Download the PHP package hvatum/oauth2-openid-connect-client without Composer

On this page you can find all versions of the php package hvatum/oauth2-openid-connect-client. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, add a single include, require_once('vendor/autoload.php');, and then import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries, because an application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case, credentials are needed to access them. If a package comes from a private repository, use the auth.json textarea to insert the credentials.

  • Some hosting environments cannot be reached by terminal or SSH, so Composer cannot be used there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources, which are sometimes not available on simple web space.
  • If you are using private repositories, you don't need to share your credentials. You can set up everything on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as a binary. This makes your build process faster, and you don't need to expose your credentials for private repositories.

Information about the package oauth2-openid-connect-client

OpenID Connect Client for The PHP League OAuth2 Client

A generic OpenID Connect provider for The PHP League's OAuth2 Client, with built-in support for modern OAuth 2.0 security features:

Disclaimer

OAuth2 and its related standards are complex topics to understand and to get right. This library strives to be correct but mistakes can be made. There is NO WARRANTY, use at your own risk, and please leave a bug report or a pull request if you find something that seems off.

Requirements

Installation

Basic Usage

The simplest setup — just point to the issuer:

All endpoints (authorization, token, userinfo, JWKS, PAR) are automatically discovered from {issuer}/.well-known/openid-configuration.

Authorization Code Flow

Advanced Usage

Private Key JWT Authentication (RFC 7523)

Use private_key_jwt instead of client_secret for client authentication:

Supports EC (ES256/ES384/ES512) and RSA (RS256/RS384/RS512, PS256/PS384/PS512) keys in both PEM and JWK formats.
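What a private_key_jwt client assertion looks like on the wire, as an added example that is not the package's own code. It uses only ext-openssl; buildClientAssertion(), the client id, key id and endpoint URLs are hypothetical, and RS256 is chosen from the algorithms listed above.

```php
<?php
declare(strict_types=1);

function b64url(string $b): string { return rtrim(strtr(base64_encode($b), '+/', '-_'), '='); }

/**
 * Build an RFC 7523 client assertion signed with RS256 (RSASSA-PKCS1-v1_5 + SHA-256).
 * Hypothetical helper for illustration.
 */
function buildClientAssertion(
    string $clientId,
    string $audience,
    OpenSSLAsymmetricKey $key,
    string $kid,
    int $now
): string {
    $header = ['alg' => 'RS256', 'typ' => 'JWT', 'kid' => $kid];
    $claims = [
        'iss' => $clientId,                  // issuer and subject are both the client itself
        'sub' => $clientId,
        'aud' => $audience,                  // identifies the authorization server
        'jti' => bin2hex(random_bytes(16)),  // unique id so the server can reject replays
        'iat' => $now,
        'exp' => $now + 60,                  // short lifetime limits the value of a leaked assertion
    ];
    $flags = JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES;
    $input = b64url(json_encode($header, $flags)) . '.' . b64url(json_encode($claims, $flags));
    if (!openssl_sign($input, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    return $input . '.' . b64url($signature);
}

// Constructed demo: throwaway key and placeholder identifiers.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
if ($key === false) {
    throw new RuntimeException('Key generation failed: ' . openssl_error_string());
}
$assertion = buildClientAssertion('demo-client', 'https://idp.example/token', $key, 'demo-key-1', time());

// Token request fields: the assertion takes the place of client_secret.
echo http_build_query([
    'grant_type'            => 'authorization_code',
    'code'                  => 'CODE_FROM_CALLBACK',
    'redirect_uri'          => 'https://app.example/callback',
    'client_id'             => 'demo-client',
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion'      => $assertion,
]), PHP_EOL;
```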

Loading keys from environment variables

For 12-factor / Kubernetes-style deployments where the key is injected via an environment variable rather than mounted on disk, use privateKey to pass the raw PEM or JWK JSON content directly:

privateKey (raw content) and privateKeyPath (filesystem path) are mutually exclusive — setting both throws an InvalidArgumentException at construction. An empty string is treated as unset, so an unset env var bound to '' falls back to a configured privateKeyPath rather than silently disabling client assertion.
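The contract described above, sketched as a stand-alone function. This is an added example, not the package's implementation: resolveKeyMaterial() and the OIDC_DEMO_UNSET_KEY variable are hypothetical, and the PEM string is a constructed placeholder.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper mirroring the documented privateKey / privateKeyPath rules.
 *
 * @return array{format: string, content: string}|null null when no key is configured
 */
function resolveKeyMaterial(string|false|null $raw, ?string $path): ?array
{
    // getenv() returns false for a missing variable, and container tooling often
    // binds an unset variable to ''. Both are treated as "not set".
    if ($raw === false || $raw === '') {
        $raw = null;
    }
    if ($raw !== null && $path !== null) {
        throw new InvalidArgumentException('privateKey and privateKeyPath are mutually exclusive');
    }
    if ($raw === null && $path === null) {
        return null;
    }
    if ($raw === null) {
        // Only the path is configured: read the key from disk.
        $raw = is_readable($path) ? file_get_contents($path) : false;
        if ($raw === false) {
            throw new InvalidArgumentException("Cannot read key file: {$path}");
        }
    }
    $content = trim($raw);
    if (str_starts_with($content, '{')) {
        // JWK is a JSON object and must at least name its key type.
        $jwk = json_decode($content, true, 16, JSON_THROW_ON_ERROR);
        if (!is_array($jwk) || !isset($jwk['kty'])) {
            throw new InvalidArgumentException('JWK is missing the kty member');
        }
        return ['format' => 'jwk', 'content' => $content];
    }
    if (str_starts_with($content, '-----BEGIN ')) {
        return ['format' => 'pem', 'content' => $content];
    }
    throw new InvalidArgumentException('Key is neither PEM nor JWK JSON');
}

// Constructed demo: an undefined env var, then a placeholder PEM passed as raw content.
$pem = "-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n";
var_dump(resolveKeyMaterial(getenv('OIDC_DEMO_UNSET_KEY'), null));
var_dump(resolveKeyMaterial($pem, null)['format']);
```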

DPoP Token Binding (RFC 9449)

Bind access tokens to a cryptographic key pair to prevent token theft:

DPoP keys follow the same contract as privateKey / privateKeyPath: dpopPrivateKey and dpopPublicKey accept raw PEM/JWK content for env-var deployments, while dpopPrivateKeyPath and dpopPublicKeyPath accept filesystem paths. Each *Key option is mutually exclusive with its *KeyPath counterpart. The public key may be omitted entirely — it is derived from the private key.
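To show what the binding consists of, the following added example (not the package's code) builds an RFC 9449 DPoP proof with ES256 and computes the RFC 7638 thumbprint of the public key, which is the value a DPoP-bound token is tied to. All function names and the endpoint URL are hypothetical; only ext-openssl is used.

```php
<?php
declare(strict_types=1);
function b64url(string $b): string { return rtrim(strtr(base64_encode($b), '+/', '-_'), '='); }

/** Public JWK derived from the private key; coordinates are left-padded to 32 bytes. */
function publicJwk(OpenSSLAsymmetricKey $key): array
{
    $ec = openssl_pkey_get_details($key)['ec'];
    return ['kty' => 'EC', 'crv' => 'P-256',
        'x' => b64url(str_pad($ec['x'], 32, "\0", STR_PAD_LEFT)),
        'y' => b64url(str_pad($ec['y'], 32, "\0", STR_PAD_LEFT))];
}

/** RFC 7638 thumbprint: required members only, sorted by name, no whitespace. */
function jwkThumbprint(array $jwk): string
{
    $canonical = ['crv' => $jwk['crv'], 'kty' => $jwk['kty'], 'x' => $jwk['x'], 'y' => $jwk['y']];
    return b64url(hash('sha256', json_encode($canonical, JSON_THROW_ON_ERROR), true));
}

/** OpenSSL emits DER SEQUENCE{INTEGER r, INTEGER s}; JWS ES256 needs fixed-width r||s. */
function derToRaw(string $der, int $size = 32): string
{
    $pos = 2; // skip the SEQUENCE tag and its length byte (always short form for P-256)
    $raw = '';
    for ($i = 0; $i < 2; $i++) {
        $len = ord($der[$pos + 1]);
        $raw .= str_pad(ltrim(substr($der, $pos + 2, $len), "\0"), $size, "\0", STR_PAD_LEFT);
        $pos += 2 + $len;
    }
    return $raw;
}

function buildDpopProof(OpenSSLAsymmetricKey $key, string $htm, string $htu, ?string $accessToken = null): string
{
    $header = ['typ' => 'dpop+jwt', 'alg' => 'ES256', 'jwk' => publicJwk($key)];
    // htu is the request URL without query or fragment; jti makes each proof single-use.
    $claims = ['jti' => bin2hex(random_bytes(16)), 'htm' => $htm, 'htu' => $htu, 'iat' => time()];
    if ($accessToken !== null) {
        $claims['ath'] = b64url(hash('sha256', $accessToken, true)); // ties the proof to this token
    }
    $flags = JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES;
    $input = b64url(json_encode($header, $flags)) . '.' . b64url(json_encode($claims, $flags));
    openssl_sign($input, $der, $key, OPENSSL_ALGO_SHA256) || throw new RuntimeException('sign failed');
    return $input . '.' . b64url(derToRaw($der));
}

// Constructed demo: throwaway key, placeholder endpoint.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
echo 'DPoP: ', buildDpopProof($key, 'POST', 'https://idp.example/token'), PHP_EOL;
echo 'jkt:  ', jwkThumbprint(publicJwk($key)), PHP_EOL;
```

A stolen access token is of no use without the private key, because every request must carry a fresh proof signed by the key whose thumbprint the token was bound to.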

ID Token Validation

ID tokens are automatically validated when fetching resource owner details. You can also validate manually:

Validates: signature (ES256/384/512, RS256/384/512, PS256/384/512), issuer, audience, expiration, nonce, and more.
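The claim checks named above, written out as an added example following OpenID Connect Core section 3.1.3.7. It is not the package's validator: checkIdTokenClaims() is hypothetical, the claim sets are constructed, and signature verification against the JWKS is assumed to have happened already.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical claim validator for an ID token whose signature is already verified.
 *
 * @return string[] list of failures; an empty list means the claims are acceptable
 */
function checkIdTokenClaims(
    array $claims,
    string $issuer,
    string $clientId,
    string $expectedNonce,
    int $now,
    int $leeway = 60
): array {
    $errors = [];
    if (($claims['iss'] ?? null) !== $issuer) {
        $errors[] = 'iss does not match the configured issuer';
    }
    $aud = (array) ($claims['aud'] ?? []);   // aud may be a single string or a list
    if (!in_array($clientId, $aud, true)) {
        $errors[] = 'aud does not contain this client_id';
    }
    if (count($aud) > 1 && ($claims['azp'] ?? null) !== $clientId) {
        $errors[] = 'multi-audience token without a matching azp';
    }
    if (!is_int($claims['exp'] ?? null) || $claims['exp'] + $leeway <= $now) {
        $errors[] = 'token is expired or has no exp';
    }
    if (is_int($claims['iat'] ?? null) && $claims['iat'] - $leeway > $now) {
        $errors[] = 'iat lies in the future';
    }
    // The nonce ties the token to the authorization request this session started.
    if (!is_string($claims['nonce'] ?? null) || !hash_equals($expectedNonce, $claims['nonce'])) {
        $errors[] = 'nonce mismatch';
    }
    return $errors;
}

// Constructed claim sets: one acceptable, one issued for several audiences with a stale nonce.
$now  = 1700000000;
$good = ['iss' => 'https://idp.example', 'aud' => 'demo-client', 'exp' => $now + 300,
         'iat' => $now - 5, 'nonce' => 'n-abc123'];
$bad  = ['iss' => 'https://idp.example', 'aud' => ['demo-client', 'other-api'],
         'exp' => $now - 3600, 'iat' => $now - 7200, 'nonce' => 'n-from-another-session'];

print_r(checkIdTokenClaims($good, 'https://idp.example', 'demo-client', 'n-abc123', $now));
print_r(checkIdTokenClaims($bad, 'https://idp.example', 'demo-client', 'n-abc123', $now));
```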

Caching

Well-known configuration and JWKS keys are cached using PSR-16 (SimpleCache). TTL is managed by the cache implementation, so expiry works correctly across PHP-FPM requests.

By default, a built-in filesystem cache is used. You can customize the directory and TTLs:

Or provide your own PSR-16 cache implementation (e.g. Redis, Memcached):

PSR-3 Logging

Pass a PSR-3 logger for debug output:

Key Generation

EC Key Pair (for DPoP or client assertion)

RSA Key Pair (for client assertion)

Extending for Specific Providers

This package is designed to be extended for provider-specific requirements:

Some authorization servers require the client assertion aud claim to be the issuer URL instead of the token endpoint (the default per RFC 7523 §3). Override getClientAssertionAudience():

Authorization Details (RFC 9396) and Profile Hooks

By default, authorization_details follows RFC 9396 parameter transport:

If a provider profile requires embedding authorization_details in client_assertion, override these hooks:

Supported RFCs

| RFC | Feature | Status |
|---|---|---|
| RFC 6749 | OAuth 2.0 Authorization Framework | Supported (via League) |
| RFC 7517 | JSON Web Key (JWK) | Supported |
| RFC 7523 | JWT Bearer Client Authentication | Supported |
| RFC 7636 | PKCE (S256) | Supported |
| RFC 7638 | JWK Thumbprint | Supported |
| RFC 9126 | Pushed Authorization Requests (PAR) | Supported |
| RFC 9207 | Authorization Server Issuer Identification | Supported |
| RFC 9396 | Rich Authorization Requests | Supported |
| RFC 9449 | DPoP (Demonstrating Proof of Possession) | Supported |

License

MIT License. See LICENSE for details.


All versions of oauth2-openid-connect-client with dependencies

Requires:

  • php ^8.2
  • ext-json *
  • ext-openssl *
  • league/oauth2-client ^2.7
  • psr/log ^3.0
  • psr/simple-cache ^3.0
  • web-token/jwt-library ^4.1
