bambamboole / laravel-oidc
OpenID Connect provider layer for Laravel Passport
Requires
- php: ^8.4
- bacon/bacon-qr-code: ^3.1
- laravel/passkeys: ^0.2
- laravel/passport: ^13.4
- lcobucci/jwt: ^5.0
- phpseclib/phpseclib: ^3.0.15
- pragmarx/google2fa: ^9.0
Requires (Dev)
- larastan/larastan: ^3.0
- laravel/boost: ^2.4
- laravel/pint: ^1.16
- mockery/mockery: ^1.6
- mrpunyapal/peststan: ^0.2.10
- orchestra/testbench: ^9.0 || ^10.0 || ^11.0
- pestphp/pest: ^4.0
- pestphp/pest-plugin-laravel: ^4.0
This package is auto-updated.
Last update: 2026-07-15 20:47:41 UTC
README
An OIDC-capable auth server built as a Laravel package โ turn your Laravel app into a full OpenID Connect identity provider that other applications authenticate their users against.
The package provides the complete protocol surface of an identity provider and, optionally, a complete authentication engine (login, registration, MFA) that your app fills with its own views and actions.
๐ Read the documentation โ
What you get
OIDC provider
- Signed RS256
id_tokens, a/.well-known/openid-configurationdiscovery document, and a JWKS endpoint (RFC 7638kids). userinfo, RP-initiated logout, OIDC back-channel logout, RFC 7662 introspection, and RFC 7009 revocation.- RFC 9068 structured
at+jwtaccess tokens. - RFC 8693 token exchange, with a self-contained
CheckAudienceresource-server middleware. - Per-grant claim hooks and a swappable
ClaimsResolver/ScopeRepository/ExchangePolicy. - Env-based signing keys (
OIDC_PRIVATE_KEY/OIDC_PUBLIC_KEY) with a built-in rotation command.
Auth engine (optional)
- Package-owned login, registration, password reset, email verification, and password confirmation, driven by view and action seams your app fills.
- Multi-factor authentication: TOTP, recovery codes, and passkeys (WebAuthn).
- A post-login pipeline with a single decision hook (
requireMfa/deny/ add claims) andacr/amremission.
Requirements
- PHP
^8.4 - Laravel 11, 12, or 13
laravel/passport^13.4โ the OAuth2 core the package builds on
Installation
composer require bambamboole/laravel-oidc # Publish and run the migrations (extends oauth_clients + adds the package's own tables) php artisan vendor:publish --tag=oidc-migrations php artisan migrate # Generate env-based, rotatable RSA signing keys (OIDC_PRIVATE_KEY / OIDC_PUBLIC_KEY) php artisan oidc:rotate-keys # Optional: publish the config php artisan vendor:publish --tag=oidc-config
The service provider is auto-discovered. Set OIDC_ISSUER to your provider's public origin โ
every URL advertised in discovery is derived from it.
See the Installation guide
for the full walkthrough, and Configuration
for every config/oidc.php key.
Built on Passport
Under the hood, the OAuth2 core is Laravel Passport 13 โ the package extends and
reconfigures it rather than reimplementing an authorization server. On registration it calls
Passport::ignoreRoutes() and registers the full /oauth/* route surface itself, so that:
- OIDC scopes,
max_age, and theid_tokenresponse type are wired in. - PKCE is required on every authorization request (OAuth 2.1 ยง4.1.1/ยง7.6), for confidential clients too.
- Passport's optional JSON API management routes are not registered โ register them yourself if you need them.
- The access-token entity is swapped to
OidcAccessTokenand the response type toIdTokenResponse.
Documentation
The full documentation lives at bambamboole.github.io/laravel-oidc and is built with Starlight. To run it locally:
npm install npm run docs:dev
Testing
composer check # pint --test, phpstan (level 6), and the pest suite
CI runs the suite across Laravel 11/12/13 on every push and pull request.
License
MIT. See LICENSE.