OAuth 2.0 OpenID Connect Client

This package uses the PHP League's OAuth2 Client and the lcobucci/jwt token library to provide an OAuth2 OpenID Connect client: it performs the authorization code flow and verifies the id_token returned with the access token.


The following versions of PHP are supported.

  • PHP 5.6
  • PHP 7.0-7.4
  • PHP 8.0


You may test your OpenID Connect Client against bshaffer's demo oauth2 server.

<?php
require __DIR__ . '/vendor/autoload.php';

// the OAuth2 state is stored in the session between the two requests
session_start();

$signer   = new \Lcobucci\JWT\Signer\Rsa\Sha256();
$provider = new \OpenIDConnectClient\OpenIDConnectProvider(
    [
        'clientId'                => 'demoapp',
        'clientSecret'            => 'demopass',
        // Your server
        'redirectUri'             => '',
        // Settings of the OP (OpenID provider)
        // The issuer of the identity token (id_token); this is compared with the iss claim returned in the token.
        'idTokenIssuer'           => '',
        'urlAuthorize'            => '',
        'urlAccessToken'          => '',
        'urlResourceOwnerDetails' => '',
        // Find the public key here:
        // to test against
        'publicKey'               => 'file:///myproj/data/public.key',
        // Alternatively, you can use automatic discovery as long as your server
        // has the <issuer>/.well-known/openid-configuration endpoint
        'issuer'                  => '',
    ],
    // collaborators: the signer must match the algorithm the OP signs id_tokens with
    [
        'signer' => $signer,
    ]
);

// send the authorization request
if (empty($_GET['code'])) {
    $redirectUrl = $provider->getAuthorizationUrl();
    // remember the state generated for this request so the callback can be tied to it (CSRF protection)
    $_SESSION['oauth2state'] = $provider->getState();
    header(sprintf('Location: %s', $redirectUrl), true, 302);
    exit;
}

// reject callbacks that do not carry the state we issued
if (empty($_GET['state']) || empty($_SESSION['oauth2state'])
    || !hash_equals($_SESSION['oauth2state'], $_GET['state'])) {
    unset($_SESSION['oauth2state']);
    exit('Invalid state');
}
unset($_SESSION['oauth2state']);

// receive authorization response
try {
    $token = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code'],
    ]);
} catch (\OpenIDConnectClient\Exception\InvalidTokenException $e) {
    // the id_token failed verification; the validator chain reports which checks failed
    $errors = $provider->getValidatorChain()->getMessages();
    exit('Invalid id_token: ' . implode(', ', $errors));
}

$accessToken    = $token->getToken();
$refreshToken   = $token->getRefreshToken();
$expires        = $token->getExpires();
$hasExpired     = $token->hasExpired();
$idToken        = $token->getIdToken();
$email          = $idToken->getClaim('email', false);
$allClaims      = $idToken->getClaims();

Run the Example

An example client has been provided and can be found in the /example directory of this repository. To run the example you can use PHP's built-in web server.

$ php -S localhost:8081 client.php

Then open this link: http://localhost:8081/

This should send you to bshaffer's OAuth2 Live OpenID Connect Demo site.

Token Verification

The id_token is verified using the lcobucci/jwt library. You will need to pass the appropriate signer and publicKey to the OpenIDConnectProvider: the signer must match the algorithm the OP uses to sign id_tokens (Rsa\Sha256 for RS256 in the example above), and publicKey must be the OP's key, not one supplied by the token itself. The issuer (idTokenIssuer) and client ID are also checked against the iss and aud claims during verification.


Via Composer

$ composer require steverhoades/oauth2-openid-connect-client

Clock difference tolerance in nbf

Some clock difference between the IdP (the OP) and the SP (this client) can be tolerated by passing the nbfToleranceSeconds option in the getAccessToken call. The value is added to the client's current time before it is compared with the token's nbf claim, so an id_token issued by an OP whose clock is slightly ahead is not rejected as "not yet valid". Keep the tolerance small (a minute or so); it exists to absorb clock skew, not to loosen token validation.


// receive authorization response
try {
    $token = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code'],
        // adds 60 seconds to currentTime to tolerate 1 minute difference in clocks between IdP and SP
        'nbfToleranceSeconds' => 60,
    ]);
} catch (\OpenIDConnectClient\Exception\InvalidTokenException $e) {
    $errors = $provider->getValidatorChain()->getMessages();
    exit('Invalid id_token: ' . implode(', ', $errors));
}
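To make the Token Verification and nbf tolerance sections concrete, the following added example (not code from this project or the lcobucci/jwt library) reimplements the checks a client's validator chain has to perform: signature first, then iss, aud, exp and nbf, with an nbf tolerance applied the way the option above describes. It uses an HMAC signer (HS256) so it runs on the Python standard library alone; the client on this page verifies an RS256 signature with the OP's public key, and the claim checks are identical. The key, issuer, client ID, fixed clock and the helper names sign_hs256 and validate_id_token are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo values (not from the page or the library).
DEMO_KEY = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://op.example.test"
DEMO_CLIENT_ID = "demoapp"
FIXED_NOW = 1_700_000_000  # fixed clock so results are reproducible


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS (HS256) over the given claims. Plays the role of the OP."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      now: Optional[int] = None, nbf_tolerance_seconds: int = 0) -> List[str]:
    """Return the list of validation failures; an empty list means the token is accepted.

    Signature problems return immediately: claim checks only run on a token that
    really came from the OP, so a forged token cannot probe the claim checks.
    """
    errors: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return ["header is not valid base64url/JSON"]
    # Allow-list the algorithm: never let the token pick it ("none", or HMAC over an RSA public key).
    if header.get("alg") != "HS256":
        return [f"unsupported alg {header.get('alg')!r}"]
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return ["signature is not valid base64url"]
    if not hmac.compare_digest(expected, presented):
        return ["signature mismatch"]

    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now

    # iss must equal the issuer the client was configured with (idTokenIssuer on the page).
    if claims.get("iss") != issuer:
        errors.append(f"iss {claims.get('iss')!r} does not match expected {issuer!r}")
    # aud may be a string or a list; this client's ID must be among the audiences.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        errors.append("aud does not contain this client_id")
    # exp: the token is rejected once the clock reaches exp.
    if "exp" not in claims:
        errors.append("exp claim missing")
    elif current >= claims["exp"]:
        errors.append("token has expired (exp)")
    # nbf: the token is valid only once the clock reaches nbf. Adding the tolerance to the
    # current time lets a token from an OP whose clock is slightly ahead pass.
    if "nbf" in claims and current + nbf_tolerance_seconds < claims["nbf"]:
        ahead = claims["nbf"] - current
        errors.append(f"token not yet valid (nbf is {ahead:.0f}s ahead, tolerance {nbf_tolerance_seconds}s)")
    return errors


if __name__ == "__main__":
    # The OP's clock is 30 seconds ahead of ours: strict validation rejects, 60s tolerance accepts.
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "sub": "alice", "email": "alice@example.test",
              "iat": FIXED_NOW, "nbf": FIXED_NOW + 30, "exp": FIXED_NOW + 600}
    token = sign_hs256(claims, DEMO_KEY)
    print("strict:  ", validate_id_token(token, DEMO_KEY, DEMO_ISSUER, DEMO_CLIENT_ID, now=FIXED_NOW))
    print("tolerant:", validate_id_token(token, DEMO_KEY, DEMO_ISSUER, DEMO_CLIENT_ID,
                                         now=FIXED_NOW, nbf_tolerance_seconds=60))
```

The order of checks is the part worth copying: the signature is verified with a key chosen by the client before any claim is read, the algorithm is taken from the client's configuration rather than from the token header, and the tolerance is applied only to nbf, so it absorbs clock skew without extending a token's lifetime.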


The MIT License (MIT). Please see License File for more information.