Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

IBM App ID Provider for OAuth 2.0 Client

Build Status Scrutinizer coverage (GitHub/BitBucket) GitHub release (latest SemVer) PHP from Packagist Scrutinizer Code Quality GitHub tag (latest SemVer) GitHub Packagist GitHub contributors GitHub last commit contributions welcome

This package provides IBM App ID OAuth 2.0 support for the PHP League's OAuth 2.0 Client. Please, read this page for full documentation.


To install, use composer:

composer require jampire/oauth2-appid


Usage is the same as The League's OAuth client, using \Jampire\OAuth2\Client\Provider\AppIdProvider as the provider.

Use baseAuthUri to specify the IBM App ID base server URL. You can lookup the correct value from the Application settings of your IBM App ID service under oAuthServerUrl without tenantId section, eg.

Use tenantId to specify the IBM App ID tenant ID. You can lookup the correct value from the Application settings of your IBM App ID service under tenantId, eg. abcd-efgh-1234-5678-mnop.

All other values you can find in Application settings of your IBM App ID service.

Do not forget to register your redirect URL in your IBM App ID whitelist. Please, read IBM App ID documentation.

Authorization Code Flow


require_once __DIR__ . '/vendor/autoload.php';

use Jampire\OAuth2\Client\Provider\AppIdProvider;
use Jampire\OAuth2\Client\Provider\AppIdException;


try {
    $provider = new AppIdProvider([
        'baseAuthUri'   => '{baseAuthUri}',
        'tenantId'      => '{tenantId}',
        'clientId'      => '{clientId}',
        'clientSecret'  => '{clientSecret}',
        'redirectUri'   => '{redirectUri}',
} catch (AppIdException $e) {
    exit('Failed to create provider: ' . $e->getMessage());

if (!isset($_GET['code'])) {
    // If we don't have an authorization code then get one

    // Fetch the authorization URL from the provider; this returns the
    // urlAuthorize option and generates and applies any necessary parameters
    // (e.g. state).
    $authorizationUrl = $provider->getAuthorizationUrl();

    // Get the state generated for you and store it to the session.
    $_SESSION['oauth2state'] = $provider->getState();

    // Redirect the user to the authorization URL.
    header('Location: ' . $authorizationUrl);

if (empty($_GET['state']) || (isset($_SESSION['oauth2state']) && $_GET['state'] !== $_SESSION['oauth2state'])) {
    // Check given state against previously stored one to mitigate CSRF attack
    if (isset($_SESSION['oauth2state'])) {
    exit('Invalid state');


try {
    // Try to get an access token using the authorization code grant.
    $accessToken = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code']

    // We have an access token, which we may use in authenticated
    // requests against the service provider's API.
    echo '<b>Access Token:</b> ', $accessToken->getToken(), '<br>';
    echo '<b>Refresh Token:</b> ', $accessToken->getRefreshToken(), '<br>';
    echo '<b>Expired in:</b> ', $accessToken->getExpires(), '<br>';
    echo '<b>Already expired?</b> ', ($accessToken->hasExpired() ? 'expired' : 'not expired'), '<br>';

    // Using the access token, we may look up details about the
    // resource owner.
    $resourceOwner = $provider->getResourceOwner($accessToken);
} catch (Exception $e) {
    // Failed to get the access token or user details.



$ ./vendor/bin/phpunit


Please see CONTRIBUTING for details.



The MIT License (MIT). Please see License File for more information.