An OpenID Connect Server that sits on The PHP League's OAuth2 Server

OAuth 2.0 OpenID Connect Server

This implements the OpenID Connect specification on top of The PHP League's OAuth2 Server.


The following versions of PHP are supported.

  • PHP 5.5
  • PHP 5.6
  • PHP 7.0


The following classes will need to be configured and passed to the AuthorizationServer in order to provide OpenID Connect functionality.

  1. IdentityRepository. This should implement the IdentityRepositoryInterface and return the identity of the user based on the return value of $accessToken->getUserIdentifier().
  2. ClaimSet. ClaimSet is a way to associate claims with a given scope.
  3. ClaimExtractor. The ClaimExtractor takes an array of ClaimSets and in addition provides default claims for the OpenID Connect specified scopes of: profile, email, phone and address.
  4. IdTokenResponse. This class must be passed to the AuthorizationServer during construction and is responsible for adding the id_token to the response.
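
To make the ClaimSet and ClaimExtractor roles concrete, the following added example (standalone PHP 7, not this library's own classes) filters a user record down to the claims that the granted scopes cover. The function name extractClaims, the custom hr scope and the sample user are assumptions; the default scope-to-claim mapping is the one from OpenID Connect Core 1.0 section 5.4.

```php
<?php
// Added illustration: standalone code, not the library's ClaimSet/ClaimExtractor classes.
// All function and variable names here are hypothetical.

// Standard claims per scope, from OpenID Connect Core 1.0 section 5.4.
const DEFAULT_CLAIM_SETS = [
    'profile' => ['name', 'family_name', 'given_name', 'middle_name', 'nickname',
                  'preferred_username', 'profile', 'picture', 'website', 'gender',
                  'birthdate', 'zoneinfo', 'locale', 'updated_at'],
    'email'   => ['email', 'email_verified'],
    'phone'   => ['phone_number', 'phone_number_verified'],
    'address' => ['address'],
];

// Return only the user attributes that the granted scopes entitle the client to.
function extractClaims(array $grantedScopes, array $userAttributes, array $customClaimSets = []): array
{
    // Design choice of this sketch: array union keeps the left side, so a custom
    // set can add a new scope but cannot redefine a standard one.
    $claimSets = DEFAULT_CLAIM_SETS + $customClaimSets;
    $allowed = [];
    foreach ($grantedScopes as $scope) {
        foreach ($claimSets[$scope] ?? [] as $claim) {
            $allowed[$claim] = true;
        }
    }
    // Attributes not named by a granted scope are dropped, never passed through.
    return array_intersect_key($userAttributes, $allowed);
}

// Constructed sample user record, including fields that must never reach an id_token.
$user = [
    'name'           => 'Alice Example',
    'email'          => 'alice@example.test',
    'email_verified' => true,
    'phone_number'   => '+1 555 0100',
    'employee_id'    => 'E-1042',
    'password_hash'  => '(constructed placeholder)',
];

// Custom claim set: a hypothetical "hr" scope that releases employee_id.
$custom = ['hr' => ['employee_id']];

// Client granted only the email scope.
var_dump(extractClaims(['openid', 'email'], $user, $custom));
// Client granted profile plus the custom hr scope.
var_dump(extractClaims(['openid', 'profile', 'hr'], $user, $custom));
```

Because the filter is an allow-list keyed on scope, a field such as password_hash is never emitted unless some claim set names it explicitly.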

Example Configuration

// Init Repositories
$clientRepository       = new ClientRepository();
$scopeRepository        = new ScopeRepository();
$accessTokenRepository  = new AccessTokenRepository();
$authCodeRepository     = new AuthCodeRepository();
$refreshTokenRepository = new RefreshTokenRepository();

$privateKeyPath = 'file://' . __DIR__ . '/../private.key';
$publicKeyPath = 'file://' . __DIR__ . '/../public.key';

// OpenID Connect Response Type
$responseType = new IdTokenResponse(new IdentityRepository(), new ClaimExtractor());

// Setup the authorization server
$server = new \League\OAuth2\Server\AuthorizationServer(
    $clientRepository,
    $accessTokenRepository,
    $scopeRepository,
    $privateKeyPath,
    $publicKeyPath,
    $responseType // adds the id_token to the token response
);

$grant = new \League\OAuth2\Server\Grant\AuthCodeGrant(
    $authCodeRepository,
    $refreshTokenRepository,
    new \DateInterval('PT10M') // authorization codes will expire after 10 minutes
);

$grant->setRefreshTokenTTL(new \DateInterval('P1M')); // refresh tokens will expire after 1 month

// Enable the authorization code grant on the server
$server->enableGrantType(
    $grant,
    new \DateInterval('PT1H') // access tokens will expire after 1 hour
);

return $server;

After the server has been configured it should be used as described in the OAuth2 Server documentation.


Via Composer

$ composer require steverhoades/oauth2-openid-connect-server


The MIT License (MIT). Please see License File for more information.
