oauth2-server | A spec compliant , secure by default PHP OAuth 2.0 Server | OAuth library

 by   thephpleague PHP Version: 8.5.1 License: MIT

kandi X-RAY | oauth2-server Summary

kandi X-RAY | oauth2-server Summary

oauth2-server is a PHP library typically used in Security, OAuth applications. oauth2-server has no bugs, it has no vulnerabilities, it has a Permissive License and it has medium support. You can download it from GitHub.

A spec compliant, secure by default PHP OAuth 2.0 Server

            kandi-support Support

              oauth2-server has a medium active ecosystem.
              It has 6304 star(s) with 1120 fork(s). There are 220 watchers for this library.
              There were 4 major release(s) in the last 12 months.
              There are 59 open issues and 632 have been closed. On average issues are closed in 69 days. There are 26 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of oauth2-server is 8.5.1

            kandi-Quality Quality

              oauth2-server has 0 bugs and 0 code smells.

            kandi-Security Security

              oauth2-server has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              oauth2-server code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              oauth2-server is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              oauth2-server releases are available to install and integrate.
              Installation instructions are not available. Examples and code snippets are available.
              oauth2-server saves you 877 person hours of effort in developing the same functionality from scratch.
              It has 2157 lines of code, 245 functions and 52 files.
              It has medium code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi has reviewed oauth2-server and discovered the below as its top functions. This is intended to give you an instant insight into oauth2-server implemented functionality, and help decide if they suit your requirements.
            • Respond to an access token request .
            • Validate the authorization header .
            • Issue an auth code .
            • Validate the old refresh token .
            • Validate the user .
            • Generate HTTP response .
            • Get scope entity by identifier .
            • Enable a grant type .
            • Encrypt data .
            • Validate a key .
            Get all kandi verified functions for this library.

            oauth2-server Key Features

            No Key Features are available at this moment for oauth2-server.

            oauth2-server Examples and Code Snippets

            Tries to create a public key from OAuth2 server .
            javadot img1Lines of Code : 18dot img1License : Permissive (MIT License)
            copy iconCopy
            private boolean tryCreateSignatureVerifier() {
                    long t = System.currentTimeMillis();
                    if (t - lastKeyFetchTimestamp < oAuth2Properties.getSignatureVerification().getPublicKeyRefreshRateLimit()) {
                        return false;
            Attempts to decode the OAuth2 token .
            javadot img2Lines of Code : 16dot img2License : Permissive (MIT License)
            copy iconCopy
                protected Map decode(String token) {
                    try {
                        //check if our public key and thus SignatureVerifier have expired
                        long ttl = oAuth2Properties.getSignatureVerification().getTtl();
                        if (ttl > 0 &am  

            Community Discussions


            Laravel passport library environment variable problem on Cloud Run
            Asked 2022-Mar-22 at 09:46

            I'm using the passport library on my laravel 8 project and I have a problem because I can't use the default command to generate my file php artisan passport:install because I'm on Cloud Run serverless and I have to use the environment variables.

            So I see this https://laravel.com/docs/9.x/passport#loading-keys-from-the-environment

            It works on my local environment when I send the variables through docker compose with APP_ENV=production declared but when I running on my production server in Cloud Run I have this error:



            Answered 2022-Mar-22 at 09:46

            After looking closer at your screenshot I think I see why the cert validation is failing.

            In CryptKey.php this line $this->isValidKey($keyPath, $this->passPhrase ?? '') is returning false because of the missing \n (new lines) in your keys, resulting in "Unable to read key from file -----BEGIN PRIVATE KEY-----...". Certificates need to be in a certain format, and that's currently not the case using those environment variables.

            If possible, change this invalid format in your secret:

            Source https://stackoverflow.com/questions/71531548


            laravel passport authorization code grant PKCE requires scope
            Asked 2022-Mar-15 at 20:21

            I am trying to implement authorization code grant with Laravel Passport and my SPA app. I stumbled upon following issue:

            To my knowledge scopes in OAuth are optional, I don't have to request one while asking for code. Even HERE it says that the scope is optional.

            So this is what happens:

            • I'm going from my SPA to this URL below


            Answered 2022-Mar-15 at 20:13

            In your URL there is scope=''& instead of scope=&.

            Try building the query parameters using http_build_query() as per docs.

            Source https://stackoverflow.com/questions/71487469


            is refresh the refresh token and refresh the access token pass the same parameter
            Asked 2022-Mar-06 at 06:32

            I read the docs from here https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/ that tell me, when we refresh the access token, we pass the grant_type and refresh_token parameter. how about refresh the refresh token? also pass the two parameter with refresh_token and grant_type? I did not found the refresh refresh token standard to show that how to refresh the refresh token. or we should not refresh the refresh token at all. Just let the user login again?



            Answered 2022-Mar-06 at 06:32

            Refresh tokens are typically longer-lived so one can use them to request new access tokens after the shorter-lived access tokens expire, but this bring one concern about the safety of refresh token as it give enough power to the holder to get a new access token to access the protected resouces anytime. The concern can be addressed to certain extent by rotating the refresh tokens. Refresh token rotation guarantees that every time an application exchanges a refresh token to get a new access token, a new refresh token is also returned. Therefore, you no longer have a long-lived refresh token that could provide illegitimate access to resources if it ever becomes compromised. The threat of illegitimate access is reduced as refresh tokens are continually exchanged and invalidated.

            Is refresh the refresh token and refresh the access token pass the same parameter?

            The outcome depends on the authorization server policies that whether it should return a same or new refresh token while refreshing a access token.

            Source https://stackoverflow.com/questions/71363042


            It was not possible to parse your key, Error in Laravel v6
            Asked 2021-Dec-20 at 07:45

            I'm using Laravel v6.2, passport v9.2. On local host its working perfect creating not even a single issue. When I deployed code on production server, it started created problem, it's giving error. I matched, php version is also same on production server. but error is only producing on production not local, while code and every thing is same on both. I searched and found that I should update passport but for this I also need to update laravel version, for some reason I don't want to update laravel.

            Can anyone help me how to solve this problem?




            Answered 2021-Dec-20 at 07:45

            I found my solution, in my case it was user permissions problem on production server. If someone of you is facing same issue, you may apply this solution or in your case can be different solution.

            Source https://stackoverflow.com/questions/70395459


            Composer/Symfony: dependency issues
            Asked 2021-May-24 at 14:48

            I'm currently working on an OroPlatform project, which is based on Symfony 4.4 and deployed on Platform.sh.

            I'm facing the following issue during the build phase of the deployment:

            • My app needs the package symfony/process 4.4.X
            • I don't know why, but on the Platform.sh server my app uses the symfony/process package installed for the composer binary installed globally, but this one is a 5.X version
            • So, I've got an error and I can't install my app because it uses the 5.X version instead of the 4.X
            • That's why I've found a workaround by using Composer 1.9.3 because it uses symfony/process 4.4.X, the same used by my app.

            It was working well, but yesterday I have to bump the composer version to latest 1.X due to the Github OAuth token changes: https://nono.ma/github-oauth-token-for-github-com-contains-invalid-characters-on-composer-install


            So, I'm still facing this issue with the 4.X version and the 5.X version.

            I've tried to install the dependencies of my project this way : composer install -n -o -a but the bug still occurs.

            I'm looking for a way to force my project to use the dependencies located in the vendor folder of my app and not the ones installed globally. Here is a screenshot of the issue on the Platform.sh server:

            And here is a schema of the path of my app and composer on a Platform.sh server:



            Answered 2021-May-23 at 17:17

            Try installing the package, so it will be added to your composer.json file.

            Source https://stackoverflow.com/questions/67657342


            How to resolve Laravel Composer Issue - Your requirements could not be resolved to an installable set of packages
            Asked 2021-May-01 at 09:13

            I am using the Windows Operation system to run PHP Laravel-8 Application. The PHP version for all the projects in my Windows Local System is PHP-Version3.8. All the Laravel Projects in my Local System has ("php": "^7.3|^8.0",)

            However, I did a pull request from a Team Project but it is PHP-Version4. The Project also uses Laravel-8 Framework ("php": "^7.4|^8.0",)

            When I tried to run composer install on the downloaded project, I got this error:



            Answered 2021-May-01 at 09:13

            Open your composer.json file and replace the version to:

            Source https://stackoverflow.com/questions/67344437


            Method Laravel\\Passport\\Bridge\\AccessToken::__toString() must not throw an exception
            Asked 2021-Apr-14 at 07:06

            I use these packages with these versions to create tokens for user login, but I encounter this error when creating tokens:




            Answered 2021-Apr-14 at 07:06

            You're probably on a PHP version prior to 7.4.

            Throwing exceptions in the __toString() method was allowed by this RFC which was accepted for PHP 7.4

            The laravel/passport package relies on lcobucci/jwt as well as the required league/oauth2-server also does.

            lcobucci/jwt has a minimum of PHP 7.4 dependency written which your composer install or composer update should have caught at some point unless you haven't installed them yourself or used composer with the --ignore-platform-reqs flag.

            Source https://stackoverflow.com/questions/67086544


            Failed login attempts via nginx/laravel API calls
            Asked 2021-Apr-04 at 19:37

            I was dealing with an issue where my API site was not accessible either by my iOS app or by a web client. I fixed the issue and can now visit the API site via web client, but now am unable to login to my app, although I periodically (about every half hour strangely) am able to for a short period of time. In the process of fixing the earlier issue, I messed around with my nginx sites-enabled file, and I think that might be what's causing this.

            Also when I paste the url path in a web client I get many errors from laravel, mostly involving code related to routing and HTTP.

            Is anyone able to identify what's going wrong?




            Answered 2021-Apr-04 at 19:37

            The API seems to be working consistently the day after, so I'm assuming that laravel and/or AWS has some sort of dynamic throttle whose threshold was lowered due to low traffic as a result of our prior API issue. Always better to have issues that fix themselves!

            Source https://stackoverflow.com/questions/66937760


            Laravel passport not loading private key properly
            Asked 2021-Mar-31 at 18:37

            I have installed Laravel passport, and it's working fine on my local machine.

            I don't want to have to run a passport command on the server so what I've done is tried to load the passport keys from the environment according to the docs: https://laravel.com/docs/8.x/passport#loading-keys-from-the-environment.

            I ran the publish command locally:



            Answered 2021-Mar-31 at 18:37

            The environment file was using ' rather than ". Changing this fixed the issue.

            Source https://stackoverflow.com/questions/66857172


            Spring OAuth redirect URL confusion
            Asked 2021-Jan-16 at 22:32

            Hi All I'm currently following this guide to building a auth service in Spring boot https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/

            I've modified it so when a user creates and account with a username and password it also returns a refresh_token.

            However, when I do an Auth flow with lets say facebook or google, I see the access token is appended in a redirect URL (see here github link)

            Now reading the OAuth doc this seems to make sense. However, how do I return the refresh token to the user as well. Is it safe to pass both access and refresh token in the URL?

            This is a side project that me and my mate are working on (he's doing the front end which he hasnt started yet :D) so I'm curious if its 1) ok to put both tokens in the URL and 2) should I be setting these as cookies httpOnly somehow for him.

            Sorry if this is a dumb question and thanks for reading



            Answered 2021-Jan-16 at 22:32

            You can return refresh token in the url as well. Other possible solution is to write both tokens in the response body as a JSON payload.

            Regarding your other question, you can safely store the refresh tokens in a HttpOnly cookie since it is the recommended way for persisting sensitive session-related data.

            Source https://stackoverflow.com/questions/65711080

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network


            No vulnerabilities reported

            Install oauth2-server

            You can download it from GitHub.
            PHP requires the Visual C runtime (CRT). The Microsoft Visual C++ Redistributable for Visual Studio 2019 is suitable for all these PHP versions, see visualstudio.microsoft.com. You MUST download the x86 CRT for PHP x86 builds and the x64 CRT for PHP x64 builds. The CRT installer supports the /quiet and /norestart command-line switches, so you can also script it.


            The library documentation can be found at https://oauth2.thephpleague.com. You can contribute to the documentation in the gh-pages branch.
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
          • HTTPS


          • CLI

            gh repo clone thephpleague/oauth2-server

          • sshUrl


          • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link

            Explore Related Topics

            Consider Popular OAuth Libraries


            by sahat


            by microsoft


            by thephpleague


            by scribejava


            by laravel

            Try Top Libraries by thephpleague


            by thephpleaguePHP


            by thephpleaguePHP


            by thephpleaguePHP


            by thephpleaguePHP


            by thephpleaguePHP