exceed / exauth-oauth
Social login (Google) for exAuth - CodeIgniter 4 authentication library.
Requires
- php: ^8.2
- exceed/exauth: ^1.4
- league/oauth2-google: ^4.0
Requires (Dev)
- mockery/mockery: ^1.0
- phpunit/phpunit: ^10.0
README
Social login (Google) for exAuth — the CodeIgniter 4 authentication library.
Status: Phase 1 — Google only. GitHub / Facebook will follow in phase 2. Compatible with
exceed/exauth ^1.4.
This is a separate package — it does NOT modify the core exceed/exauth
library. It only adds an OAuth identity type, controllers, routes, and a service.
Features
- Login with Google (OpenID Connect)
- Account linking — if the Google email is already registered, the user is asked for their local password to "link" the accounts (prevents account takeover)
- State + PKCE protection (CSRF-safe)
- Tokens stored in
auth_identities.extras(safe, not truncated) - OAuth users are created automatically with a placeholder password +
status = 'oauth'
Install
composer require exceed/exauth-oauth
Setup
Option A — Automatic (recommended)
php spark exauth-oauth:publish
This creates app/Config/OAuth.php with the correct Config namespace that
extends the package base config. Use -f to overwrite an existing file.
Option B — Manual
Create app/Config/OAuth.php (must use the Config namespace and extend the
package base config — NOT a plain copy of the vendor file, which would clash):
<?php namespace Config; use exAuthOauth\Config\OAuth as OAuthBase; class OAuth extends OAuthBase { public bool $enabled = true; public array $google = [ 'clientId' => '....apps.googleusercontent.com', 'clientSecret' => '....', 'redirectUri' => 'https://your-app.com/oauth/google/callback', 'scopes' => ['openid', 'email', 'profile'], ]; }
⚠️ Do NOT
cp vendor/exceed/exauth-oauth/src/Config/OAuth.php app/Config/OAuth.phpas-is — that file uses namespaceexAuthOauth\Config, which collides with the package's own class and causes a fatal error. Always create the app config withnamespace Configandextends exAuthOauth\Config\OAuth(thepublishcommand does this for you).
-
Fill in your Google credentials (from Google Cloud Console) in the
googlearray above. -
Register the routes in
app/Config/Routes.php:
service('oauth')->oauthRoutes($routes);
service('oauth')returns theexAuthOauth\Authfacade (which hasoauthRoutes()). The OAuth provider itself isservice('oauthProvider').
- Add the button to your login view:
<?= view('exAuthOauth\google_button') ?>
The button only appears when
enabled = trueinapp/Config/OAuth.php. When disabled, the snippet returns an empty string — no need to remove the code.
How it works
GET /oauth/google/redirect → save state, redirect to Google
GET /oauth/google/callback → validate state → exchange code → fetch profile
├─ Google identity exists? → login
├─ email matches (local user)? → show "link account" (ask password)
└─ new email? → create user + attach identity → login
Security
| Risk | Mitigation |
|---|---|
| CSRF on callback | Required state (checked against session) |
| Account takeover | Account linking required, no auto-create |
| Token too long | Stored in extras (TEXT) |
Managing links via CLI
# List OAuth accounts linked to a user php spark exauth-oauth:user list -n johndoe # Unlink Google from a user php spark exauth-oauth:user unlink -n johndoe
Roadmap
- Phase 2: GitHub (
league/oauth2-github) - Phase 2: Facebook (
league/oauth2-facebook) - "Set password" for
status = 'oauth'accounts
Guide
- Beginner: see
docs/EXAUTH_BEGINNER_OAUTH_SETUP.md— from zero to logging in with Google, including prerequisites (install exAuth first, then Google Cloud Console).
License
MIT