Download the PHP package stromcom/auth-client without Composer

On this page you can find all versions of the php package stromcom/auth-client. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package auth-client

stromcom/auth-client

Official PHP client for the STROMCOM SSO server (auth.stromcom.cz). Implements OAuth 2.0 Authorization Code + PKCE, Client Credentials, JWT verification via JWKS with caching, UserInfo and logout. No framework dependencies, zero external JWT libraries.

Status: stable. Strict RFC 9068 for access tokens (typ=at+jwt, required claims iss, exp, aud, sub, client_id, iat, jti) and OIDC Core 1.0 §3.1.3.7 for id_tokens (audience, azp, nonce binding).
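The access-token checks named above, written out as an added example (not the package's own code or API). The function name and the sample audience and client id are hypothetical, the 30-second leeway is the default from the Configuration table, and the signature is assumed to be verified already.

```php
<?php
declare(strict_types=1);
/**
 * Claim checks for an RFC 9068 access token whose signature is already verified.
 * Hypothetical helper, not the package's API. Returns failures; empty means accept.
 */
function checkAccessTokenClaims(
    array $header, array $claims, string $issuer, string $audience,
    int $now, int $leeway = 30
): array {
    $errors = [];
    // An id_token (typ "JWT") must never pass as an access token.
    if (!in_array($header['typ'] ?? null, ['at+jwt', 'application/at+jwt'], true)) {
        $errors[] = 'typ';
    }
    // Required claims as listed on the page; absence is a hard failure.
    foreach (['iss', 'exp', 'aud', 'sub', 'client_id', 'iat', 'jti'] as $name) {
        if (!array_key_exists($name, $claims)) {
            $errors[] = "missing:$name";
        }
    }
    if ($errors !== []) {
        return $errors;
    }
    if ($claims['iss'] !== $issuer) {
        $errors[] = 'iss';
    }
    // aud may be a single string or an array of strings.
    if (!in_array($audience, (array) $claims['aud'], true)) {
        $errors[] = 'aud';
    }
    // Leeway absorbs clock skew in both directions; non-integer timestamps are rejected.
    if (!is_int($claims['exp']) || $now >= $claims['exp'] + $leeway) {
        $errors[] = 'exp';
    }
    if (!is_int($claims['iat']) || $claims['iat'] > $now + $leeway) {
        $errors[] = 'iat';
    }
    return $errors;
}

// Constructed sample: valid claims, checked once with an id_token header and once with at+jwt.
$claims = [
    'iss' => 'https://auth.stromcom.cz', 'aud' => ['https://api.example.test'],
    'sub' => 'user-1', 'client_id' => 'cli_example', 'jti' => 'jti-1',
    'iat' => 1700000000, 'exp' => 1700000600,
];
print_r(checkAccessTokenClaims(['typ' => 'JWT'], $claims, 'https://auth.stromcom.cz', 'https://api.example.test', 1700000100));
print_r(checkAccessTokenClaims(['typ' => 'at+jwt'], $claims, 'https://auth.stromcom.cz', 'https://api.example.test', 1700000100));
```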

Default issuer points to https://auth.stromcom.cz. For local development against a dev auth server, override issuer accordingly.


Installation

Requirements: PHP 8.3+, ext-curl, ext-json, ext-openssl.

Runtime dependencies: lcobucci/jwt (and its transitive psr/clock). That's it — no Guzzle, no PSR-7, no framework integration. JWT parsing, signature verification and temporal-claim checks go through lcobucci/jwt; JWKS fetching, caching, key-rotation orchestration and the OAuth grant flows are in-house.


Quickstart

Web application — user login

Full walkthrough: docs/auth-code-flow.md.

Service account — machine-to-machine

For long-running processes, cache the token until it nears expiry — see examples/service-account-cached.php. Full walkthrough: docs/service-account.md.

Refresh

Logout

Logout clears the SSO session cookie on auth.stromcom.cz. Tokens you already issued remain valid until their exp — clear your own cookies too.


Claims — object API

$auth->verify($jwt, $expectedAudience) returns a Claims value object. Don't dig into the raw payload — use the rich API:

Full reference: docs/jwt-verification.md.


Configuration

| Parameter | Default | Description |
|---|---|---|
| clientId | (required) | cli_… / svc_… issued in the admin UI |
| clientSecret | null | Required for confidential clients & client_credentials |
| redirectUri | null | Required for authorization_code |
| issuer | https://auth.stromcom.cz | Server base URL — for local dev use http://localhost:8003 |
| defaultScopes | ['openid','profile','email','groups'] | Used when beginAuthorization() is called without $scopes |
| timeout | 10 | HTTP timeout in seconds |
| jwksTtl | 3600 | JWKS cache TTL in seconds |
| leeway | 30 | JWT clock-skew tolerance in seconds |
| userAgent | stromcom-auth-client-php/1.0 | Sent on every outbound request |

Endpoints are derived from issuer. To override (rare — e.g. a reverse proxy), pass authorizationEndpoint, tokenEndpoint, userInfoEndpoint, logoutEndpoint, jwksUri explicitly.


JWKS caching

The server publishes Cache-Control: max-age=3600 on /.well-known/jwks.json. The verifier caches the document so per-request verification does not call the auth server. Pick the backend that matches your runtime:

| Backend | Use it for |
|---|---|
| InMemoryJwksCache | Per-process. CLI scripts. Long-running workers (RoadRunner). |
| ApcuJwksCache | AWS Lambda (Bref) + any PHP-FPM — shared memory, fastest |
| FileJwksCache | Single-host without APCu (rare) |

Implement JwksCacheInterface for Redis/Memcached/PSR-16 backends. On kid miss the cache is invalidated and re-fetched once automatically — that's how key rotation works without restart.
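The refetch-once behaviour on a kid miss, sketched as an added example (not the package's code; it does not implement JwksCacheInterface). The class name, the $fetch callable standing in for the HTTP GET of /.well-known/jwks.json, and the $minRefetchGap throttle are assumptions; the throttle goes beyond what the page describes and keeps tokens with made-up kid values from forcing a fetch on every request.

```php
<?php
declare(strict_types=1);
/**
 * Resolves a JWK by kid from a cached JWKS document.
 * Hypothetical class for illustration; times are passed in so the logic is testable.
 */
final class JwksKeyResolver
{
    private ?array $keys = null;   // kid => JWK, null until the first fetch
    private int $fetchedAt = 0;
    public int $fetches = 0;       // counter for the demonstration below

    public function __construct(
        private \Closure $fetch,           // returns the decoded JWKS document
        private int $ttl = 3600,           // jwksTtl default from the page
        private int $minRefetchGap = 60,   // assumption, not a documented option
    ) {}

    public function resolve(string $kid, int $now): ?array
    {
        if ($this->keys === null || $now - $this->fetchedAt >= $this->ttl) {
            $this->refresh($now);
        } elseif (!isset($this->keys[$kid]) && $now - $this->fetchedAt >= $this->minRefetchGap) {
            // Unknown kid on a fresh cache: the server may have rotated keys.
            // Re-fetch once; if the kid is still absent the token is rejected.
            $this->refresh($now);
        }
        return $this->keys[$kid] ?? null;
    }

    private function refresh(int $now): void
    {
        $this->fetches++;
        $this->keys = [];
        foreach (($this->fetch)()['keys'] ?? [] as $jwk) {
            if (isset($jwk['kid'])) {
                $this->keys[(string) $jwk['kid']] = $jwk;
            }
        }
        $this->fetchedAt = $now;
    }
}

// Constructed sample: the server rotates from key "k1" to "k2" between fetches.
$docs = [['keys' => [['kid' => 'k1', 'kty' => 'RSA']]], ['keys' => [['kid' => 'k2', 'kty' => 'RSA']]]];
$resolver = new JwksKeyResolver(function () use (&$docs): array {
    return count($docs) > 1 ? array_shift($docs) : $docs[0];
});
// Known kid, rotated kid (one refetch), unknown kid inside the gap (no refetch), fetch count.
var_dump($resolver->resolve('k1', 1000) !== null, $resolver->resolve('k2', 1100) !== null, $resolver->resolve('bogus', 1110), $resolver->fetches);
```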


Exceptions

| Class | When |
|---|---|
| ConfigurationException | Missing required field in Configuration |
| TransportException | Network failure (cURL error, DNS, TLS, timeout) |
| OAuthServerException | Auth server returned an error (e.g. invalid_grant, invalid_client). |
| TokenVerificationException | JWT signature / iss / aud / exp / typ / required-claim / nonce validation failed |
| AuthorizationException | Missing role / group / scope, wrong token_use |
| AuthClientException | Base — catch this for anything thrown by the SDK |

Full mapping with retry guidance: docs/error-handling.md.


Examples

| File | Demonstrates |
|---|---|
| examples/web-app-callback.php | Full auth-code+PKCE flow (login / callback / api / logout) |
| examples/service-token.php | M2M client_credentials, one-shot |
| examples/service-account-cached.php | M2M with token caching for long-running workers |
| examples/verify-token.php | Resource-server style: verify Bearer JWT on inbound requests |
| examples/psr15-middleware.php | Reusable PSR-15 middleware for any PSR-15 framework |
| examples/lambda-handler.php | AWS Lambda (Bref) handler with APCu-backed JWKS cache |
| examples/scope-authorization.php | Scope/role-based access control patterns |
| examples/smoke.php | End-to-end smoke against a running auth server |

Local development against a dev auth server


Testing

Unit tests use no network and no live auth server. To smoke-test the wire protocol against a running server, run examples/smoke.php with valid credentials in env.


Further reading

For contributors and AI assistants working on this package: CLAUDE.md.


License

MIT. See LICENSE.


All versions of auth-client with dependencies

| Requires | Version |
|---|---|
| php | ^8.3 |
| ext-curl | * |
| ext-json | * |
| ext-openssl | * |
| lcobucci/jwt | ^5.5 |