{"id":15027768,"url":"https://github.com/maicol07/oidc-client-php","last_synced_at":"2025-10-03T23:32:50.745Z","repository":{"id":44627789,"uuid":"384506285","full_name":"maicol07/oidc-client-php","owner":"maicol07","description":"PHP OpenID Connect client","archived":false,"fork":true,"pushed_at":"2024-11-02T14:01:02.000Z","size":484,"stargazers_count":5,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-03T02:47:42.904Z","etag":null,"topics":["oidc","oidc-client","oidc-provider","openid","openid-connect","php","php8","php81"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"JuliusPC/OpenID-Connect-PHP","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/maicol07.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":["maicol07"],"custom":["https://paypal.me/maicol072001/10eur"]}},"created_at":"2021-07-09T17:20:07.000Z","updated_at":"2024-12-01T16:09:41.000Z","dependencies_parsed_at":"2023-01-27T21:46:16.092Z","dependency_job_id":null,"html_url":"https://github.com/maicol07/oidc-client-php","commit_stats":null,"previous_names":[],"tags_count":35,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maicol07%2Foidc-client-php","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maicol07%2Foidc-client-php/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maicol07%2Foidc-client-php/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maicol07%2Foidc-client-php/manifests","owner_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/owners/maicol07","download_url":"https://codeload.github.com/maicol07/oidc-client-php/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235204448,"owners_count":18952326,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["oidc","oidc-client","oidc-provider","openid","openid-connect","php","php8","php81"],"created_at":"2024-09-24T20:07:01.116Z","updated_at":"2025-10-03T23:32:50.739Z","avatar_url":"https://github.com/maicol07.png","language":"PHP","readme":"# PHP OpenID Connect Basic Client\nA simple library that allows an application to authenticate a user through the basic OpenID Connect flow. 
This library\nhopes to encourage OpenID Connect use by making it simple enough for a developer with little knowledge of the OpenID\nConnect protocol to set up authentication.\n\n## Supported Specifications\n- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)\n- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) ([finding the issuer is missing](https://github.com/jumbojett/OpenID-Connect-PHP/issues/2))\n- [OpenID Connect RP-Initiated Logout 1.0 - draft 01](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)\n- [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)\n- [RFC 6749: The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)\n- [RFC 7009: OAuth 2.0 Token Revocation](https://tools.ietf.org/html/rfc7009)\n- [RFC 7636: Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)\n- [RFC 7662: OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)\n- [Draft: OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response](https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00)\n\n## Tested providers\n\u003e Note: This list is not exhaustive. Other generic OIDC providers should work as well.\nIf you have tested this library with a provider not listed here, please open a PR to add it to the list and add a test configuration (.run directory).\n\n| Provider | Is tested? | Notes                                                         |\n|----------|------------|---------------------------------------------------------------|\n| Keycloak | ✅          | Client authenticator must be set to \"Client id and secret\"    |\n| Casdoor  | ✅          | Code challenge must be set to S256 or PKCE should be disabled |\n\n## Requirements\n1. PHP 8.1+\n2. JSON extension\n3. MBString extension\n4. 
(Optional) Either the GMP or the BCMath extension to allow faster cipher key operations\n   (for JWT; see [here](https://web-token.spomky-labs.com/introduction/pre-requisite) for more information)\n\n## Install\nInstall using Composer:\n\n```bash\ncomposer require maicol07/oidc-client\n```\n\n## Examples\n### Example 1: Basic Client\nThis example uses the Authorization Code flow and will also use PKCE if the OpenID Provider announces it in its\nDiscovery document. If you are not sure which flow to choose, this one is the way to go. It is the most secure\nand versatile.\n\n```php\nuse Maicol07\\OpenIDConnect\\Client;\n\n$oidc = new Client(\n    provider_url: 'https://id.example.com',\n    client_id: 'ClientIDHere',\n    client_secret: 'ClientSecretHere',\n    redirect_uri: 'https://example.com/callback.php',\n);\n$oidc-\u003eauthenticate();\n$name = $oidc-\u003egetUserInfo()-\u003egiven_name;\n```\n[See OpenID Connect spec for available user attributes][1]\n\n### Example 2: Dynamic Registration\n```php\nuse Maicol07\\OpenIDConnect\\Client;\n\n$oidc = new Client(\n    provider_url: 'https://id.example.com',\n    redirect_uri: 'https://example.com/callback.php',\n    client_name: 'My Client',\n);\n\n$oidc-\u003eregister();\n[$client_id, $client_secret] = $oidc-\u003egetClientCredentials();\n\n// Be sure to add logic to store the client id and client secret\n```\n\n### Example 3: Network and Security\nYou should always use HTTPS for your application. 
If you are using a self-signed certificate, you can disable SSL\nverification by setting the `verify_ssl` property on the client to `false` and, if you have it, set a custom certificate in the `cert_path` property\n(this works only if `verify_ssl` is set to `false`).\n\nYou can also set up a proxy via the `http_proxy` property.\n\n```php\nuse Maicol07\\OpenIDConnect\\Client;\n\n$oidc = new Client(\n    provider_url: 'https://id.example.com',\n    client_id: 'ClientIDHere',\n    client_secret: 'ClientSecretHere',\n    redirect_uri: 'https://example.com/callback.php',\n    http_proxy: 'http://proxy.example.com:8080',\n    cert_path: 'path/to/cert.pem',\n    verify_ssl: false\n);\n```\n\n### Example 4: Implicit flow\n\u003e Reference: https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth\n\nThe implicit flow should be considered a legacy flow and should not be used if the authorization code grant can be used. Due to its\ndisadvantages and poor security, the implicit flow will be obsoleted with the upcoming OAuth 2.1 standard. 
See Example 1\nfor alternatives.\n\n```php\nuse Maicol07\\OpenIDConnect\\Client;\nuse Maicol07\\OpenIDConnect\\ResponseType;\n\n$oidc = new Client(\n    provider_url: 'https://id.example.com',\n    client_id: 'ClientIDHere',\n    client_secret: 'ClientSecretHere',\n    redirect_uri: 'https://example.com/callback.php',\n    response_type: ResponseType::ID_TOKEN,\n    allow_implicit_flow: true,\n);\n$oidc-\u003eauthenticate();\n$sub = $oidc-\u003egetUserInfo()-\u003esub;\n```\n\n### Example 5: Introspection of an access token\n\u003e Reference: https://tools.ietf.org/html/rfc7662\n\n```php\nuse Maicol07\\OpenIDConnect\\Client;\n\n$oidc = new Client(\n    provider_url: 'https://id.example.com',\n    client_id: 'ClientIDHere',\n    client_secret: 'ClientSecretHere',\n    redirect_uri: 'https://example.com/callback.php'\n);\n\n$data = $oidc-\u003eintrospectToken('an.access-token.as.given');\nif (!$data-\u003eget('active')) {\n    // the token is no longer usable\n}\n```\n\n### Example 6: PKCE Client\nPKCE is already configured and used in most scenarios in Example 1. This example shows you how to explicitly set the Code\nChallenge Method in the initial config. 
This enables PKCE in case your OpenID Provider doesn’t announce support for it\nin the discovery document, but supports it anyway.\n\n```php\nuse Maicol07\\OpenIDConnect\\Client;\nuse Maicol07\\OpenIDConnect\\CodeChallengeMethod;\n\n$oidc = new Client(\n    provider_url: 'https://id.example.com',\n    client_id: 'ClientIDHere',\n    client_secret: 'ClientSecretHere',\n    redirect_uri: 'https://example.com/callback.php',\n    // for some reason we want to set S256 explicitly as Code Challenge Method\n    // maybe your OP doesn’t announce support for PKCE in its discovery document.\n    code_challenge_method: CodeChallengeMethod::S256\n);\n\n$oidc-\u003eauthenticate();\n$name = $oidc-\u003egetUserInfo()-\u003egiven_name;\n```\n\n### Example 7: Token endpoint authentication method\nBy default, only `client_secret_basic` is enabled on the client side; for a long time it was the only supported method.\nRecently `client_secret_jwt` and `private_key_jwt` have been added, but they remain disabled until explicitly enabled.\n\n```php\nuse Maicol07\\OpenIDConnect\\Client;\nuse Maicol07\\OpenIDConnect\\TokenEndpointAuthMethod;\n\n$oidc = new Client(\n    provider_url: 'https://id.example.com',\n    client_id: 'ClientIDHere',\n    client_secret: 'ClientSecretHere',\n    redirect_uri: 'https://example.com/callback.php',\n    token_endpoint_auth_methods_supported: [\n        TokenEndpointAuthMethod::CLIENT_SECRET_BASIC,\n        TokenEndpointAuthMethod::CLIENT_SECRET_JWT,\n        TokenEndpointAuthMethod::PRIVATE_KEY_JWT,\n    ]\n);\n```\n\n**Note: A JWT generator is not included in this library yet.**\n\n## Development Environments\n\nSometimes you may need to disable SSL security on your development systems. You can do it by calling the `verify` method\nwith the `false` parameter. 
Note: This is not recommended on production systems.\n\n```php\nuse Maicol07\\OpenIDConnect\\Client;\n\n$oidc = new Client(\n    provider_url: 'https://id.example.com',\n    client_id: 'ClientIDHere',\n    client_secret: 'ClientSecretHere',\n    redirect_uri: 'https://example.com/callback.php',\n    verify_ssl: false\n);\n```\n\n## Testing\nTo run the tests, you need to have a running OpenID Connect provider.\n### Keycloak\n1. Run a Keycloak docker container\n   ```bash\n   docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:25.0.5 start-dev\n   ```\n2. Create a client with the following settings:\n   - Client ID: `oidc`\n   - Client authentication: ON\n   - Authorization: ON\n   - Authentication Flow: Standard Flow, Implicit Flow (if you want to test implicit flow), Direct Access Grants\n   - Client Secret: `oidc`\n   - Valid Redirect URIs: `http://localhost:9999/callback`\n   - Web Origins: `*`\n3. Go to the Credentials tab and copy the Secret\n4. Tweak the PhpStorm Run configuration with your settings.\n\n\n### Todo\n- Dynamic registration does not support registration auth tokens and endpoints\n\n## Contributing\n- Issues and pull requests are welcome.\n\n[1]: https://openid.net/specs/openid-connect-basic-1_0-15.html#id_res\n","funding_links":["https://github.com/sponsors/maicol07","https://paypal.me/maicol072001/10eur"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaicol07%2Foidc-client-php","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmaicol07%2Foidc-client-php","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaicol07%2Foidc-client-php/lists"}