digitalcz/openid-connect

PHP implementation of OpenID Connect using symfony/contracts

Maintainers

Details

github.com/digitalcz/openid-connect

Homepage

Source

Issues

Installs: 15 966

Dependents: 0

Suggesters: 0

Security: 0

Stars: 4

Watchers: 2

Forks: 1

Open Issues: 7

v1.1.0 2025-09-22 14:04 UTC

Requires

Requires (Dev)

MIT 2284742311a11ba5d86617d29abee9bb08897fe1

symfonyphpOpenIdOpenID Connectoidc

This package is auto-updated.

Last update: 2025-09-23 12:02:40 UTC

README

Latest Stable Version Total Downloads Latest Unstable Version License PHP Version Require CI codecov

PHP implementation of OpenID Connect using symfony/contracts

Install

Via Composer

$ composer require digitalcz/openid-connect

Usage

Initialization

Using the OIDC discovery endpoint

use DigitalCz\OpenIDConnect\OidcFactory;
use Symfony\Component\HttpClient\HttpClient;

$httpClient = HttpClient::create();

$oidc = OidcFactory::create(
    httpClient: $httpClient,
    issuer: 'https://auth.example.com',
    clientId: 'my-client-id',
    clientSecret: 'my-client-secret',
    redirectUri: 'https://myapp.example.com/callback',
);
Using manual issuer configuration 
use DigitalCz\OpenIDConnect\OidcFactory;
use DigitalCz\OpenIDConnect\Config\IssuerMetadata;
use Symfony\Component\HttpClient\HttpClient;

$httpClient = HttpClient::create();

$issuerMetadata = new IssuerMetadata([
    'authorization_endpoint' => 'https://auth.example.com/authorize',
    'token_endpoint' => 'https://auth.example.com/token',
    'jwks_uri' => 'https://auth.example.com/.well-known/jwks.json',
    'issuer' => 'https://auth.example.com',
]);

$oidc = OidcFactory::create(
    httpClient: $httpClient,
    issuer: $issuerMetadata,
    clientId: 'my-client-id',
    clientSecret: 'my-client-secret',
    redirectUri: 'https://myapp.example.com/callback',
);

Configuration Options

The OidcFactory::create() method accepts the following configuration options:

Parameter Type Required Default Description
httpClient HttpClientInterface - HTTP client for making requests
issuer string|array|IssuerMetadata - Issuer URL for discovery, metadata array, or IssuerMetadata instance
clientId string - OAuth2/OIDC client identifier
clientSecret string|null - null OAuth2/OIDC client secret (required for some authentication methods)
redirectUri string|null - null Redirect URI for authorization code flow
defaultScopes string|array - ['openid', 'profile', 'email'] Default scopes to request (space-separated string or array)
authenticationMethod string|AuthenticationMethod - client_secret_post Client authentication method for token endpoint
pkceMethod string|PkceMethod - S256 PKCE method for authorization code flow (S256, plain, or none)
cache CacheInterface|null - null Optional cache for storing discovery metadata and JWKS
clock ClockInterface - SimpleClock Clock implementation for time-based operations
cacheSecret string - 'default-oidc-cache-secret' Secret used for HMAC-based cache key generation
privateKey string|null - null PEM-encoded private key for private_key_jwt authentication
privateKeyJwk JWK|null - null JWK private key for private_key_jwt authentication (alternative to privateKey)
tokenEndpointAuthSigningAlg string|null - null Signature algorithm for client assertion JWT (e.g., 'HS256', 'RS256')
clientAssertionAudience string|null - null Audience claim for client assertion JWT. Special values: '{issuer}', '{token_endpoint}', or custom URL

Authentication Methods

  • client_secret_post - Send client credentials in POST body
  • client_secret_basic - Send client credentials in Authorization header
  • client_secret_jwt - Use JWT signed with client secret
  • private_key_jwt - Use JWT signed with private key
  • none - No client authentication (public clients)

Authorization Code flow

Step 1 - Redirect the user to authorization endpoint

$authorizationCode = $oidc->authorizationCode();

$url = $authorizationCode->createAuthorizationUrl([
    'state' => 'random-state',
    'nonce' => 'random-nonce'
]);

// Redirect user to $url

Step 2 - Handle the callback and exchange code for tokens

// Get the authorization code from the callback URL
$code = $_GET['code'];
$nonce = 'random-nonce'; // Same nonce used in step 1

$tokens = $authorizationCode->fetchTokens($code, $nonce);

echo "Access Token: " . $tokens->accessToken() . PHP_EOL;
echo "ID Token: " . $tokens->idToken() . PHP_EOL;
echo "Refresh Token: " . $tokens->refreshToken() . PHP_EOL;

Client Credentials flow

$clientCredentials = $oidc->clientCredentials();
$tokens = $clientCredentials->fetchTokens();

echo "Access Token: " . $tokens->accessToken() . PHP_EOL;

Resource Server (Token Validation)

use DigitalCz\OpenIDConnect\ResourceServer\JwtAccessToken;
use DigitalCz\OpenIDConnect\ResourceServer\OpaqueAccessToken;
use DigitalCz\OpenIDConnect\Util\JWT;

$resourceServer = $oidc->resourceServer();

$accessToken = new JwtAccessToken($jwt);
$validatedToken = $resourceServer->introspect($accessToken);

echo "Token is valid for subject: " . $validatedToken->sub() . PHP_EOL;
echo "Token expires at: " . date('Y-m-d H:i:s', $validatedToken->exp()) . PHP_EOL;

See examples for more complete examples

Testing

$ composer csfix    # fix codestyle
$ composer checks   # run all checks 

# or separately
$ composer tests    # run phpunit
$ composer phpstan  # run phpstan
$ composer cs       # run codesniffer

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email devs@digital.cz instead of using the issue tracker.

Credits

License

The MIT License (MIT). Please see License File for more information.