README

A transparent, framework-agnostic, easily extensible PHP PSR-18 OAuth client with a user-friendly API, fully PSR-7/PSR-17 compatible.

Overview

Features

• OAuth client capabilities
  • OAuth 1.0a (RFC-5849)
  • OAuth 2.0 (RFC-6749)
    • Authorization Code Grant
    • Client Credentials Grant
    • Token refresh
    • CSRF Token ("state" parameter)
    • RFC-7009: Token Revocation
    • RFC-7636: PKCE (Proof Key for Code Exchange)
    • RFC-9126: PAR (Pushed Authorization Requests)
    • RFC-9449: DPoP (Demonstrating Proof of Possession) (planned)
  • Proprietary, OAuth-like authorization flows (e.g. Last.fm)
  • Invalidation of access tokens (if supported by the provider)
• Several built-in provider implementations (see below)
  • Provider instances act as PSR-18 HTTP client, wrapping the given PSR-18 HTTP instance
  • Requests to the provider API will have required OAuth headers and tokens added automatically
• Optional token encryption via sodium_crypto_secretbox() for the internal storage engines
• A unified user data object AuthenticatedUser via the OAuthInterface::me() method

Requirements

• PHP 8.1+
  • extensions: json, sodium
    • from dependencies: curl, fileinfo, intl, mbstring, simplexml, zlib
• a PSR-18 compatible HTTP client library of your choice
• PSR-17 compatible RequestFactory, StreamFactory and UriFactory

Documentation

• The user manual is at https://php-oauth.readthedocs.io/ (sources)
• An API documentation created with phpDocumentor can be found at https://chillerlan.github.io/php-oauth/
• The documentation for the AccessToken, AuthenticatedUser and OAuthOptions containers can be found here: chillerlan/php-settings-container
• There is the suite of get-token examples, which is mostly intended for development, and there are self-contained examples for a quickstart:
  • OAuth1 example
  • OAuth2 example

Installation with composer

See the installation guide for more info!

Terminal

composer require chillerlan/php-oauth

composer.json

{
	"require": {
		"php": "^8.1",
		"chillerlan/php-oauth": "^1.0"
	}
}

Note: check the releases for valid versions.

Implemented Providers

Legend:

• Provider: the name of the provider class and link to their API documentation
• keys: links to the provider's OAuth application creation page
• revoke: links to the OAuth application access revocation page in the provider's user profile
• ver: the OAuth version(s) supported by the provider
• User: indicates that the provider offers information about the currently authenticated user via the me() method (implements the UserInfo interface)
• CSRF: indicates that the provider uses CSRF protection via the state parameter (implements the CSRFToken interface)
• PKCE: indicates that the provider supports Proof Key for Code Exchange (implements the PKCE interface)
• CC: indicates that the provider supports the Client Credentials Grant (implements the ClientCredentials interface)
• TR: indicates that the provider is capable of refreshing an access token (implements the TokenRefresh interface)
• TI: indicates that the provider is capable of revoking/invalidating an access token (implements the TokenInvalidate interface)

Disclaimer

OAuth tokens are secrets and should be treated as such. Store them in a safe place, consider encryption.
I don't take responsibility for stolen OAuth tokens. Use at your own risk.

Privacy policy

This library does not store or process user data on its own - it only handles the OAuth flow for an application.
Implementers are responsible for a proper privacy policy in accordance with the service providers.