chillerlan / php-oauth
A fully transparent, framework agnostic PSR-18 OAuth client.
Installs: 7 887
Dependents: 2
Suggesters: 5
Security: 0
Stars: 43
Watchers: 3
Forks: 0
Open Issues: 3
pkg:composer/chillerlan/php-oauth
Requires
- php: ^8.1
- ext-json: *
- ext-sodium: *
- chillerlan/php-http-message-utils: ^2.2.2
- chillerlan/php-settings-container: ^3.2.1
- chillerlan/php-standard-utilities: ^1.0
- psr/http-client: ^1.0
- psr/http-message: ^1.1 || ^2.0
- psr/log: ^1.1 || ^2.0 || ^3.0
Requires (Dev)
- chillerlan/php-dotenv: ^3.0
- chillerlan/phpunit-http: ^1.0
- guzzlehttp/guzzle: ^7.9
- monolog/monolog: ^3.7
- phpmd/phpmd: ^2.15
- phpstan/phpstan: ^1.12
- phpstan/phpstan-deprecation-rules: ^1.2
- phpunit/phpunit: ^10.5
- slevomat/coding-standard: ^8.15
- squizlabs/php_codesniffer: ^3.10
Suggests
- chillerlan/php-httpinterface: ^6.0 - an alternative PSR-18 HTTP Client
This package is auto-updated.
Last update: 2025-10-07 15:12:42 UTC
README
A transparent, framework-agnostic, easily extensible PHP PSR-18 OAuth client with a user-friendly API, fully PSR-7/PSR-17 compatible.
Overview
Features
- OAuth client capabilities
  - OAuth 1.0a (RFC-5849)
  - OAuth 2.0 (RFC-6749)
    - Authorization Code Grant
    - Client Credentials Grant
    - Token refresh
    - CSRF Token ("state" parameter)
    - RFC-7009: Token Revocation
    - RFC-7636: PKCE (Proof Key for Code Exchange)
    - RFC-9126: PAR (Pushed Authorization Requests)
    - RFC-9449: DPoP (Demonstrating Proof of Possession) (planned)
  - Proprietary, OAuth-like authorization flows (e.g. Last.fm)
  - Invalidation of access tokens (if supported by the provider)
- Several built-in provider implementations (see below)
  - Provider instances act as a PSR-18 HTTP client, wrapping the given PSR-18 HTTP client instance
  - Requests to the provider API have the required OAuth headers and tokens added automatically
- Optional token encryption via `sodium_crypto_secretbox()` for the internal storage engines
- A unified user data object `AuthenticatedUser` via the `OAuthInterface::me()` method
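The "state" parameter and PKCE entries in the feature list are the two client-side defenses that keep an authorization code from being injected or replayed: the state value binds the callback to the session that started the flow, and the PKCE verifier/challenge pair binds the token request to the client that built the authorization URL. The following is an added, standalone PHP example of those two mechanisms as RFC 7636 and RFC 6749 §10.12 describe them; it is not the library's own code (the library implements them behind its `CSRFToken` and `PKCE` interfaces), and the provider URL, client id, redirect URI and callback query string are constructed placeholders.

```php
<?php
// Added illustration of PKCE (RFC 7636, S256 method) and the "state" CSRF parameter.
// Standalone code with constructed values; not the chillerlan/php-oauth implementation.
declare(strict_types=1);

/** Base64url without padding, as RFC 7636 Appendix A specifies. */
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Returns [code_verifier, code_challenge]; 32 random bytes give a 43-char verifier (allowed range 43..128). */
function pkcePair(int $bytes = 32): array
{
    $verifier  = b64url(random_bytes($bytes));
    $challenge = b64url(hash('sha256', $verifier, true)); // S256: BASE64URL(SHA256(verifier))
    return [$verifier, $challenge];
}

/** Unguessable per-flow state, kept server-side (session) and compared in constant time. */
function newState(): string
{
    return b64url(random_bytes(16));
}

function checkState(?string $stored, ?string $received): bool
{
    if ($stored === null || $received === null) {
        return false; // a missing state is a failed check, never a pass
    }
    return hash_equals($stored, $received);
}

// --- step 1: build the authorization request ---
[$verifier, $challenge] = pkcePair();
$state = newState();
// In a real app: $_SESSION['oauth'] = ['state' => $state, 'verifier' => $verifier];
$authURL = 'https://provider.example/authorize?' . http_build_query([
    'response_type'         => 'code',
    'client_id'             => 'hypothetical-client-id',
    'redirect_uri'          => 'https://app.example/callback',
    'scope'                 => 'read',
    'state'                 => $state,
    'code_challenge'        => $challenge,
    'code_challenge_method' => 'S256',
]);
echo $authURL, PHP_EOL;

// --- step 2: the callback. Constructed query string standing in for $_GET ---
parse_str('code=abc123&state=' . $state, $callback);
if (!checkState($state, $callback['state'] ?? null)) {
    throw new RuntimeException('state mismatch: possible CSRF, abort the flow');
}

// The token request carries the plaintext verifier, never the challenge.
$tokenRequestBody = [
    'grant_type'    => 'authorization_code',
    'code'          => $callback['code'],
    'redirect_uri'  => 'https://app.example/callback',
    'client_id'     => 'hypothetical-client-id',
    'code_verifier' => $verifier,
];

// What the provider does on its side: recompute the challenge from the verifier and
// compare it with the one it stored from step 1. Shown here so the round trip is visible.
if (b64url(hash('sha256', $tokenRequestBody['code_verifier'], true)) !== $challenge) {
    throw new RuntimeException('PKCE verification failed');
}
echo 'state and PKCE checks passed', PHP_EOL;
```

Two details matter in practice: the stored state and verifier must be removed from the session once the callback has been processed, so that a captured callback URL cannot be replayed, and the verifier must only ever travel in the token request over TLS, since anyone who learns it together with the code can redeem the code.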
Requirements
- PHP 8.1+
- extensions: `json`, `sodium`
  - from dependencies: `curl`, `fileinfo`, `intl`, `mbstring`, `simplexml`, `zlib`
- a PSR-18 compatible HTTP client library of your choice
- PSR-17 compatible `RequestFactory`, `StreamFactory` and `UriFactory`
Documentation
- The user manual is at https://php-oauth.readthedocs.io/ (sources)
- An API documentation created with phpDocumentor can be found at https://chillerlan.github.io/php-oauth/
- The documentation for the `AccessToken`, `AuthenticatedUser` and `OAuthOptions` containers can be found here: chillerlan/php-settings-container
- There is the suite of get-token examples, which is mostly intended for development, and there are self-contained examples for a quickstart.
Installation with composer
See the installation guide for more info!
Terminal
composer require chillerlan/php-oauth
composer.json
{
	"require": {
		"php": "^8.1",
		"chillerlan/php-oauth": "^1.0"
	}
}
Note: check the releases for valid versions.
Implemented Providers
Legend:
- Provider: the name of the provider class and link to their API documentation
- keys: links to the provider's OAuth application creation page
- revoke: links to the OAuth application access revocation page in the provider's user profile
- ver: the OAuth version(s) supported by the provider
- User: indicates that the provider offers information about the currently authenticated user via the `me()` method (implements the `UserInfo` interface)
- CSRF: indicates that the provider uses CSRF protection via the `state` parameter (implements the `CSRFToken` interface)
- PKCE: indicates that the provider supports Proof Key for Code Exchange (implements the `PKCE` interface)
- CC: indicates that the provider supports the Client Credentials Grant (implements the `ClientCredentials` interface)
- TR: indicates that the provider is capable of refreshing an access token (implements the `TokenRefresh` interface)
- TI: indicates that the provider is capable of revoking/invalidating an access token (implements the `TokenInvalidate` interface)
Disclaimer
OAuth tokens are secrets and should be treated as such. Store them in a safe place and consider encrypting them at rest.
I don't take responsibility for stolen OAuth tokens. Use at your own risk.
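The feature list names `sodium_crypto_secretbox()` as the primitive behind the optional token encryption of the built-in storage engines. The following is an added, standalone PHP example of what such at-rest encryption involves (random nonce per blob, authenticated decryption, key kept apart from the store); it is not the library's storage engine code, and the token array and key handling are constructed for illustration.

```php
<?php
// Added illustration of encrypting an OAuth token at rest with sodium_crypto_secretbox()
// (XSalsa20-Poly1305). Standalone code; not the chillerlan/php-oauth storage implementation.
declare(strict_types=1);

/** 32-byte key, generated once and kept outside the token store (environment, KMS, ...). */
function newStorageKey(): string
{
    return sodium_crypto_secretbox_keygen(); // SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes
}

/** Encrypt a token; a fresh random nonce is prepended so decryption can recover it. */
function sealToken(array $token, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('storage key must be exactly 32 bytes');
    }
    // 24-byte nonce; random per blob, so the same key never encrypts two blobs under one nonce
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox(json_encode($token, JSON_THROW_ON_ERROR), $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_ORIGINAL);
}

/** Decrypt and authenticate; any modification of the stored blob makes this throw. */
function openToken(string $stored, string $key): array
{
    $raw   = sodium_base642bin($stored, SODIUM_BASE64_VARIANT_ORIGINAL);
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('token blob failed authentication (wrong key or tampered)');
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample token; not a real credential.
$token  = ['accessToken' => 'ya29.example', 'refreshToken' => '1//example', 'expires' => 1700000000];
$key    = newStorageKey();
$stored = sealToken($token, $key);

var_dump(openToken($stored, $key) === $token);

// Flip one ciphertext byte: Poly1305 authentication fails and nothing is decrypted.
$bytes = sodium_base642bin($stored, SODIUM_BASE64_VARIANT_ORIGINAL);
$last  = strlen($bytes) - 1;
$bytes[$last] = chr(ord($bytes[$last]) ^ 0x01);
try {
    openToken(sodium_bin2base64($bytes, SODIUM_BASE64_VARIANT_ORIGINAL), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

sodium_memzero($key); // wipe the key from memory once it is no longer needed
```

Encrypting the store only helps if the key lives somewhere the token store's attacker does not also reach: a key sitting next to the encrypted blobs in the same session file or database row adds nothing. Rotating the key means re-sealing every stored token, so keep the sealing and opening code in one place.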
Privacy policy
This library does not store or process user data on its own - it only handles the OAuth flow for an application.
Implementers are responsible for a proper privacy policy in accordance with the service providers.