Note 1: this library is still in development. The first stable release will be tagged as v1.0.x. All tags v0.x.y must be considered as unstable.

Note 2: if you use Symfony, a bundle is in development.

This library provides components to build an authorization server based on the OAuth2 Framework protocol (RFC6749) and associated features.

The following components are implemented:

• Access token manager:

  • Simple string access token
  • JWT access token

• Access token type:

  • Bearer access token (RFC6750)
  • MAC access (IETF draft) - The implementation is stopped until the specification has not reach maturity

• Exception manager

• Scope manager (RFC6749, section 3.3)

• Clients:

  • Public clients (RFC6749, section 2.1)
    • Proof Key for Code Exchange by OAuth Public Clients (RFC7636)
  • Password clients (RFC6749, section 2.3.1)
    • HTTP Basic Authentication Scheme (RFC2617) - Note: (RFC7617) support is scheduled
    • HTTP Digest Authentication Scheme (RFC2617) - Note: (RFC7616) support is scheduled
    • Credentials from request body
  • SAML clients (RFC7522) - Help requested!
  • JWT clients (RFC7523)
  • Unregistered clients (RFC6749, section 2.4)

• Endpoints:

  • Authorization endpoint (RFC6749, section 3.1)
  • Token endpoint (RFC6749, section 3.2)
  • Token revocation endpoint (RFC7009)
  • Token introspection endpoint (RFC7662)

• Grant types:

  • Authorization code grant type (RFC6749, section 4.1)
  • Implicit grant type (RFC6749, section 4.2)
  • Resource Owner Password Credentials grant type (RFC6749, section 4.3)
  • Client credentials grant type (RFC6749, section 4.4)
  • Refresh token grant type (RFC6749, section 6)
  • SAML grant type (RFC7522) - Help requested!
  • JWT Bearer token grant type (RFC7523)

• OpenID Connect

  • Core
  • Discovery
  • Dynamic Registration
  • Multiple response types
  • Form post response mode
  • Session Management
  • HTTP Based logout

The release process is described here.

This library needs at least .

It has been successfully tested using PHP 5.5.9, PHP 5.6, PHP 7 and HHVM.

The preferred way to install this library is to rely on Composer:

composer require "spomky-labs/oauth2-server-library" "dev-master"

Look at Extend classes for more information and examples.

Have a look at How to use to use OAuth2 server and handle your first requests.

Requests for new features, bug fixed and all other ideas to make this library useful are welcome. Please follow these best practices.

This library is release under MIT licence.