
xp-forge/web-auth
=================

Web Authentication

v7.1.0 (4mo ago) · [2 PRs](https://github.com/xp-forge/web-auth/pulls) · BSD-3-Clause · PHP >=7.4.0 · CI passing

[Source](https://github.com/xp-forge/web-auth) · [Packagist](https://packagist.org/packages/xp-forge/web-auth) · [Docs](http://xp-framework.net/)

Web Authentication
==================


Authentication for web services. Supports authenticating URLs with fragments such as `https://example.com/#/users/thekid` without losing information when redirecting.

☑ Verified with Twitter (OAuth 1), Microsoft Office 365, Facebook, GitHub and Google (OAuth 2).

Examples
--------

### HTTP basic authentication:

```
use web\auth\Basic;
use util\Secret;

$auth= new Basic('Administration', function($user, Secret $secret) {
  return 'admin' === $user && $secret->equals('secret') ? ['id' => 'admin'] : null;
});

return ['/' => $auth->required(function($req, $res) {
  $res->send('Hello @'.$req->value('user')['id'], 'text/plain');
})];
```

### Authentication via Twitter:

```
use web\auth\SessionBased;
use web\auth\oauth\OAuth1Flow;
use web\session\ForTesting;

$flow= new OAuth1Flow(
  'https://api.twitter.com/oauth',
  [$credentials->named('twitter_oauth_key'), $credentials->named('twitter_oauth_secret')],
  $callback
);
$auth= new SessionBased(
  $flow,
  new ForTesting(),
  $flow->fetchUser('https://api.twitter.com/1.1/account/verify_credentials.json')
);

return ['/' => $auth->required(function($req, $res) {
  $res->send('Hello @'.$req->value('user')['screen_name'], 'text/plain');
})];
```

*The $callback parameter should be the path matching the path in the callback URI registered with Twitter.*

### Authentication via GitHub:

```
use web\auth\SessionBased;
use web\auth\oauth\OAuth2Flow;
use web\session\ForTesting;

$flow= new OAuth2Flow(
  'https://github.com/login/oauth/authorize',
  'https://github.com/login/oauth/access_token',
  [$credentials->named('github_oauth_key'), $credentials->named('github_oauth_secret')],
  $callback
);
$auth= new SessionBased(
  $flow,
  new ForTesting(),
  $flow->fetchUser('https://api.github.com/user')
);

return ['/' => $auth->required(function($req, $res) {
  $res->send('Hello @'.$req->value('user')['login'], 'text/plain');
})];
```

*The $callback parameter should be the path matching the path in the callback URI registered with GitHub.*

### Authentication via Google:

```
use web\auth\SessionBased;
use web\auth\oauth\OAuth2Flow;
use web\session\ForTesting;

$flow= new OAuth2Flow(
  'https://accounts.google.com/o/oauth2/v2/auth',
  'https://oauth2.googleapis.com/token',
  [$credentials->named('google_oauth_key'), $credentials->named('google_oauth_secret')],
  $callback,
  ['https://www.googleapis.com/auth/userinfo.profile']
);
$auth= new SessionBased(
  $flow,
  new ForTesting(),
  $flow->fetchUser('https://openidconnect.googleapis.com/v1/userinfo')
);

return ['/' => $auth->required(function($req, $res) {
  $res->send('Hello @'.$req->value('user')['name'], 'text/plain');
})];
```

*The $callback parameter should be the path matching the path in the callback URI registered with Google.*

### Authentication via Office 365 Azure AD:

```
use util\Secret;
use web\auth\SessionBased;
use web\auth\oauth\{OAuth2Flow, BySecret, ByCertificate, ByPKCE};
use web\session\ForTesting;

// Depending on what you have set up under "Certificates & Secrets", use one
// of the following. For certificate-based authentication, $privateKey can
// hold either the key's contents or reference it as 'file://private.key'
$credentials= new BySecret('[APP-ID]', new Secret('...'));
$credentials= new ByCertificate('[APP-ID]', '[THUMBPRINT]', $privateKey);
$credentials= new ByPKCE('[APP-ID]', 'S256');

$flow= new OAuth2Flow(
  'https://login.microsoftonline.com/[TENANT_ID]/oauth2/v2.0/authorize',
  'https://login.microsoftonline.com/[TENANT_ID]/oauth2/v2.0/token',
  $credentials,
  $callback,
  ['openid', 'profile', 'offline_access', 'User.Read']
);
$auth= new SessionBased(
  $flow,
  new ForTesting(),
  $flow->fetchUser('https://graph.microsoft.com/v1.0/me')
);

return ['/' => $auth->required(function($req, $res) {
  $res->send('Hello @'.$req->value('user')['login'], 'text/plain');
})];
```

*The $callback parameter should be the path matching the path in the callback URI registered with the Azure AD application.*
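
The `'S256'` value passed to `ByPKCE` above is the name of the PKCE challenge method defined in RFC 7636. The following added example (not code from xp-forge/web-auth) shows how that method derives the code challenge from the code verifier and what the authorization server compares at the token endpoint; the function names and the `login.example.com` endpoint are assumptions made for illustration.

```php
<?php
// Added illustration; not code from xp-forge/web-auth. All function names are hypothetical.

// Base64url without padding, the encoding RFC 7636 uses for the challenge
function base64url(string $bytes): string {
  return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Client: fresh verifier per authorization request (32 random bytes give 43 characters)
function pkce_verifier(): string {
  return base64url(random_bytes(32));
}

// Client: code_challenge for method S256 = BASE64URL(SHA256(ASCII(code_verifier)))
function pkce_challenge(string $verifier): string {
  return base64url(hash('sha256', $verifier, true));
}

// Authorization server: check made when the code is redeemed at the token endpoint
function pkce_verify(string $verifier, string $storedChallenge): bool {
  if (!preg_match('/\A[A-Za-z0-9\-._~]{43,128}\z/', $verifier)) return false;
  return hash_equals($storedChallenge, pkce_challenge($verifier));
}

// Verifier and expected challenge from RFC 7636, Appendix B
$verifier= 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$challenge= pkce_challenge($verifier);
if ('E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM' !== $challenge) {
  throw new RuntimeException('S256 derivation does not match the RFC 7636 test vector');
}

// Step 1: the browser redirect carries only the challenge (constructed endpoint and values)
$authorize= 'https://login.example.com/authorize?'.http_build_query([
  'response_type'         => 'code',
  'client_id'             => '[APP-ID]',
  'code_challenge'        => $challenge,
  'code_challenge_method' => 'S256',
]);
echo $authorize, "\n";

// Step 2: the token request carries the verifier, which never passed through the browser.
// First call: the client that started the flow. Second call: a party holding only the code.
var_dump(pkce_verify($verifier, $challenge));
var_dump(pkce_verify(pkce_verifier(), $challenge));
```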

### Authentication via [CAS](https://apereo.github.io/cas) ("Central Authentication Service"):

```
use web\auth\SessionBased;
use web\auth\cas\CasFlow;
use web\session\ForTesting;

$flow= new CasFlow('https://sso.example.com/');
$auth= new SessionBased($flow, new ForTesting());

return ['/' => $auth->required(function($req, $res) {
  $res->send('Hello @'.$req->value('user')['username'], 'text/plain');
})];
```

Target URLs
-----------

By default, the flow instances use the request URI to determine where the service is running. Behind a proxy, this is most probably not the user-facing URI. To change this behavior, use the `target()` method and pass a `UseURL` instance as follows:

```
use web\auth\UseURL;
use web\auth\cas\CasFlow;

$flow= (new CasFlow('https://sso.example.com/'))->target(new UseURL('https://service.example.com/'));
```

### Health Score

49 (Fair, better than 95% of packages)

- Maintenance: 75. Regular maintenance activity
- Popularity: 24. Limited adoption so far
- Community: 11. Small or concentrated contributor base
- Maturity: 70. Established project with proven stability
- Bus Factor: 1. Top contributor holds 100% of commits (single point of failure)

How is this calculated?

- **Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~54 days (recently: every ~30 days)
- Total: 42
- Last release: 134d ago

Major versions:

- v2.2.2 → v3.0.0: 2021-05-14
- v3.8.0 → v4.0.0: 2024-02-04
- v4.2.0 → v5.0.0: 2024-03-29
- v5.3.0 → v6.0.0: 2025-05-04
- v6.2.0 → v7.0.0: 2026-01-04

PHP version history (3 changes):

- v0.1.0: PHP >=5.6.0
- v1.0.0: PHP >=7.0.0
- v5.0.0: PHP >=7.4.0

### Community

- Maintainers: [thekid](/maintainers/thekid)
- Top contributors: [thekid](https://github.com/thekid) (261 commits)
- Tags: authentication, basic-authentication, cas, jwt, oauth, oauth1, oauth2, oauth2-credentials, php, pkce-oauth, userinfo, xp-framework, module, xp

