# thephpleague/oauth2-server

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/thephpleague-oauth2-server).**

6,650 stars · 1,133 forks · PHP · MIT

## Links

- GitHub: https://github.com/thephpleague/oauth2-server
- Homepage: https://oauth2.thephpleague.com
- awesome-repositories: https://awesome-repositories.com/repository/thephpleague-oauth2-server.md

## Topics

`oauth` `oauth2` `oauth2-server` `php`

## Description

This project is a PHP library for implementing a spec-compliant OAuth 2.0 authorization server. It serves as an authentication framework for managing user identities and client authorizations, providing the necessary components to issue and validate access and refresh tokens.

The server supports a wide range of standardized authorization flows, including authorization code exchange, device grants, implicit flows, and PKCE enforcement. It handles complex token lifecycles through refresh token rotation, scope management, and the use of asymmetric keys for signing digital tokens.

The system provides comprehensive API access control and resource protection by verifying bearer tokens and authorization headers. It employs the repository pattern for data persistence and provides interfaces to decouple authorization entities from specific database backends.

Integration is achieved through standardized request and response interfaces that connect the authorization server logic to web frameworks.

## Tags

### Security & Cryptography

- [OAuth 2.0 Authorization Servers](https://awesome-repositories.com/f/security-cryptography/oauth-2-0-authorization-servers.md) — Implements a full OAuth 2.0 authorization server for managing client registrations and issuing access tokens.
- [Request Token Validators](https://awesome-repositories.com/f/security-cryptography/access-control/panel-access-controls/token-access-restrictions/request-token-validators.md) — Validates tokens on every incoming request to enforce access control and identify users. ([source](https://oauth2.thephpleague.com/resource-server/securing-your-api/))
- [OAuth Token Refreshes](https://awesome-repositories.com/f/security-cryptography/account-management/account-synchronization/credential-refreshers/oauth-token-refreshes.md) — Controls the creation and validity period of refresh tokens to enable long-lived user sessions. ([source](https://oauth2.thephpleague.com/refresh-token-repository-interface/))
- [API Access Control](https://awesome-repositories.com/f/security-cryptography/api-access-control.md) — Ensures only authorized users and clients can access specific API endpoints by verifying bearer tokens.
- [Signed JWT Generation](https://awesome-repositories.com/f/security-cryptography/asymmetric-signing/signed-jwt-generation.md) — Generates compact signed JSON Web Tokens using private keys for secure distribution.
- [Authentication Frameworks](https://awesome-repositories.com/f/security-cryptography/authentication-frameworks.md) — Provides a secure framework for managing user identities and client authorizations in PHP environments.
- [Authorization Code Exchanges](https://awesome-repositories.com/f/security-cryptography/authorization-code-exchanges.md) — Verifies authorization codes and client credentials to issue signed access and encrypted refresh tokens. ([source](https://oauth2.thephpleague.com/authorization-server/auth-code-grant/))
- [Authorization Code Issuances](https://awesome-repositories.com/f/security-cryptography/authorization-code-issuances.md) — Validates client requests and user approvals to create temporary codes exchangeable for tokens. ([source](https://oauth2.thephpleague.com/authorization-server/auth-code-grant/))
- [OAuth Client Secret Validators](https://awesome-repositories.com/f/security-cryptography/encrypted-secret-management/secret-validations/api-credential-validations/oauth-client-secret-validators.md) — Verifies OAuth client secrets at the token endpoint to authenticate requesting applications. ([source](https://oauth2.thephpleague.com/client-repository-interface/))
- [Grant Type Validations](https://awesome-repositories.com/f/security-cryptography/grant-type-validations.md) — Validates client and user credentials across various grant flows to ensure secure API access. ([source](https://oauth2.thephpleague.com/user-repository-interface/))
- [User Identity Verification](https://awesome-repositories.com/f/security-cryptography/identity-authentication/user-identity-verification.md) — Verifies user credentials against a data store to authorize specific grant requests. ([source](https://oauth2.thephpleague.com/user-repository-interface/))
- [Token Lifecycle Management](https://awesome-repositories.com/f/security-cryptography/identity-token-services/token-lifecycle-management.md) — Implements a complete system for issuing, revoking, and tracking the expiration of access tokens. ([source](https://oauth2.thephpleague.com/access-token-repository-interface/))
- [OAuth Grant Type Handlers](https://awesome-repositories.com/f/security-cryptography/oauth-grant-type-handlers.md) — Routes authorization requests through specific grant handlers to validate credentials and issue tokens.
- [Refresh Token Grants](https://awesome-repositories.com/f/security-cryptography/oidc-identity-token-issuance/refresh-token-grants.md) — Implements the grant flow to exchange a valid refresh token for a new access token. ([source](https://oauth2.thephpleague.com/authorization-server/refresh-token-grant/))
- [Token Signing Services](https://awesome-repositories.com/f/security-cryptography/oidc-identity-token-issuance/token-signing-services.md) — Signs and encrypts digital tokens using asymmetric keys to verify authenticity across distributed services.
- [Token Signing Operations](https://awesome-repositories.com/f/security-cryptography/token-authentication/token-signature-verification/token-signing-operations.md) — Implements cryptographic signatures on tokens using private keys to ensure authenticity and integrity across services. ([source](https://oauth2.thephpleague.com/installation/))
- [Authorization Code Management](https://awesome-repositories.com/f/security-cryptography/token-based-authorization/authorization-code-management.md) — Manages the lifecycle of short-lived authorization codes used to exchange for access tokens. ([source](https://oauth2.thephpleague.com/auth-code-repository-interface/))
- [OAuth Scope Management](https://awesome-repositories.com/f/security-cryptography/access-token-management/offline-access-tokens/oauth-scope-management.md) — Sets default and final permission scopes for clients using refresh tokens to control access levels. ([source](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md))
- [Refresh Token Rotation](https://awesome-repositories.com/f/security-cryptography/account-management/account-synchronization/credential-refreshers/oauth-token-refreshes/refresh-token-rotation.md) — Implements refresh token rotation by issuing new tokens and revoking old ones during each refresh cycle. ([source](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md))
- [Device Authentication Flows](https://awesome-repositories.com/f/security-cryptography/device-authentication-flows.md) — Implements the OAuth 2.0 device authorization grant for hardware with limited input capabilities.
- [API and Machine Authentication](https://awesome-repositories.com/f/security-cryptography/identity-access-management/authentication-strategies/machine-and-protocol-identity/api-machine-authentication.md) — Implements non-interactive authentication flows for automated service-to-service communication. ([source](https://oauth2.thephpleague.com/authorization-server/client-credentials-grant/))
- [PKCE Authorization Flows](https://awesome-repositories.com/f/security-cryptography/oauth-2-0-authorization-flows/pkce-authorization-flows.md) — Enforces Proof Key for Code Exchange to prevent authorization code interception for public clients. ([source](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md))
- [Scope Validations](https://awesome-repositories.com/f/security-cryptography/oauth-authentication-apis/multi-provider-credential-stores/client-secret-and-scope-management/scope-validations.md) — Verifies whether requested OAuth scopes are legitimate and modifies them based on user permissions. ([source](https://oauth2.thephpleague.com/scope-repository-interface/))
- [Public Clients](https://awesome-repositories.com/f/security-cryptography/oauth2-client-management/public-clients.md) — Permits non-confidential public clients to use authorization grants without requiring client secrets. ([source](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md))
- [JWT Token Validators](https://awesome-repositories.com/f/security-cryptography/security/policies/token-validation/bearer-token-validators/jwt-token-validators.md) — Verifies JWT authenticity and expiration including configurable time drift leeway for unsynchronized clocks. ([source](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md))
- [Single Sign-On](https://awesome-repositories.com/f/security-cryptography/single-sign-on.md) — Provides a unified authentication system using signed tokens to maintain sessions across multiple services.
- [Symmetric Encryption](https://awesome-repositories.com/f/security-cryptography/symmetric-encryption.md) — Employs symmetric encryption to protect authorization codes and refresh tokens from tampering.
- [Authorization Code Encryption](https://awesome-repositories.com/f/security-cryptography/symmetric-encryption/authorization-code-encryption.md) — Protects sensitive authorization codes using symmetric encryption to prevent tampering and data exposure. ([source](https://oauth2.thephpleague.com/installation/))
- [Device Grant Implementations](https://awesome-repositories.com/f/security-cryptography/token-based-authorization/token-operator-authorizations/request-authorizations/device-authorization-redirects/cross-device-authorizations/device-grant-implementations.md) — Provides a device authorization grant for hardware that cannot host a web browser for login. ([source](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md))

### Data & Databases

- [Authorization Store Backends](https://awesome-repositories.com/f/data-databases/persistent-storage-backends/relational-storage-backends/authorization-store-backends.md) — Provides the necessary data interfaces and backends for persisting clients, users, and tokens. ([source](https://oauth2.thephpleague.com/terminology/))
- [Repository Patterns](https://awesome-repositories.com/f/data-databases/backend-data-access-layers/repository-patterns.md) — Uses the repository pattern to decouple domain logic from specific database implementations.
- [Entity Interfaces](https://awesome-repositories.com/f/data-databases/entity-modeling/entity-interfaces.md) — Defines strict contracts for authorization entities to maintain consistent data structures across various storage backends.

### Development Tools & Productivity

- [OAuth2-Secured REST APIs](https://awesome-repositories.com/f/development-tools-productivity/rest-api-integrations/oauth2-secured-rest-apis.md) — Implements a security layer to protect REST API endpoints using OAuth2 token authentication. ([source](https://oauth2.thephpleague.com/user-repository-interface/))

### Networking & Communication

- [Redirect URI Attestations](https://awesome-repositories.com/f/networking-communication/uri-handlers/redirect-uri-attestations.md) — Verifies redirect URIs against established standards to prevent open redirect vulnerabilities. ([source](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md))

### Web Development

- [Third-Party Platform Authorizations](https://awesome-repositories.com/f/web-development/third-party-integrations/third-party-platform-authorizations.md) — Enables external applications to securely access user data via standardized authorization codes and redirects.
