Download the PHP package jeffersongoncalves/laravel-oidc without Composer
On this page you can find all versions of the php package jeffersongoncalves/laravel-oidc. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download jeffersongoncalves/laravel-oidc
More information about jeffersongoncalves/laravel-oidc
Files in jeffersongoncalves/laravel-oidc
Package laravel-oidc
Short Description OpenID Connect for Laravel via a custom Socialite driver. Multi-tenant ready.
License MIT
Homepage https://github.com/jeffersongoncalves/laravel-oidc
Informations about the package laravel-oidc
Laravel OIDC
Laravel OIDC adds first-class OpenID Connect support to Laravel by registering a custom
Laravel Socialite driver named oidc. Unlike vanilla
Socialite — which covers OAuth 2.0 but stops at the userinfo step — this package implements
the OIDC pieces Socialite leaves out: discovery (/.well-known/openid-configuration),
JWKS-based id_token validation, nonce-based replay protection, and PKCE.
It is designed for multi-tenant SaaS: configuration is supplied at runtime, so each tenant can connect its own Azure AD, Okta, Auth0, Google Workspace, Keycloak, or any other spec-compliant OpenID Provider.
Compatibility
| Package | Laravel | PHP |
|---|---|---|
| 1.x | 11.x, 12.x, 13.x | 8.2, 8.3, 8.4 |
Why?
Laravel Socialite ships drivers for fixed providers (GitHub, Google, etc.) and a small set of OAuth 2.0 helpers. It does not:
- Read the IdP's
.well-known/openid-configurationdiscovery document. - Validate the
id_tokenJWT against the IdP's JWKS. - Send and verify a
nonceto mitigate replay attacks. - Make per-request configuration easy in multi-tenant scenarios.
This package adds those pieces while staying inside the Socialite mental model: you still
call Socialite::driver('oidc')->redirect() and ->user().
Installation
Optionally publish the config file:
Configuration
The package works out of the box. For single-tenant apps, set the default IdP in .env:
For multi-tenant apps, leave the default block empty and supply an OidcConfig at runtime
(see below).
Usage
Single-tenant (config from .env)
Multi-tenant (runtime config)
On callback:
HasOidcConfig trait for tenant models
If you store IdP configuration on a model (a typical multi-tenant pattern), drop in the
trait. It expects columns issuer_url, client_id, client_secret (cast to encrypted),
redirect_uri, and an optional scopes JSON column.
Discovery without Socialite
Supported Identity Providers
Any IdP that publishes a .well-known/openid-configuration discovery document and signs
id_tokens with one of the allowed algorithms (RS256, RS384, RS512, ES256, ES384)
will work. Examples:
| IdP | Issuer URL example |
|---|---|
| Azure AD / Entra ID | https://login.microsoftonline.com/{tenant-id}/v2.0 |
| Google Workspace | https://accounts.google.com |
| Okta | https://{your-org}.okta.com |
| Auth0 | https://{your-tenant}.auth0.com/ |
| Keycloak | https://{host}/realms/{realm} |
| Ping Identity | https://{environment}.pingone.com/{environment-id}/as |
Security
id_tokenvalidation. Everyid_tokenis decoded against the IdP's JWKS usingfirebase/php-jwt. Theiss,aud,exp, andiatclaims are checked, with a configurable clock-skew window.- Algorithm allow-list. Only the algorithms in
oidc.jwt.allowed_algorithmsare accepted. Symmetric algorithms (HS256& friends) are intentionally absent — accepting them with a JWKS would enable trivial key-confusion attacks. - Replay protection. A random
nonceis generated, stored in the session, and verified against thenonceclaim in the returnedid_token. - PKCE. Enabled by default with
S256. Disable per request withnew OidcConfig(..., usePkce: false). - Caching. The discovery document is cached for 1 hour and the JWKS for 6 hours by
default; both TTLs are configurable. Use
Oidc::clearCache($issuer)to invalidate after a key rotation.
Testing
Changelog
Please see CHANGELOG for more information on what has changed recently.
Contributing
Pull requests are welcome. Please make sure tests, PHPStan and Pint all pass before opening a PR:
Security Vulnerabilities
Please review our security policy on how to report security vulnerabilities.
Credits
- Jefferson Gonçalves
- All Contributors
License
The MIT License (MIT). Please see License File for more information.
All versions of laravel-oidc with dependencies
firebase/php-jwt Version ^6.10|^7.0
guzzlehttp/guzzle Version ^7.8
illuminate/contracts Version ^11.0|^12.0|^13.0
illuminate/support Version ^11.0|^12.0|^13.0
laravel/socialite Version ^5.10
spatie/laravel-package-tools Version ^1.16