admin9 / laravel-oidc-client
Laravel OIDC Client package with PKCE support for SSO/SLO authentication
Installs: 6
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 0
Open Issues: 0
pkg:composer/admin9/laravel-oidc-client
Requires
- php: ^8.2
- illuminate/http: ^11.0||^12.0
- illuminate/routing: ^11.0||^12.0
- illuminate/support: ^11.0||^12.0
- spatie/laravel-package-tools: ^1.16
Requires (Dev)
- larastan/larastan: ^3.0
- laravel/pint: ^1.14
- nunomaduro/collision: ^8.8
- orchestra/testbench: ^10.0.0||^9.0.0
- pestphp/pest: ^3.0||^4.0
- pestphp/pest-plugin-arch: ^3.0||^4.0
- pestphp/pest-plugin-laravel: ^3.0||^4.0
- phpstan/extension-installer: ^1.4
- phpstan/phpstan-deprecation-rules: ^2.0
- phpstan/phpstan-phpunit: ^2.0
README
A Laravel package for OIDC (OpenID Connect) authentication with PKCE support. Architecture-agnostic — works with Blade, Livewire, Inertia, or any Laravel stack.
Features
- OIDC Authorization Code Flow with PKCE
- Automatic user provisioning from OIDC claims
- Flexible user mapping configuration
- Token revocation and SSO logout support
- Rate limiting on all endpoints
- Event system for authentication lifecycle
Requirements
- PHP 8.2+
- Laravel 11.x or 12.x
- Persistent session driver (redis, database, file)
Installation
```bash
composer require admin9/laravel-oidc-client
php artisan vendor:publish --tag="oidc-client-config"
php artisan vendor:publish --tag="oidc-client-migrations"
php artisan migrate
```
Configuration
Add to .env:
```env
OIDC_AUTH_SERVER_HOST=https://auth.example.com
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_REDIRECT_URI=http://localhost:8000/auth/callback
```
Update app/Models/User.php:
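```php
// Allow the OIDC subject and refresh token to be mass-assigned during provisioning.
protected $fillable = [
    'name',
    'email',
    'password',
    'oidc_sub',
    'auth_server_refresh_token',
];

// Keep secrets out of array/JSON serialization of the model.
protected $hidden = [
    'password',
    'remember_token',
    'auth_server_refresh_token',
];

protected function casts(): array
{
    return [
        'email_verified_at' => 'datetime',
        'password' => 'hashed',
        // Stored encrypted in the database via Laravel's encrypted cast.
        'auth_server_refresh_token' => 'encrypted',
    ];
}
```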
Usage
Routes
The package registers these routes:
| Method | URI | Description |
|---|---|---|
| GET | /auth/redirect | Start OIDC flow |
| GET | /auth/callback | Handle callback, create session, redirect |
How It Works
- User visits `/auth/redirect` and is redirected to your OIDC provider
- After authentication, the provider redirects back to `/auth/callback`
- The package exchanges the authorization code for tokens, fetches user info, and creates/updates the local user
- The user is logged in via Laravel's web session guard and redirected to the configured `redirect_url` (default: `/dashboard`)
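The PKCE part of this flow, as defined in RFC 7636 with the S256 method, sketched as an added example. This is not the package's own code: the function names, the array standing in for the session, and the sample values are assumptions for illustration.

```php
<?php
// Added illustration of PKCE (RFC 7636, S256); not package code, names are hypothetical.

function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Step 1 (/auth/redirect): create per-login secrets and keep them in the session.
function beginAuthorization(array &$session, string $clientId, string $redirectUri): array
{
    $session['oidc_state'] = base64url(random_bytes(32));
    $session['oidc_code_verifier'] = base64url(random_bytes(32)); // 43 characters

    return [
        'response_type' => 'code',
        'client_id' => $clientId,
        'redirect_uri' => $redirectUri,
        'scope' => 'openid',
        'state' => $session['oidc_state'],
        'code_challenge' => base64url(hash('sha256', $session['oidc_code_verifier'], true)),
        'code_challenge_method' => 'S256',
    ];
}

// Step 2 (/auth/callback): reject a mismatched state, then release the verifier once.
function verifierForCallback(array &$session, string $returnedState): string
{
    $expected = $session['oidc_state'] ?? '';
    $verifier = $session['oidc_code_verifier'] ?? '';
    unset($session['oidc_state'], $session['oidc_code_verifier']); // single use
    if ($expected === '' || $verifier === '' || !hash_equals($expected, $returnedState)) {
        throw new RuntimeException('state mismatch or no pending login');
    }
    return $verifier; // sent as code_verifier in the token request
}

// Provider side: the check that binds the code to whoever started the flow.
function providerAcceptsVerifier(string $storedChallenge, string $codeVerifier): bool
{
    return hash_equals($storedChallenge, base64url(hash('sha256', $codeVerifier, true)));
}

// Constructed walk-through with an in-memory "session".
$session = [];
$params = beginAuthorization($session, 'your-client-id', 'http://localhost:8000/auth/callback');
$verifier = verifierForCallback($session, $params['state']);
var_dump(providerAcceptsVerifier($params['code_challenge'], $verifier)); // client that started the flow
var_dump(providerAcceptsVerifier($params['code_challenge'], base64url(random_bytes(32)))); // code without its verifier
```

Because the state and verifier must survive from the redirect to the callback, this sketch only works with session storage that persists across requests.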
Login Link
```html
<a href="/auth/redirect">Login with SSO</a>
```
Handling Errors
Authentication errors are flashed to the session:
```blade
@if (session('oidc_error'))
    <div class="alert alert-danger">
        Authentication failed: {{ session('oidc_error_description') }}
    </div>
@endif
```
Logout
Create a logout controller using OidcService:
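```php
use Admin9\OidcClient\Services\OidcService;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

public function logout(Request $request, OidcService $oidcService)
{
    $user = $request->user();

    // Revoke the token held at the auth server before ending the local session.
    $oidcService->revokeAuthServerToken($user);

    // End the local session and rotate the CSRF token.
    Auth::guard('web')->logout();
    $request->session()->invalidate();
    $request->session()->regenerateToken();

    // OIDC users are sent to the provider's logout endpoint to end the SSO session.
    if ($oidcService->isOidcUser($user)) {
        return redirect($oidcService->getSsoLogoutUrl());
    }

    return redirect('/');
}
```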
Optional Configuration
```env
OIDC_REDIRECT_URL=/dashboard        # Where to redirect after login (default: /dashboard)
OIDC_POST_LOGOUT_REDIRECT_URL=/     # Where Auth Server redirects after SSO logout (default: /)
OIDC_WEB_GUARD=web                  # Auth guard for session login (default: web)
```
Documentation
- Configuration - All config options and environment variables
- Troubleshooting - Common issues and solutions
License
MIT