParams);

$idToken = $tokenSet->getIdToken(); // Unencrypted id_token
$accessToken = $tokenSet->getAccessToken(); // Access token
$refreshToken = $tokenSet->getRefreshToken(); // Refresh token

$claims = $tokenSet->claims(); // IdToken claims (if id_token is available)

// Refresh token
$tokenSet = $authorizationService->refresh($client, $tokenSet->getRefreshToken());

// Get user info

$userinfoService = new UserinfoService();
$userinfo = $userinfoService->getUserInfo($client, $tokenSet);
```

### Dependencies and complex usage

Some classes require dependencies. Usually they are instantiated automatically for simple basic usage, but you can inject them when necessary.

PSR-17 HTTP factories are discovered automatically. The PSR-18 HTTP client is discovered automatically too, but I suggest always injecting your own client, especially when discovering the provider configuration and JWK Set, and caching the result.
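
One way to follow the suggestion above, as an added example that is not part of this library: a PSR-18 decorator that caches the provider configuration and JWK Set responses. `CachingHttpClient` and its TTL are hypothetical, and a PSR-16 cache (`psr/simple-cache`) is assumed in addition to the packages listed under Requirements.

```php
<?php
use Psr\Http\Client\ClientInterface;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\StreamFactoryInterface;
use Psr\SimpleCache\CacheInterface;

/** Hypothetical decorator: caches 200 responses to unauthenticated HTTPS GETs. */
final class CachingHttpClient implements ClientInterface
{
    private const TTL = 3600; // assumed value, seconds; bounds how long a rotated key goes unnoticed
    private $inner;
    private $cache;
    private $responses;
    private $streams;

    public function __construct(
        ClientInterface $inner,
        CacheInterface $cache,
        ResponseFactoryInterface $responses,
        StreamFactoryInterface $streams
    ) {
        $this->inner = $inner;
        $this->cache = $cache;
        $this->responses = $responses;
        $this->streams = $streams;
    }

    public function sendRequest(RequestInterface $request): ResponseInterface
    {
        $uri = $request->getUri();
        // Only plain GETs qualify; requests carrying credentials (e.g. a bearer token) are never cached.
        if ($request->getMethod() !== 'GET' || $uri->getScheme() !== 'https'
            || $request->hasHeader('Authorization')) {
            return $this->inner->sendRequest($request);
        }
        $key = hash('sha256', 'oidc|' . $uri); // 64 hex chars, within the PSR-16 key limits
        $entry = $this->cache->get($key);
        if (!is_array($entry)) {
            $response = $this->inner->sendRequest($request);
            if ($response->getStatusCode() !== 200) {
                return $response; // errors pass through uncached
            }
            $entry = [
                'type' => $response->getHeaderLine('Content-Type') ?: 'application/json',
                'body' => (string) $response->getBody(),
            ];
            $this->cache->set($key, $entry, self::TTL);
        }
        return $this->responses->createResponse(200)
            ->withHeader('Content-Type', $entry['type'])
            ->withBody($this->streams->createStream($entry['body']));
    }
}
```

This page shows `AuthorizationService` accepting the HTTP client as its last constructor argument; how the client is passed to the discovery and JWK Set classes is not shown here.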

If you need other algorithms, you should create an `AlgorithmManager` with your algorithms and inject it when needed.

Example of how to create a fully configured instance of the `AuthorizationService`:

```
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Signature\Algorithm;
use Jose\Component\Encryption\Algorithm\KeyEncryption;
use Jose\Component\Encryption\Algorithm\ContentEncryption;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Encryption\JWELoader;
use Jose\Component\Encryption\Serializer\CompactSerializer;
use Jose\Component\Encryption\Serializer\JWESerializerManager;
use Jose\Component\Encryption\JWEDecrypter;
use Jose\Component\Encryption\Compression\CompressionMethodManager;
use Jose\Component\Encryption\Compression\Deflate;
use TMV\OpenIdClient\Token\IdTokenVerifier;
use TMV\OpenIdClient\Token\TokenSetVerifier;
use TMV\OpenIdClient\Token\TokenSetFactory;
use TMV\OpenIdClient\Token\TokenDecrypter;
use TMV\OpenIdClient\Token\ResponseTokenVerifier;
use TMV\OpenIdClient\Service\AuthorizationService;

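$algorithmManager = new AlgorithmManager([
    // "none" is the unsecured JWS algorithm (RFC 7518 §3.6): tokens using it carry
    // no signature. List it only if your client is registered to accept unsigned tokens.
    new Algorithm\None(),
    new Algorithm\RS256(),
    new KeyEncryption\RSAOAEP(),
    new ContentEncryption\A256CBCHS512(),
]);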

$JWSVerifier = new JWSVerifier($algorithmManager);
$idTokenVerifier = new IdTokenVerifier($JWSVerifier);
$tokenSetVerifier = new TokenSetVerifier($idTokenVerifier);
$responseTokenVerifier = new ResponseTokenVerifier($JWSVerifier);
$JWELoader = new JWELoader(
    new JWESerializerManager([new CompactSerializer()]),
    new JWEDecrypter($algorithmManager, $algorithmManager, new CompressionMethodManager([new Deflate()])),
    null
);
$tokenDecrypter = new TokenDecrypter($JWELoader);

$authorizationService = new AuthorizationService(
    new TokenSetFactory(),
    $tokenSetVerifier,
    $responseTokenVerifier,
    $tokenDecrypter,
    $httpClient // your injected PSR-18 HTTP client
);
```
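
The algorithm list above includes `Algorithm\None`, the unsecured `none` algorithm. As an added example (not part of this library; `assertExpectedJwsAlg` and the base64url helpers are hypothetical, and the tokens are constructed samples), a pre-check that pins a compact JWS header's `alg` to the one value your client expects, run in addition to the library's own signature verification:

```php
<?php
/** Base64url without padding (RFC 7515); the decoder returns null on invalid input. */
function b64urlEncode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $in): ?string
{
    if ($in === '' || preg_match('/[^A-Za-z0-9_-]/', $in)) {
        return null;
    }
    $padded = str_pad($in, strlen($in) + (4 - strlen($in) % 4) % 4, '=');
    $raw = base64_decode(strtr($padded, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

/**
 * Hypothetical helper: returns the header "alg" of a compact JWS when it is
 * exactly $expectedAlg, and throws otherwise. The comparison is case-sensitive.
 */
function assertExpectedJwsAlg(string $jwt, string $expectedAlg): string
{
    $parts = explode('.', $jwt);
    $json = count($parts) === 3 ? b64urlDecode($parts[0]) : null;
    $header = $json === null ? null : json_decode($json, true);
    if (!is_array($header) || !is_string($header['alg'] ?? null)) {
        throw new UnexpectedValueException('not a compact JWS with an "alg" header');
    }
    if ($header['alg'] !== $expectedAlg) {
        throw new UnexpectedValueException('unexpected alg "' . $header['alg'] . '"');
    }
    // A signed token must carry a signature part; "none" tokens must not (RFC 7518 §3.6).
    if (($parts[2] === '') !== ($expectedAlg === 'none')) {
        throw new UnexpectedValueException('signature part does not match alg');
    }
    return $header['alg'];
}

// Constructed sample tokens: the signature bytes are dummies, only the header matters here.
$payload = b64urlEncode(json_encode(['iss' => 'https://example.com', 'sub' => 'user-1']));
$samples = [
    'RS256' => b64urlEncode('{"alg":"RS256"}') . ".$payload." . b64urlEncode('sig'),
    'none'  => b64urlEncode('{"alg":"none"}') . ".$payload.",
    'NoNe'  => b64urlEncode('{"alg":"NoNe"}') . ".$payload.",
];
// Assumption: the client is registered with id_token_signed_response_alg = RS256.
foreach ($samples as $name => $token) {
    try {
        echo $name, ': accepted as ', assertExpectedJwsAlg($token, 'RS256'), PHP_EOL;
    } catch (UnexpectedValueException $e) {
        echo $name, ': rejected, ', $e->getMessage(), PHP_EOL;
    }
}
```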

Client registration
-------------------


```
use TMV\OpenIdClient\Service\RegistrationService;

$registration = new RegistrationService();

// registration
$metadata = $registration->register(
    $issuer,
    [
        'client_name' => 'My client name',
        'redirect_uris' => ['https://my-rp.com/callback'],
    ],
    'my-initial-token'
);

// read
$metadata = $registration->read($metadata['registration_client_uri'], $metadata['registration_access_token']);

// update
$metadata = $registration->update(
    $metadata['registration_client_uri'],
    $metadata['registration_access_token'],
    array_merge($metadata, [
        // new metadata
    ])
);

// delete
$registration->delete($metadata['registration_client_uri'], $metadata['registration_access_token']);
```

Token Introspection
-------------------


```
use TMV\OpenIdClient\Service\IntrospectionService;

$service = new IntrospectionService();

$params = $service->introspect($client, $token);
```

Token Revocation
----------------


```
use TMV\OpenIdClient\Service\RevocationService;

$service = new RevocationService();

$params = $service->revoke($client, $token);
```

Request Object
--------------


You can create a request object authorization request with the `TMV\OpenIdClient\RequestObject\RequestObjectFactory` class.

This will create a signed (and optionally encrypted) JWT token based on your client metadata.

```
use TMV\OpenIdClient\RequestObject\RequestObjectFactory;
use Jose\Component\Core\AlgorithmManager;

$algorithmManager = new AlgorithmManager([/* your algorithms */]);

$factory = new RequestObjectFactory($algorithmManager);
$requestObject = $factory->create($client, [/* custom params to include in the JWT*/]);
```

Then you can use it to create the AuthRequest:

```
use TMV\OpenIdClient\Authorization\AuthRequest;

$authRequest = AuthRequest::fromParams([
    'client_id' => $client->getMetadata()->getClientId(),
    'redirect_uri' => $client->getMetadata()->getRedirectUris()[0],
    'request' => $requestObject,
]);
```

Aggregated and Distributed Claims
---------------------------------


The library can handle aggregated and distributed claims:

```
use TMV\OpenIdClient\Claims\AggregateParser;
use TMV\OpenIdClient\Claims\DistributedParser;

$aggregatedParser = new AggregateParser();

$claims = $aggregatedParser->unpack($client, $userinfo);

$distributedParser = new DistributedParser();
$claims = $distributedParser->fetch($client, $userinfo);
```

Using middlewares
-----------------

There are some middlewares and handlers available:

### SessionCookieMiddleware

This middleware should always be at the top of the middleware chain to provide a cookie session for the `state` and `nonce` parameters.

To use it you should install the `dflydev/fig-cookies` package:

```
$ composer require "dflydev/fig-cookies:^2.0"
```

```
use TMV\OpenIdClient\Middleware\SessionCookieMiddleware;

$middleware = new SessionCookieMiddleware();
```

The middleware provides a `TMV\OpenIdClient\Session\AuthSessionInterface` attribute holding a stateful `TMV\OpenIdClient\Session\AuthSessionInterface` instance used to persist session data.

#### Using another session storage


If you have another session storage, you can handle it and provide a `TMV\OpenIdClient\Session\AuthSessionInterface` instance in the `TMV\OpenIdClient\Session\AuthSessionInterface` attribute.

### ClientProviderMiddleware

This middleware should always be at the top of the middleware chain to provide the client to the other middlewares.

```
use TMV\OpenIdClient\Middleware\ClientProviderMiddleware;

$client = $container->get('openid.clients.default');
$middleware = new ClientProviderMiddleware($client);
```

### AuthRequestProviderMiddleware

This middleware provides the auth request to use with the `AuthRedirectHandler`.

```
use TMV\OpenIdClient\Middleware\AuthRequestProviderMiddleware;
use TMV\OpenIdClient\Authorization\AuthRequest;

$authRequest = AuthRequest::fromParams([
    'scope' => 'openid',
    // other params...
]);
$middleware = new AuthRequestProviderMiddleware($authRequest);
```

### AuthRedirectHandler


This handler will redirect the user to the OpenID authorization page.

```
use TMV\OpenIdClient\Middleware\AuthRedirectHandler;
use TMV\OpenIdClient\Service\AuthorizationService;

/** @var AuthorizationService $authorizationService */
$authorizationService = $container->get(AuthorizationService::class);
$middleware = new AuthRedirectHandler($authorizationService);
```

### CallbackMiddleware


This middleware will handle the callback from the OpenID provider.

It will provide a `TMV\OpenIdClient\Token\TokenSetInterface` attribute with the final TokenSet object.

```
use TMV\OpenIdClient\Middleware\CallbackMiddleware;
use TMV\OpenIdClient\Service\AuthorizationService;

/** @var AuthorizationService $authorizationService */
$authorizationService = $container->get(AuthorizationService::class);
$middleware = new CallbackMiddleware($authorizationService);
```

### UserinfoMiddleware

This middleware fetches user data from the userinfo endpoint and provides a `TMV\OpenIdClient\Middleware\UserInfoMiddleware` attribute with the user info as an array.

```
use TMV\OpenIdClient\Middleware\UserInfoMiddleware;
use TMV\OpenIdClient\Service\UserinfoService;

/** @var UserinfoService $userinfoService */
$userinfoService = $container->get(UserinfoService::class);
$middleware = new UserInfoMiddleware($userinfoService);
```
