OAuth2 OpenID Connect Client that utilizes the PHP Leagues OAuth2 Client

v2.0.0 2023-01-13 18:13 UTC


This package uses the PHP League's OAuth2 Client and this JWT Token Library to provide an OAuth2 OpenID Connect client.


The following versions of PHP are supported.

  • PHP 7.4
  • PHP 8.0
  • PHP 8.1


You may test your OpenID Connect Client against bshaffer's demo oauth2 server.

$signer   = new \Lcobucci\JWT\Signer\Rsa\Sha256();
$provider = new \OpenIDConnectClient\OpenIDConnectProvider([
        'clientId'                => 'demoapp',
        'clientSecret'            => 'demopass',
        // the issuer of the identity token (id_token) this will be compared with what is returned in the token.
        'idTokenIssuer'           => '',
        // Your server
        'redirectUri'             => '',
        'urlAuthorize'            => '',
        'urlAccessToken'          => '',
        'urlResourceOwnerDetails' => '',
        // Find the public key here:
        // to test against
        'publicKey'                 => 'file:///myproj/data/public.key',
        'signer' => $signer

// send the authorization request
if (empty($_GET['code'])) {
    $redirectUrl = $provider->getAuthorizationUrl();
    header(sprintf('Location: %s', $redirectUrl), true, 302);

// receive authorization response
try {
    $token = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code']
} catch (\OpenIDConnectClient\Exception\InvalidTokenException $e) {
    $errors = $provider->getValidatorChain()->getMessages();

$accessToken    = $token->getToken();
$refreshToken   = $token->getRefreshToken();
$expires        = $token->getExpires();
$hasExpired     = $token->hasExpired();
$idToken        = $token->getIdToken();
$email          = $idToken->claims()->get('email', false);
$allClaims      = $idToken->claims();

Run the Example

An example client has been provided and can be found in the /example directory of this repository. To run the example you can utilize PHPs built-in web server.

$ php -S localhost:8081 client.php

Then open this link: http://localhost:8081/

This should send you to bshaffer's OAuth2 Live OpenID Connect Demo site.

Token Verification

The id_token is verified using the lcobucci/jwt library. You will need to pass the appropriate signer and publicKey to the OpenIdConnectProvider.


Via Composer

$ composer require steverhoades/oauth2-openid-connect-client

Clock difference tolerance in nbf

Some clock difference can be tolerated between the IdP and the SP by using the nbfToleranceSeconds option in the getAccessToken method call.


// receive authorization response
try {
    $token = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code'],
        //adds 60 seconds to currentTime to tolerate 1 minute difference in clocks between IdP and SP
        'nbfToleranceSeconds' => 60
} catch (\OpenIDConnectClient\Exception\InvalidTokenException $e) {
    $errors = $provider->getValidatorChain()->getMessages();


The MIT License (MIT). Please see License File for more information.