Overview
chillerlan/php-oauth is a transparent, framework-agnostic, easily extensible PHP PSR-18 OAuth 1/2 client with a user-friendly API, fully PSR-7/PSR-17 compatible.
Features
- OAuth client capabilities
  - CSRF Token (“state” parameter)
  - RFC-7636: PKCE (Proof Key for Code Exchange)
  - RFC-9126: PAR (Pushed Authorization Requests)
  - Proprietary, OAuth-like authorization flows (e.g. Last.fm)
  - Invalidation of access tokens (if supported by the provider)
- Several built-in provider implementations (see below)
- Provider instances act as PSR-18 HTTP client, wrapping the given PSR-18 HTTP instance
- Requests to the provider API will have required OAuth headers and tokens added automatically
- Optional token encryption via sodium_crypto_secretbox() for the internal storage engines
- A unified user data object AuthenticatedUser via the OAuthInterface::me() method
Requirements
Supported Providers
Provider | keys | revoke | ver | User | CSRF | PKCE | CC | TR | TI |
---|---|---|---|---|---|---|---|---|---|
2 | ✓ | ✓ | ✓ | ||||||
2 | ✓ | ✓ | ✓ | ||||||
2 | ✓ | ✓ | ✓ | ||||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
2 | ✓ | ✓ | |||||||
2 | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
1 | ✓ | ||||||||
2 | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
1 | ✓ | ||||||||
2 | ✓ | ||||||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
2 | ✓ | ✓ | ✓ | ||||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
2 | ✓ | ✓ | |||||||
2 | ✓ | ||||||||
2 | ✓ | ✓ | ✓ | ||||||
- | ✓ | ||||||||
2 | ✓ | ✓ | |||||||
2 | ✓ | ✓ | ✓ | ||||||
2 | ✓ | ✓ | |||||||
2 | ✓ | ||||||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
1 | ✓ | ||||||||
1 | ✓ | ||||||||
2 | ✓ | ✓ | |||||||
2 | ✓ | ✓ | ✓ | ||||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
2 | ✓ | ✓ | ✓ | ||||||
2 | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
2 | ✓ | ✓ | |||||||
2 | ✓ | ✓ | ✓ | ||||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
- | ✓ | ||||||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
1 | ✓ | ||||||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
2 | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
1 | ✓ | ||||||||
2 | ✓ | ||||||||
2 | ✓ | ✓ | ✓ | ✓ | |||||
2 | ✓ | ✓ | |||||||
2 | ✓ | ✓
Legend:
- Provider: the name of the provider class and link to their API documentation
- keys: links to the provider’s OAuth application creation page
- revoke: links to the OAuth application access revocation page in the provider’s user profile
- ver: the OAuth version(s) supported by the provider
- User: indicates that the provider offers information about the currently authenticated user via the me() method (implements the UserInfo interface)
- CSRF: indicates that the provider uses CSRF protection via the state parameter (implements the CSRFToken interface)
- PKCE: indicates that the provider supports Proof Key for Code Exchange (implements the PKCE interface)
- CC: indicates that the provider supports the Client Credentials Grant (implements the ClientCredentials interface)
- TR: indicates that the provider is capable of refreshing an access token (implements the TokenRefresh interface)
- TI: indicates that the provider is capable of revoking/invalidating an access token (implements the TokenInvalidate interface)
Shameless advertising
Hi, please check out some of my other projects!
- php-qrcode - a QR code generator and reader with a user-friendly API
- php-authenticator - yet another Google Authenticator implementation
- php-httpinterface - a PSR-7/17/18 implementation
- php-database - a database client & querybuilder for MySQL, Postgres, SQLite, MSSQL, Firebird
- php-tootbot - a Mastodon bot library