
zozlak/auth
===========

Very simple yet flexible authentication framework

Version 3.1.0 · MIT · PHP >=8.0 · [Source](https://github.com/zozlak/auth) · [Packagist](https://packagist.org/packages/zozlak/auth)

Auth
====


A simple yet flexible library for authenticating against different providers.

Currently supported authorization providers:

- HTTP basic
- HTTP digest
- user login and data fetched from HTTP headers (e.g. when set by Shibboleth)
- Google `access_token`
- fixed data (e.g. a fallback guest user)

Currently supported users database backends:

- PDO

Usage
-----

Simple example trying to authenticate with Google, then with HTTP basic and finally using a fixed `zzz` user as a fallback.

```
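namespace zozlak\auth;

// auth method classes live in the authMethod sub-namespace (cf. authMethod\HttpBasic below)
use zozlak\auth\authMethod\{TrustedHeader, GoogleToken, Shibboleth, Google, HttpBasic, HttpDigest, Guest};

require __DIR__ . '/vendor/autoload.php';
$db = new usersDb\PdoDb('sqlite::memory:');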

// init users
$db->putUser('aaa', authMethod\HttpBasic::pswdData('1234'));
$db->putUser('bbb', authMethod\HttpBasic::pswdData('1234'));

// create auth controller and add auth methods
// (comment/uncomment $ctl->addMethod() lines to test different combinations)
$ctl   = new AuthController($db);

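// TrustedHeader takes the login from a request header: safe only when the web server
// (e.g. Shibboleth) sets HTTP_EPPN itself and discards any client-supplied copy
$header = new TrustedHeader('HTTP_EPPN');
$ctl->addMethod($header);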

$token = new GoogleToken(filter_input(INPUT_GET, 'token') ?? '');
$ctl->addMethod($token);

$shb = new Shibboleth('HTTP_EPPN', '', [], 'https://my.app/Shibboleth.sso/Login', 'https://my.app/url');
//$ctl->addMethod($shb, AuthController::ADVERTISE_ONCE);

$googleAppCfg = [
    'client_id' => 'appid.apps.googleusercontent.com',
    'client_secret' => 'appsecret',
    'redirect_uris' => ['https://my.app/url']
];
$googleAuthCfg = ['access_type' => 'offline', 'refresh_time' => 600];
$google = new Google(filter_input(INPUT_GET, 'token') ?? '', $googleAppCfg, $googleAuthCfg);
//$ctl->addMethod($google, AuthController::ADVERTISE_ONCE);

$basic = new HttpBasic('my realm');
$ctl->addMethod($basic, AuthController::ADVERTISE_ONCE);

$digest = new HttpDigest('realm');
//$ctl->addMethod($digest, AuthController::ADVERTISE_ONCE);

$guest = new Guest('zzz');
$ctl->addMethod($guest);

// try to authenticate
if ($ctl->authenticate()) {
    print_r([$ctl->getUserName(), $ctl->getUserData()]);
} else {
    // if not authenticated, advertise available method
    $ctl->advertise();
    header('HTTP/1.1 401 Unauthorized');
    echo "Authentication failed\n";
}
```

Combining many authentication methods
-------------------------------------

Chaining many authentication methods is easy as long as it only involves checking credentials provided by the client in its request.

The problem starts when a request contains no (valid) credentials and we want to explicitly ask the user to include them. In most cases **we can advertise only one auth method at once**, because different auth methods use conflicting advertisement mechanisms, e.g.

- all OAuth2 (Google, etc.) and SAML (Shibboleth) methods use a `Location` header to redirect the user to a login page, and we can't return many redirects to different locations in one response
- the presence of an HTTP Basic or HTTP Digest auth header in a response forces all GUI clients to prompt the user for a login and password and skip the rest of the response

Control over advertising auth methods is provided in the following way:

- You can assign each method in the chain one of three *advertisement levels*:
    - `AuthMethod::ADVERTISE_NONE`: the auth method is never advertised
    - `AuthMethod::ADVERTISE_ONCE`: the auth method is advertised only if the request contained no credentials for this method (if the request contained wrong credentials for this method, the method is not advertised again)
    - `AuthMethod::ADVERTISE_ALWAYS`: the auth method is always advertised
- When you call the `AuthController::advertise()` method, the first auth method in the chain which fulfills its advertisement conditions is advertised.

You assign the *advertisement level* when adding a method to the auth chain, using the second parameter of the `AuthController::addMethod(AuthMethodInterface $method, int $advertise)` method. **By default it's `AuthMethod::ADVERTISE_NONE`.**

Remember that `Guest`, `GoogleToken` and `TrustedHeader` don't support advertisement.

### HTTP Digest method

HTTP Digest is difficult to combine with any other auth method. Unlike other methods, HTTP Digest has to be advertised to the client before its request so that it can prepare valid credentials. And once it is advertised, all GUI clients (most notably web browsers) keep asking the user for a login and password until valid ones are provided, making it impossible to use any other authentication method.

(Poor) workarounds for this problem are:

- Putting HTTP Digest at the end of the auth chain, allowing any other auth method to be checked first.
- Setting the HTTP Digest provider's advertise setting to `ADVERTISE_ONCE`. In that case it is advertised only when a client doesn't provide HTTP Digest credentials in its request; if credentials are provided (no matter whether they are right or wrong), the HTTP Digest method won't be advertised again. This allows auth providers placed after HTTP Digest in the auth chain to be resolved, at the cost of giving the user only one chance to enter a correct login and password.
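
The selection rule described in this section, as an added example (not code from zozlak/auth): a stand-alone PHP model that picks the single method to advertise for a failed request, run against a chain using the Digest workaround and a chain with Digest first. The function name, the constant values and the sample chains and requests are assumptions made for illustration.

```php
<?php
// Added illustration: a stand-alone model of the advertisement rules described
// above. Not zozlak/auth code; every name and value below is hypothetical.
const ADVERTISE_NONE   = 1;
const ADVERTISE_ONCE   = 2;
const ADVERTISE_ALWAYS = 3;

/**
 * Returns the name of the one method to advertise, or null.
 * $chain: method name => advertisement level, in chain order.
 * $seen:  names of methods the request carried credentials for (valid or not).
 */
function pickMethodToAdvertise(array $chain, array $seen): ?string
{
    foreach ($chain as $name => $level) {
        $advertise = match ($level) {
            ADVERTISE_ALWAYS => true,
            ADVERTISE_ONCE   => !in_array($name, $seen, true),
            default          => false, // ADVERTISE_NONE
        };
        if ($advertise) {
            return $name; // first match wins: one method per response
        }
    }
    return null;
}

// Constructed chains: Digest last with ADVERTISE_ONCE (the workaround) versus
// Digest first with ADVERTISE_ALWAYS (the problem case).
$chains = [
    'digest last, once'    => ['GoogleToken' => ADVERTISE_NONE, 'HttpBasic' => ADVERTISE_ONCE, 'HttpDigest' => ADVERTISE_ONCE],
    'digest first, always' => ['HttpDigest' => ADVERTISE_ALWAYS, 'HttpBasic' => ADVERTISE_ONCE],
];
// Constructed failed requests: which methods' credentials were present.
$requests = [
    'no credentials' => [],
    'bad Basic'      => ['HttpBasic'],
    'bad Digest'     => ['HttpDigest'],
];

foreach ($chains as $chainLabel => $chain) {
    foreach ($requests as $reqLabel => $seen) {
        $picked = pickMethodToAdvertise($chain, $seen) ?? '(nothing)';
        printf("%-22s %-16s -> %s\n", $chainLabel, $reqLabel, $picked);
    }
}
```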


### Release Activity

- Cadence: every ~184 days (recently: every ~368 days)
- Total releases: 16
- Last release: 123d ago

Major versions:

- 0.7.7 → 1.0.1 (2021-05-17)
- 1.0.1 → 2.0.0 (2021-12-30)
- 2.0.1 → 3.0.0 (2024-10-22)

PHP version history (2 changes):

- 0.1.0: PHP >=7.0
- 3.0.0: PHP >=8.0

