thephpleague/oauth2-server
Stars: 6363
Forks: 1131
Pull Requests: 662
Issues: 707
Watchers: 217
Last Updated: 2023-09-07 09:54:39
A spec compliant, secure by default PHP OAuth 2.0 Server
License: MIT License
Languages: PHP
PHP OAuth 2.0 Server
league/oauth2-server is a standards compliant implementation of an OAuth 2.0 authorization server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
Out of the box it supports the following grants:
- Authorization code grant
- Implicit grant
- Client credentials grant
- Resource owner password credentials grant
- Refresh grant
The following RFCs are implemented:
- RFC6749 "OAuth 2.0"
- RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"
- RFC7519 "JSON Web Token (JWT)"
- RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"
This library was created by Alex Bilbie. Find him on Twitter at @alexbilbie.
Requirements
The latest version of this package supports the following versions of PHP:
- PHP 8.0
- PHP 8.1
- PHP 8.2
The openssl and json extensions are also required.
All HTTP messages passed to the server should be PSR-7 compliant. This ensures interoperability with other packages and frameworks.
Installation
composer require league/oauth2-server
Documentation
The library documentation can be found at https://oauth2.thephpleague.com. You can contribute to the documentation in the gh-pages branch.
Testing
The library uses PHPUnit for unit tests.
vendor/bin/phpunit
Continuous Integration
We use Github Actions, Scrutinizer, and StyleCI for continuous integration. Check out our configuration files if you'd like to know more.
Community Integrations
- Drupal
- Laravel Passport
- OAuth 2 Server for CakePHP 3
- OAuth 2 Server for Mezzio
- OAuth 2 Server Bundle (Symfony)
- Heimdall for CodeIgniter 4
Changelog
See the project changelog
Contributing
Contributions are always welcome. Please see CONTRIBUTING.md and CODE_OF_CONDUCT.md for details.
Support
Bugs and feature request are tracked on GitHub.
If you have any questions about OAuth please open a ticket here; please don't email the address below.
Security
If you discover any security related issues, please email [email protected] instead of using the issue tracker.
License
This package is released under the MIT License. See the bundled LICENSE file for details.
Credits
This code is principally developed and maintained by Andy Millington.
Between 2012 and 2017 this library was developed and maintained by Alex Bilbie.
PHP OAuth 2.0 Server is one of many packages provided by The PHP League. To find out more, please visit our website.
Special thanks to all of these awesome contributors.
Additional thanks go to the Mozilla Secure Open Source Fund for funding a security audit of this library.
The initial code was developed as part of the Linkey project which was funded by JISC under the Access and Identity Management programme.
OPEN ISSUES
See all- OpenID Connect by @davidsteinsland
- Support for JWT Bearer Grant Type by @Perni1984
- Support assertions for client authentication by @alexbilbie
- Missing documentation: Custom grants by @pdrosos
- In AuthorizationServer class, grants are keyed by identifier, which also serves for another purpose by @pounard
- RFC 7591/7592 support by @alexplumb
- Auth Code check falls back to server var rather than raw header by @iansltx
- Split AccessTokenRepositoryInterface by @iansltx
- Issue with authorization code flow redirect response "code" parameter length by @pounard
- Making refresh tokens optional by @xiehan
- Validating scopes after user approval in the AuthCode Flow? by @wilsonge
- Feature Request: key_type: pop by @misi
- AccessTokenEntityInterface::getNewToken() and scopes parameter. by @Danack
- Passing expiration timestamp before revoking access/refresh tokens by @stratoss
- AuthorizationValidatorInterface should have setPublicKey method or ResourceServer should not call AuthorizationValidatorInterface::setPublicKey by @kaszkielowicz
- WWW-Authenticate header is not included for access denied errors by @rjmackay
- RSA_KEY_PATTERN in CryptKey.php not working? by @ghost
- How can I translate the return messages? by @gbgelado
- Add custom encoders for token ID and refresh token, not just bin2hex by @mcd-php
- Change AccessTokenRepositoryInterface to accept the complete token instead of just tokenID. by @2blane
- Response code when `Authorization` header or `client_id` is missing by @chervand
- Return `scope` as a token response param by @chervand
- MySQL schema for v6 by @alessandroraffa
- ClientRepositoryInterface::getClientEntity return signature is wrong. by @syrm
- Update Documentation and Add Quickstart by @bretterer
- Token Revocation question by @chervand
- BearerTokenValidator:validateAuthorization seems to incorrectly use the audience claim. by @michaeldnelson
- Package localization by @tpaksu
- Ability to extend the JWT token with information by @leroy0211
- Password grant for SPA's by @boydcl
- Public Key vs Encryption Key by @linuxd3v
- Alternative Fragment Identifier by @Sephster
- Dynamic Client Registration by @NoelDeMartin
- PSR-15 version by @diogodomanski
- Indefinite Refresh Tokens by @Sephster
- Restrict Characters for a Scope by @Sephster
- Error Response is not OAuth2 compliant by @thuethe
- Outsource AbstractGrant::generateUniqueIdentifier by @crtl
- Refresh token handling by @sg3s
- Accept key content directly instead of require a key file by @marc-mabe
- Support Leeway in JWT Validation by @Sephster
- Add PHPStan Strict Rules by @Sephster
- No redirect for some AuthCodeGrant::validateAuthorizationRequest errors by @davispuh
- Return Type Inconsistency by @Sephster
- Support Public Clients for Password and Refresh Token Grant by @Sephster
- Question on refresh token scopes by @Misosooup
- Wrong warning about public key permissions by @jkufner
- Race condition in file permission by @webmake
- Re-instate PHPStan by @Sephster
- Pass JWT Config Item by @Sephster
- Remove backwards compatibility hack for JWT aud by @Sephster
- Add Unauthorized_Client support by @Sephster
- Inappropriate error code 'unsupported_grant_type' during authorization request by @cicnavi
- password grant username for number is not work by @yangjisen
- Support for league/event 3.0.0 by @vaawebdev
- BearerTokenValidator::validateAuthorization requires the JWT to have the 'Not Before' claim by @goldi80
- Using oauth2-server with Slim by @DavidAtanasoski
- Allow Ecdsa keys as oauth2 server by @shyim
- Which OAuth 2.0 grant should I implement? by @PoteRii
- Invalid client (Client authentication failed) when secret contains special characters by @bl0up
- Race condition when issuing access token from authorization code by @pokej6
- examples : "Test Refresh Token" example unclear by @jwoehr
- Add support for RFC8693 - token exchange by @Radiergummi
- Change minimum supported PHP version. by @JimTools
- Is this most likely due to an expired or somehow invalid token? by @justageek
- Custom unique identifier generator by @AurelienPillevesse
- Documentation: AuthCode grant redirect_uri must match authorization request by @iaibai
- RefreshTokenGrant requires client_secret also for non-confidential clients by @PMawesome
- Class "League\Uri\UriString" not found by @jmpecx
- Reuse or revoke existing or access and refresh tokens on new auth by @ctadlock
RELEASES
See all- 2.1.1 by @alexbilbie
- 2.1 by @alexbilbie
- 2.0.5 by @alexbilbie
- 2.0.4 by @alexbilbie
- 2.0.3 by @alexbilbie
- 2.0.2 by @alexbilbie
- 2.0 by @alexbilbie
- 3.0.0 by @alexbilbie
- 3.0.1 by @alexbilbie
- 3.1.0 by @alexbilbie
- 3.1.1 by @alexbilbie
- 3.1.2 by @philsturgeon
- 2.1.2 by @philsturgeon
- 2.1.3 by @alexbilbie
- 3.2.1 by @alexbilbie
- 3.2.2 by @philsturgeon
- 3.2.3 by @alexbilbie
- 3.2.4 by @alexbilbie
- 4.0.0 by @alexbilbie
- 4.0.1 by @alexbilbie
- 4.0.2 by @alexbilbie
- 4.0.3 by @alexbilbie
- 4.0.4 by @alexbilbie
- 4.0.5 by @alexbilbie
- 4.1.0 by @alexbilbie
- 4.1.2 by @alexbilbie
- 4.1.1 by @alexbilbie
- 4.1.3 by @alexbilbie
- 4.1.4 by @alexbilbie
- 4.1.5 by @alexbilbie
- 5.0.0-RC1 by @alexbilbie
- 5.0.0-RC2 by @alexbilbie
- 5.0.0 by @alexbilbie
- 5.0.1 by @alexbilbie
- 5.0.2 by @alexbilbie
- 5.0.3 by @alexbilbie
- 5.1.0 by @alexbilbie
- 5.1.1 by @alexbilbie
- 5.1.4 by @alexbilbie
- 6.0.0 by @alexbilbie
- 5.1.5 by @alexbilbie
- 6.0.2 by @alexbilbie
- 5.1.6 by @Sephster
- 6.1.0 by @Sephster
- 6.1.1 by @Sephster
- 7.0.0 by @Sephster
- 7.1.0 by @Sephster
- 7.1.1 by @Sephster
- 4.1.7 by @Sephster
- 7.2.0 by @Sephster
- 7.3.0 by @Sephster
- 7.3.1 by @Sephster
- 7.3.2 by @Sephster
- 7.3.3 by @Sephster
- 7.4.0 by @Sephster
- 8.0.0 by @Sephster
- 8.1.0 by @Sephster
- 8.1.1 by @Sephster
- 8.2.0 by @Sephster
- 8.2.1 by @Sephster
- 8.2.2 by @Sephster
- 8.2.3 by @Sephster
- 8.2.4 by @Sephster
- 8.3.0 by @Sephster
- 8.3.1 by @Sephster
- 8.3.2 by @Sephster
- 8.3.3 by @Sephster
- 8.3.4 by @Sephster
- 8.3.5 by @Sephster
- 8.3.6 by @Sephster
- 8.5.4 by @Sephster
- 8.4.2 by @Sephster
- 8.5.3 by @Sephster
- 8.5.2 by @Sephster
- 8.5.1 by @Sephster
- 8.5.0 by @Sephster
- 8.4.1 by @Sephster
- 8.4.0 by @Sephster