Google Auth Library for PHP

Overview

Homepage
http://www.github.com/google/google-auth-library-php
Reference Docs
https://googleapis.github.io/google-auth-library-php/master/
Authors
Tim Emiola
Stanley Cheung
Brent Shaffer
Copyright
Copyright © 2015 Google, Inc.
License
Apache 2.0

Description

This is Google's officially supported PHP client library for using OAuth 2.0 authorization and authentication with Google APIs.

Installing via Composer

The recommended way to install the Google Auth library is through Composer.

# Install Composer
curl -sS https://getcomposer.org/installer | php

Next, run the Composer command to install the latest stable version:

composer.phar require google/auth

Application Default Credentials

This library provides an implementation of application default credentials for PHP.

The Application Default Credentials provide a simple way to get authorization credentials for use in calling Google APIs.

They are best suited for cases when the call needs to have the same identity and authorization level for the application independent of the user. This is the recommended approach to authorize calls to Cloud APIs, particularly when you're building an application that uses Google Compute Engine.

Download your Service Account Credentials JSON file

To use Application Default Credentials, you first need to download a set of JSON credentials for your project. Go to APIs & Services > Credentials in the Google Developers Console and select Service account from the Add credentials dropdown.

This file is your only copy of these credentials. It should never be committed with your source code, and should be stored securely.

Once downloaded, store the path to this file in the GOOGLE_APPLICATION_CREDENTIALS environment variable.

putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

PHP's putenv function is just one way to set an environment variable. Consider using .htaccess or Apache configuration files as well.

Enable the API you want to use

Before making your API call, you must be sure the API you're calling has been enabled. Go to APIs & Auth > APIs in the Google Developers Console and enable the APIs you'd like to call. For the example below, you must enable the Drive API.

Call the APIs

As long as you update the environment variable below to point to your JSON credentials file, the following code should output a list of your Drive files.

use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// define the scopes for your API call
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

// create middleware
$middleware = ApplicationDefaultCredentials::getMiddleware($scopes);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
  'handler' => $stack,
  'base_uri' => 'https://www.googleapis.com',
  'auth' => 'google_auth'  // authorize all requests
]);

// make the request
$response = $client->get('drive/v2/files');

// show the result!
print_r((string) $response->getBody());

Guzzle 5 Compatibility

If you are using Guzzle 5, replace the "create middleware" and "create the HTTP client" steps with the following:

// create the HTTP client
$client = new Client([
  'base_url' => 'https://www.googleapis.com',
  'auth' => 'google_auth'  // authorize all requests
]);

// create subscriber
$subscriber = ApplicationDefaultCredentials::getSubscriber($scopes);
$client->getEmitter()->attach($subscriber);

Call using an ID Token

If your application is running behind Cloud Run, or using Cloud Identity-Aware Proxy (IAP), you will need to fetch an ID token to access your application. For this, use the static method getIdTokenMiddleware on ApplicationDefaultCredentials.

use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// Provide the ID token audience. This can be a Client ID associated with an IAP application,
// or the URL associated with a Cloud Run app
//    $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com';
//    $targetAudience = 'https://service-1234-uc.a.run.app';
$targetAudience = 'YOUR_ID_TOKEN_AUDIENCE';

// create middleware
$middleware = ApplicationDefaultCredentials::getIdTokenMiddleware($targetAudience);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
  'handler' => $stack,
  'auth' => 'google_auth',
  // Cloud Run, IAP, or custom resource URL
  'base_uri' => 'https://YOUR_PROTECTED_RESOURCE',
]);

// make the request
$response = $client->get('/');

// show the result!
print_r((string) $response->getBody());

For invoking Cloud Run services, your service account will need the Cloud Run Invoker IAM permission.

For invoking Cloud Identity-Aware Proxy, you will need to pass the Client ID used when you set up your protected resource as the target audience. See how to secure your IAP app with signed headers.

Call using a specific JSON key

If you want to use a specific JSON key instead of using the GOOGLE_APPLICATION_CREDENTIALS environment variable, you can do this:

use Google\Auth\CredentialsLoader;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// Define the Google Application Credentials array
$jsonKey = ['key' => 'value'];

// define the scopes for your API call
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

// Load credentials
$creds = CredentialsLoader::makeCredentials($scopes, $jsonKey);

// optional caching
// $creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache);

// create middleware
$middleware = new AuthTokenMiddleware($creds);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
  'handler' => $stack,
  'base_uri' => 'https://www.googleapis.com',
  'auth' => 'google_auth'  // authorize all requests
]);

// make the request
$response = $client->get('drive/v2/files');

// show the result!
print_r((string) $response->getBody());
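
Because makeCredentials takes the key as an array, the key does not have to exist as a file in the deployed code. The following added example (not from the library's README) reads it from an environment variable and validates it before use; the variable name SERVICE_ACCOUNT_JSON and the helper parseServiceAccountKey are assumptions, and the sample key is constructed.

```php
<?php
// Added example, not part of google/auth. SERVICE_ACCOUNT_JSON and
// parseServiceAccountKey() are hypothetical names chosen for this sketch.

/**
 * Decode a service account key supplied as a JSON string and check the fields
 * needed before it is handed to CredentialsLoader::makeCredentials().
 * Error messages never include the key material.
 */
function parseServiceAccountKey(string $json): array
{
    $key = json_decode($json, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($key)) {
        throw new InvalidArgumentException('service account key is not a JSON object');
    }
    // This sketch accepts service account keys only.
    if (($key['type'] ?? null) !== 'service_account') {
        throw new InvalidArgumentException('key "type" must be "service_account"');
    }
    foreach (['client_email', 'private_key'] as $field) {
        if (!isset($key[$field]) || !is_string($key[$field]) || $key[$field] === '') {
            throw new InvalidArgumentException("key is missing the \"$field\" field");
        }
    }
    return $key;
}

// Constructed sample standing in for the real variable, which would be set in
// the hosting platform's configuration and never in source control.
if (getenv('SERVICE_ACCOUNT_JSON') === false) {
    putenv('SERVICE_ACCOUNT_JSON=' . json_encode([
        'type' => 'service_account',
        'client_email' => 'constructed@example-project.iam.gserviceaccount.com',
        'private_key' => 'constructed-placeholder-not-a-real-key',
    ]));
}

$jsonKey = parseServiceAccountKey(getenv('SERVICE_ACCOUNT_JSON'));
echo 'Loaded key for ', $jsonKey['client_email'], PHP_EOL;

// With the library installed, continue exactly as in the section above:
// $creds = CredentialsLoader::makeCredentials($scopes, $jsonKey);
```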

Verifying JWTs

If you are using Google ID tokens to authenticate users, use the Google\Auth\AccessToken class to verify the ID token:

use Google\Auth\AccessToken;

$auth = new AccessToken();
// verify() returns the token payload on success, or false if verification fails
$payload = $auth->verify($idToken);

If your app is running behind Google Identity-Aware Proxy (IAP), you can verify the ID token coming from the IAP server by pointing to the appropriate certificate URL for IAP. This is because IAP signs the ID tokens with a different key than the Google Identity service:

use Google\Auth\AccessToken;

$auth = new AccessToken();
// returns the token payload on success, or false if verification fails
$payload = $auth->verify($idToken, [
  'certsLocation' => AccessToken::IAP_CERT_URL
]);

License

This library is licensed under Apache 2.0. Full license text is available in COPYING.

Contributing

See CONTRIBUTING.

Support

Please report bugs at the project on GitHub. Don't hesitate to ask questions about the client or APIs on StackOverflow.

Comments
  • Importing keyfile on heroku

    I am deploying an app to heroku, and am using the google cloud storage bucket. All works well on my local pc, but when I deploy the app to heroku, and set the config vars, it doesn't work. I've seen that the auth client expects an absolute file path to the keyfile that contains the credentials. For platforms such as heroku, it seems a bit of a challenge, since I can't commit/add the keyfile to git. How do I get around this?

    triage me :rotating_light: 
    opened by leantony 21
  • Library incompatible with psr/cache ^3.0

    Hello,

    I'm running a project (Phpfastcache#v9) that requires psr/cache ^3.0, which conflicts with your constraints: ^1.0|^2.0

    So actually I cannot make use of any Google product at all because of this very "central" constraint.

    Do you plan to make it compatible with psr/cache ^3.0?

    It's basically the same interface as previous but with PHP-8 type hint.

    This should not break compatibility at all to support it since psr/cache ^3.0 already constraints on php ^8.0 and the interface remains the same.

    Thanks.

    Environment details

    • OS: Win 10 x64
    • PHP version: 8.0
    • Package name and version: latest
    opened by Geolim4 17
  • Implement IAP/JWT client

    Please implement the functionality required to connect to IAP protected services like in the Python Auth Client: https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py

    triage me :rotating_light: 
    opened by nohn 15
  • feat: Add support for Guzzle 7.x

    Greetings 👋

    Update 2020-06-27: Guzzle 7.0 has been released

    Guzzle 7 is only in beta at the moment, but due to its popularity/once it's released I assume that many developers will want to use it, perhaps already today. This PR aims to make google/auth ready for that and is a prerequisite to making similar changes to google/cloud(-core) and google/api-client.

    Changes

    • Updated composer.json
    • ~Extracted a version helper into a dedicated method in HttpHandlerFactory::getGuzzleVersion() and replaced usages~ (Reverted after review)
    • ~Updated test matrix to test all supported Guzzle Versions (5.x is covered by --prefer-lowest, 6.x by the new environment, 7.x by default)~ (The tests have moved to GitHub Actions since)
    • Updated the check itself: ~According to https://github.com/guzzle/guzzle/blob/7.0.0-beta.1/UPGRADING.md#other-backwards-compatibility-breaking-changes , the ClientInterface::VERSION constant has been removed - that means that we can safely assume that a missing constant means that we're on 7.x~ Guzzle 7 has introduced ClientInterface::MAJOR_VERSION that can be used for version checks.
    • Changed the HTTP client option exceptions to http_errors for tests with Guzzle >=6.0 (support for exceptions has been removed in Guzzle 7)

    :octocat:

    cla: yes 
    opened by jeromegamez 13
  • Refactor CacheTrait to enable expiration tracking

    This PR makes changes to the CacheTrait trait in order to add the ability to enable per-item expiration dates, and updates the FetchAuthTokenCache class in order to specify the auth token expiry when caching.

    At the time of this pull request, there is a > 4 year old TODO in the FetchAuthTokenCache class:

    https://github.com/googleapis/google-auth-library-php/blob/077d6ae98d550161d3b2a0ba283bdce785c74d85/src/FetchAuthTokenCache.php#L81-L84

    Unfortunately this means that code using this library is subject to a potential error condition in which the auth token is cached for longer than it is valid. While the library does set a maximum lifetime of 1500 seconds (25 minutes) for tokens, it is possible for a Google metadata server to return an access token that expires within that lifetime; any API calls made using this token during that time frame will fail with a 403 Permission Denied error.

    From experience this bug has led to more than one brief outage of a service that utilizes the cached tokens, and the goal of this PR is to eliminate the issue.

    Note to maintainers:

    • It may be helpful to go through the PR one commit at a time.
    • I am under the impression that you strive to maintain a compatible public API, I consider the CacheTrait internal to the library and felt comfortable making breaking changes here, let me know if this is not the case.
    • I'm fairly certain tests in tests/Subscriber will fail, I did not include updates to them as I wanted to get feedback on the general idea of the PR first.
    • I've removed a decent number of tests that I consider redundant - the AuthTokenMiddlewareTest, for example, includes tests that depend on the cache although the AuthTokenMiddleware class itself doesn't care whether or not it is using a caching FetchAuthTokenInterface. If there are any you disagree with, I'm happy to discuss and re-include them.

    Thanks!

    cla: yes 
    opened by ericnorris 12
  • add support for guzzle 6

    Notable changes:

    • Organized classes under new namespaces (ex. Google\Auth\GCECredentials is now found under the Google\Auth\Credentials\GCECredentials namespace)
    • Renamed 'getFetcher' to 'getSubscriber'
    use Google\Auth\ApplicationDefaultCredentials;
    
    ApplicationDefaultCredentials::getFetcher() // no-mo
    ApplicationDefaultCredentials::getSubscriber() // +1
    
    • Added guzzle 6 middleware implementations
    use Google\Auth\ApplicationDefaultCredentials;
    use GuzzleHttp\Client;
    use GuzzleHttp\HandlerStack;
    
    $middleware = ApplicationDefaultCredentials::getMiddleware(
        'https://www.googleapis.com/auth/taskqueue'
    );
    $stack = HandlerStack::create();
    $stack->push($middleware);
    
    $client = new Client([
        'handler' => $stack,
        'base_uri' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
        'auth' => 'google_auth' // authorize all requests
    ]);
    
    $res = $client->get('myproject/taskqueues/myqueue');
    
    • Support for guzzle 5/6 as the default transport layer - however you can now also define a custom layer as follows:
    use Google\Auth\Credentials\GCECredentials;
    use GuzzleHttp\Psr7\Response;
    use Psr\Http\Message\RequestInterface;
    
    $isOnGCE = GCECredentials::onGce(function (RequestInterface $request, $options = []) {
        // define your own http implementation which returns a PSR7 response
        return new Response(200);
    });
    

    The code is functional but please keep in mind there are still a few @todos which need to be addressed.

    cla: yes 
    opened by dwsupplee 12
  • feat: add ImpersonatedServiceAccountCredentials

    In order to add support for IAM Blob Signing via API request in google-cloud-php-iam-credentials, there needs to be a way to extend the different types of credential loaders that are supported by this lower level library. Support cannot be added here directly due to the introduction of a circular dependency.

    This change will allow higher level libraries to "register" custom Credentials Loader Factory Method objects and have them considered when processing application_default_credentials.json (impersonated_service_account as an example).

    opened by PsyonixMonroe 11
  • verifyIdToken not giving payload for valid id_token

    Hi,

    I was using Google Auth library to get data. I was trying to verify Id Token but not giving payload return

    I was using like this $payload = $oauth2->verifyIdToken();

    It is giving me error Key may not be emptySome Error Occured!!!

    Can you please see why it is like this?

    Thanks,

    type: bug priority: p2 :rotating_light: 
    opened by chiragvels 11
  • FetchAuthTokenCache returning expired tokens

    I am the owner of the Cloud Spanner PHP client library investigating the following customer issue:

    The customer uses PHP Spanner client lib and they deploy their application on GKE.

    • Workload Identity keeps a token for 59min in the metadata server and retrieves a new one every 60min.
    • PHP Spanner client lib keeps a token for 1500sec (25min). When the token expires, client lib retrieves a new access token from the metadata server.
    • The problem is that PHP Spanner client lib keeps a token for 1500sec even when GKE metadata server refreshes new token and previous token expires.
    • Finally Spanner client lib uses the expired token and error for a while.

    I believe this issue is caused by the tokens remaining in the cache after they expire on the backend because the cache expiry uses the cache config lifetime. The cache expiry should use the token expiry as hinted at in the following fetchAuthToken TODO:

            // TODO: correct caching; update the call to setCachedValue to set the expiry
            // to the value returned with the auth token.
    

    Implementing the TODO should resolve this issue.

    type: bug priority: p1 :rotating_light: 
    opened by larkee 10
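
The failure described in this issue and in the "Refactor CacheTrait to enable expiration tracking" PR above, as an added illustration that is not the library's code: a cache with a fixed 1500-second lifetime keeps serving a token that expired upstream, while a lifetime capped by the token's own expiry does not. TokenCache, cacheLifetime and EXPIRY_SKEW are hypothetical names, and the scenario values are constructed.

```php
<?php
// Added illustration, not code from google/auth. TokenCache, cacheLifetime()
// and EXPIRY_SKEW are hypothetical names; the scenario values are constructed.

const FIXED_LIFETIME = 1500; // seconds: the fixed cache lifetime described in the reports
const EXPIRY_SKEW = 10;      // seconds: assumed safety margin before the real expiry

/** Seconds a freshly fetched token may stay in the cache. */
function cacheLifetime(array $token): int
{
    if (!isset($token['expires_in']) || !is_numeric($token['expires_in'])) {
        return 0; // unknown expiry: do not cache at all
    }
    $remaining = (int) $token['expires_in'] - EXPIRY_SKEW;
    return max(0, min(FIXED_LIFETIME, $remaining));
}

final class TokenCache
{
    /** @var array|null */
    private $entry = null;
    /** @var bool */
    private $useTokenExpiry;

    public function __construct(bool $useTokenExpiry)
    {
        $this->useTokenExpiry = $useTokenExpiry;
    }

    public function put(array $token, int $now): void
    {
        $lifetime = $this->useTokenExpiry ? cacheLifetime($token) : FIXED_LIFETIME;
        $this->entry = ['token' => $token, 'cachedUntil' => $now + $lifetime];
    }

    public function get(int $now): ?array
    {
        if ($this->entry === null || $now >= $this->entry['cachedUntil']) {
            return null; // miss: the caller must fetch a new token
        }
        return $this->entry['token'];
    }
}

/** True when the cache hands out a token that has already expired upstream. */
function servesExpiredToken(bool $useTokenExpiry): bool
{
    // t=0: the metadata server returns a token it has held for a while; 300 s remain.
    $token = ['access_token' => 'constructed-token', 'expires_in' => 300];
    $expiresAt = 0 + $token['expires_in'];

    $cache = new TokenCache($useTokenExpiry);
    $cache->put($token, 0);

    // t=600: inside the 1500 s cache lifetime, but past the token's real expiry.
    $now = 600;
    $cached = $cache->get($now);
    return $cached !== null && $now >= $expiresAt;
}

echo 'fixed 1500 s lifetime serves expired token: ',
    var_export(servesExpiredToken(false), true), PHP_EOL;
echo 'expiry-aware lifetime serves expired token: ',
    var_export(servesExpiredToken(true), true), PHP_EOL;
```
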
  • Add support for Workload Identity on the GKE

    Is your feature request related to a problem? Please describe. When running an application on the GKE I would like to be able to get credentials for a workload identity. The class GCECredentials already implements a great deal, however it only gets the credentials for the default service account. For workload identities, I would like to specify the google service account (GSA) the credentials are fetched for.

    Describe the solution you'd like By refactoring the GCECredentials it is fairly easy to pass the service account name as parameter in the constructor. Or maybe adding a separate class like GKEWorkloadIdentityCredentials that inherits from GCECredentials would make sense.

    triage me :rotating_light: 
    opened by mruoss 10
  • Cache item expiration correctly calculated when DST shifts

    Hello,

    During the latest DST shift we had in Europe on 28th October we experienced problems with our long-running processes failing to authenticate with GCP PubSub.

    I think it was caused by a comparison that does not take the DST into account.

    I split this PR into 2 commits - the failing test that demonstrates the problem we encountered and the fix.

    Since manipulating time in PHP using built-in DateTime classes is not possible, I introduced a clock abstraction. I don't like the singleton design of it but it seemed like the simplest way to solve the problem while also keeping BC.

    cla: yes 
    opened by gedimin45 10
  • User Refresh Credentials Authentication flow with Access Token Only

    Current Issue

    On Google-Ads-PHP, a feature request was raised where someone using a microservice architecture would like a way to manage retrieval of access tokens themselves (shared between simultaneously running instances) instead of providing a refresh token and having this library obtain the access token. That library wraps around the classes exposed from this library, and while it has UserRefreshCredentials which allows authorisation with client id/secret & refresh token, it doesn't allow supplying an access token (although from a theory basis, supplying a valid access token should be sufficient to perform a request)

    Suggested Solution

    I am happy to submit a PR here (and then a further PR in Google-Ads-PHP making use of the new code) to solve the problem if the maintainers feel it has merit. In terms of how the solution should be authored I am happy to accept guidance, but my suggestion would be a new class which:

    • Extends UserRefreshCredentials
    • Is constructed with access_token and expires_at, optionally with client_id, client_secret, refresh_token
      • If passed, code is implemented to allow token refresh
    • Has a getAccessToken method to get a refreshed token (if one is possible to obtain)

    Open Questions

    • Is there a better way to implement support for the reporter's use case?
    • Should there be any special handling for when an access token has expired but the expires_at hasn't passed (e.g. the wrong expires_at was passed in)?
    • When expires_at has passed and no refresh_token exists, what should fetchAuthToken do?
      • Throw an exception (if so what)?

    Thanks, Robert

    opened by DeveloperRob 0
  • Google Ads Api Oauth Catchable Exception

            try {
                // Generate a refreshable OAuth2 credential for authentication.
                $oAuth2Credential = (new OAuth2TokenBuilder())
                    ->withClientId(env('GOOGLE_ADS_CLIENT_ID'))
                    ->withClientSecret(env('GOOGLE_ADS_CLIENT_SECRET'))
                    ->withRefreshToken($refreshToken)
                    ->build();
            } catch (\Throwable $e) {
                return $this->job->fail();
            }
    
            try {
                // Construct a Google Ads client configured from a properties file and the
                // OAuth2 credentials above.
                $googleAdsClient = (new GoogleAdsClientBuilder())
                    ->withOAuth2Credential($oAuth2Credential)
                    ->withDeveloperToken(env('GOOGLE_ADS_DEVELOPER_TOKEN'))
                    ->withLoginCustomerId($customerID)
                    ->withTransport('rest')
                    ->build();
            } catch (\Throwable $e) {
                return $this->job->fail();
            }
    

    So I have the code above which is using the google auth library to create the oauth credential, however some of our clients have expired refresh tokens: This spits out:

    Message
    Client error: POST https://oauth2.googleapis.com/token resulted in a 400 Bad Request response:
    {
     "error": "invalid_grant",
     "error_description": "Token has been expired or revoked."
    }
    Level
    ERROR
    Exception
    {
        "class": "GuzzleHttp\\Exception\\ClientException",
        "message": "Client error: `POST https://oauth2.googleapis.com/token` resulted in a `400 Bad Request` response:\n{\n  \"error\": \"invalid_grant\",\n  \"error_description\": \"Token has been expired or revoked.\"\n}\n",
        "code": 400,
        "file": "/usr/local/bigtop/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113",
        "trace": [
            "/usr/local/bigtop/vendor/guzzlehttp/guzzle/src/Middleware.php:69",
            "/usr/local/bigtop/vendor/guzzlehttp/promises/src/Promise.php:204",
            "/usr/local/bigtop/vendor/guzzlehttp/promises/src/Promise.php:153",
            "/usr/local/bigtop/vendor/guzzlehttp/promises/src/TaskQueue.php:48",
            "/usr/local/bigtop/vendor/guzzlehttp/promises/src/Promise.php:248",
            "/usr/local/bigtop/vendor/guzzlehttp/promises/src/Promise.php:224",
            "/usr/local/bigtop/vendor/guzzlehttp/promises/src/Promise.php:269",
            "/usr/local/bigtop/vendor/guzzlehttp/promises/src/Promise.php:226",
            "/usr/local/bigtop/vendor/guzzlehttp/promises/src/Promise.php:62",
            "/usr/local/bigtop/vendor/guzzlehttp/guzzle/src/Client.php:123",
            "/usr/local/bigtop/vendor/google/auth/src/HttpHandler/Guzzle6HttpHandler.php:47",
            "/usr/local/bigtop/vendor/google/auth/src/OAuth2.php:544",
            "/usr/local/bigtop/vendor/google/auth/src/Credentials/UserRefreshCredentials.php:114",
            "/usr/local/bigtop/vendor/google/auth/src/CredentialsLoader.php:214",
            "/usr/local/bigtop/vendor/google/gax/src/CredentialsWrapper.php:208",
            "/usr/local/bigtop/vendor/google/gax/src/Transport/HttpUnaryTransportTrait.php:111",
            "/usr/local/bigtop/vendor/google/gax/src/Transport/RestTransport.php:110",
            "/usr/local/bigtop/vendor/google/gax/src/GapicClientTrait.php:608",
            "/usr/local/bigtop/vendor/google/gax/src/Middleware/CredentialsWrapperMiddleware.php:61",
            "/usr/local/bigtop/vendor/google/gax/src/Middleware/FixedH
    

    Is there a good way to be able to catch that since it's being caught inside the libraries and I'm not seeing a way to properly handle that exception.

    type: question needs more info 
    opened by necrogami 3
  • Support for Application Default Credentials with impersonated_service_account

    Is your feature request related to a problem? Please describe.

    I'm a bit unsure if this is a bug report, or a feature request.

    In any case, for local testing of application code, we would like to impersonate the Service Account used for running the application on GCP.

    It works when retrieving the ADC JSON with a user's own set of credentials, but not after adding --impersonate-service-account and then providing the application the JSON in either a well known location or via GOOGLE_APPLICATION_CREDENTIALS.

    This results in "type": "impersonated_service_account":

    $ gcloud --impersonate-service-account <service account> auth application-default login
    

    Describe the solution you'd like

    Applications using this library should be able to authenticate with the impersonated Service Account.

    Describe alternatives you've considered

    Currently, local testing just uses the user's own credentials. Which may or may not have the same privileges as the Service Account.

    Additional context

    • This library is in use via a GCS adapter in our case.
    • I found a similar issue in the Golang oauth2 package, which led me to think that maybe this isn't just supported.
    • Impersonation is mentioned in passing for V2.0
    type: feature request 
    opened by quulah 1
  • Implement Retryable interface for token endpoint requests

    Currently, clients do not have a good way to distinguish retryable errors and implement custom retry strategies. Sometimes this causes infinite retries like here: https://github.com/nwbirnie/gapic-oauth-invalid-hangs. Please prioritize the fix if similar infinite retry is repro here as well.

    More details in the doc: go/auth-correct-retry

    type: feature request 
    opened by TimurSadykov 1
  • ServiceAccountSignerTrait's signBlob signature and usage issue with "forceOpenssl"

    Hi everyone,

    While debugging an OpenSSL issue, I stumbled upon a piece of code that will never be executed:

    if (class_exists('\\phpseclib\\Crypt\\RSA') && !$forceOpenssl) {
    

    It looks like that (at least) the Google Storage client passes an array with forceOpenssl as the key. Hence, the check !$forceOpenssl will always evaluate to false and phpseclib will never be used as the preferred option, even though it's present.

    I have not checked other usage of the signBlob method to see which parameters are passed. A quick workaround would be adding something like this before the if statement on L40:

    if (is_array($forceOpenssl)) {
        $forceOpenssl = array_key_exists('forceOpenssl', $forceOpenssl) ? $forceOpenssl['forceOpenssl'] : false;
    }
    

    What do you think?

    Cheers.

    type: question 
    opened by chdeliens 0
Releases(v1.24.0)
  • v1.24.0(Nov 28, 2022)

  • v1.23.1(Oct 26, 2022)

  • v1.23.0(Sep 27, 2022)

  • v1.22.0(Sep 1, 2022)

    Features

    • CredentialsLoader::updateMetadata now supports id_token (#405)

    Bug Fixes

    • remove catching non-existent class (#407)
    • add eager refresh (#411)
  • v1.21.1(Jun 13, 2022)

  • v1.21.0(Apr 13, 2022)

    Features

    1. Support for Firebase v6.0 (https://github.com/googleapis/google-auth-library-php/pull/391)

    IMPORTANT This release will break backwards compatibility in some cases. If you are using OAuth2::verifyIdToken and passing multiple algorithms as the second argument, this will now throw an exception:

    // No problem here, only 1 algorithm is being used
    $oauth->verifyIdToken($publicKeys, ['RS256']);
    
    // This was accepted before, but it will now throw an InvalidArgumentException
    $oauth->verifyIdToken($publicKeys, ['RS256', 'HS256']);
    

    This is because we are closing a security vulnerability (see CVE-2021-46743 and https://github.com/advisories/GHSA-8xf4-w7qw-pjjw), and there is no way to close it without throwing an exception in this case. The recommended way to do this is now to pass an array of Firebase\JWT\Key as $publicKeys:

    // create an array of Firebase\JWT\Key. For example:
    use Firebase\JWT\Key;
    $keys = [
        new Key($publicKeys[0], 'RS256'),
        new Key($publicKeys[1], 'HS256'),
    ];
    $oauth->verifyIdToken($keys);
    
  • v1.20.1(Apr 13, 2022)

  • v1.20.0(Apr 11, 2022)

    Dropping Support

    • PHP 5.6 and 7.0 are no longer supported

    Features

    • add support for psr/cache:3 (#364)
    • add Google\Auth\Cache\TypedItem (for psr/cache:3) (#364)

    Bug Fixes

    • throw audience mismatch when audience doesn't exist (#370)
  • v1.19.0(Mar 24, 2022)

  • v1.18.0(Aug 24, 2021)

  • v1.17.0(Aug 18, 2021)

    1.17.0 (08/18/2021)

    • [fix]: consistently use useSelfSignedJwt method in ServiceAccountJwtAccessCredentials (#351)
    • [feat]: add loading and executing of default client cert source (#353)
    • [feat]: add support for proxy-authorization header (#347)
  • v1.16.0(Jun 22, 2021)

  • v1.15.2(Jun 22, 2021)

  • v1.15.1(Apr 21, 2021)

  • v1.15.0(Feb 5, 2021)

  • v1.14.3(Oct 16, 2020)

  • v1.14.2(Oct 14, 2020)

  • v1.14.1(Oct 6, 2020)

  • v1.14.0(Oct 2, 2020)

  • v1.13.0(Sep 18, 2020)

  • v1.12.0(Sep 8, 2020)

    v1.12.0 (09/08/2020)

    • [feat]: Add QuotaProject option to getMiddleware (#296)
    • [feat]: Add caching for calls to GCECredentials::onGce (#301)
    • [feat]: Add updateMetadata function to token cache (#298)
    • [fix]: Use quota_project_id instead of quota_project (#299)
  • v1.11.1(Jul 27, 2020)

  • v1.11.0(Jul 22, 2020)

  • v1.10.0(Jul 8, 2020)

    1.10.0 (7/8/2020)

    • [feat]: Add support for Guzzle 7 (#256)
    • [fix]: Remove SDK warning (#283)
    • [chore]: Switch to github pages deploy action (#284)
  • v1.9.0(May 18, 2020)

    1.9.0 (5/14/2020)

    • [feat] Add quotaProject param for extensible client options support (#277)
    • [feat] Add signingKeyId param for jwt signing (#270)
    • [docs] Misc documentation improvements (#268, #278, #273)
    • [chore] Switch from Travis to Github Actions (#273)
  • v1.8.0(Mar 26, 2020)

    1.8.0 (3/26/2020)

    • [feat] Add option to throw exception in AccessToken::verify(). (#265)
    • [feat] Add support for x-goog-user-project. (#254)
    • [feat] Add option to specify issuer in AccessToken::verify(). (#267)
    • [feat] Add getProjectId to credentials types where project IDs can be determined. (#230)
  • v1.7.1(Feb 12, 2020)

  • v1.7.0(Feb 11, 2020)

    1.7.0 (02/11/2020)

    • [feat] Add ID token to auth token methods. (#248)
    • [feat] Add support for ES256 in AccessToken::verify. (#255)
    • [fix] Let namespace match the file structure. (#258)
    • [fix] Construct RuntimeException. (#257)
    • [tests] Update tests for PHP 7.4 compatibility. (#253)
    • [chore] Add a couple more things to .gitattributes. (#252)
  • v1.6.1(Oct 29, 2019)

  • v1.6.0(Oct 1, 2019)

    1.6.0 (10/01/2019)

    • [feat] Add utility for verifying and revoking access tokens. (#243)
    • [docs] Fix README console terminology. (#242)
    • [feat] Support custom scopes with GCECredentials. (#239)
    • [fix] Fix phpseclib existence check. (#237)
Owner
Google APIs
Clients for Google APIs and tools that help produce them.
Google APIs
CakeDC Auth Objects is a refactor of the existing Auth objects present in the CakeDC Users Plugin, to let anyone else use them in their projects.

Cake Development Corporation 24 Sep 23, 2022
Google Auth Library for PHP

This is Google's officially supported PHP client library for using OAuth 2.0 authorization and authentication with Google APIs.

Google APIs 1.2k Jan 4, 2023
Slim Auth is an authorization and authentication library for the Slim Framework.

Slim Auth is an authorization and authentication library for the Slim Framework. Authentication is provided by the Zend Framework Zend\Authentication component, and authorization by the Zend Framework Zend\Permissions\Acl component.

Jeremy Kendall 246 Dec 16, 2022
Simple JWT Auth support for Laravel PHP Framework

Laravel JWT Simple JWT Auth for Laravel PHP Framework using Firebase JWT under the hood. Installation Standard Composer package installation: composer

Ricardo Čerljenko 34 Nov 21, 2022
Simple PASETO Auth support for Laravel PHP Framework

Laravel PASETO Simple PASETO Auth for Laravel PHP Framework using paragonie/paseto under the hood. Installation Standard Composer package installation

Ricardo Čerljenko 9 Jan 11, 2022
A PHP boilerplate based on Slim Framework, for starting projects with Eloquent ORM, Validation, Auth (JWT), Repositories and Transformers ready

A PHP boilerplate based on Slim Framework, for starting projects with Eloquent ORM, Validation, Auth (JWT), Repositories and Transformers ready.

Damiano Petrungaro 58 Aug 10, 2022
Auth is a module for the Yii PHP framework that provides a web user interface for Yii's built-in authorization manager

Auth is a module for the Yii PHP framework that provides a web user interface for Yii's built-in authorization manager (CAuthManager). You can read more about Yii's authorization manager in the framework documentation under Authentication and Authorization.

Christoffer Niska 134 Oct 22, 2022
Set up Laravel Auth guards using Eloquent in seconds

Nightguard Set up Auth guards using Eloquent in seconds. Introduction Laravel guards provide a super convenient way of authorizing different areas of

Luke Downing 10 Mar 18, 2021
Laravel starter kit with Livewire & Bootstrap 5 auth scaffolding.

Laravel Livewire Auth Laravel starter kit with Livewire & Bootstrap 5 auth scaffolding. Requirements NPM Installation Create a new Laravel app: larave

null 8 Sep 11, 2021
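Sliding captcha for dcat-admin auth / dcat-admin login sliding captcha plugin with multi-platform support

dcat-admin login sliding captcha plugin with multi-platform support. A laravel-admin version is also available. Demo: demo site (none yet; the current address is the demo for the laravel-admin version). Supported (in alphabetical order): Dingxiang ✔️ Geetest ✔️ hCaptcha (and Google Rec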

塵世不再 38 Dec 17, 2022
HTTP Basic Auth Guard for Lumen 5.x

HTTP Basic Auth Guard HTTP Basic Auth Guard is a Lumen Package that lets you use basic as your driver for the authentication guard in your application

Christopher Lass 40 Nov 11, 2022
JWT auth for Laravel and Lumen

JWT Artisan Token auth for Laravel and Lumen web artisans JWT is a great solution for authenticating API requests between various services. This packa

⑅ Generation Tux ⑅ 141 Dec 21, 2022
Laravel Auth guard for FusionAuth JWT

Laravel FusionAuth JWT Implement an Auth guard for FusionAuth JWTs in Laravel. It also ships with a middleware to check against the user role. Install

Theraloss 7 Feb 21, 2022
Files Course Laravel Micro Auth and Authorization

About Laravel Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experie

EspecializaTi 8 Oct 22, 2022
Light-weight role-based permissions system for Laravel 6+ built in Auth system.

Kodeine/Laravel-ACL Laravel ACL adds role based permissions to built in Auth System of Laravel 8.0+. ACL middleware protects routes and even crud cont

Kodeine 781 Dec 15, 2022
Configurable Basic Auth based on Pimcore Documents

CORS Property Basic Auth This bundle allows adding basic auth based on Properties on Pimcore Documents. Simply use these properties password_enabled

CORS GmbH 1 Nov 12, 2021
Laravel Auth is a Complete Build of Laravel 8 with Email Registration Verification, Social Authentication, User Roles and Permissions, User Profiles, and Admin restricted user management system.

Laravel Auth is a Complete Build of Laravel 8 with Email Registration Verification, Social Authentication, User Roles and Permissions, User Profiles, and Admin restricted user management system. Built on Bootstrap 4.

Jeremy Kenedy 2.8k Dec 31, 2022
Laravel auth-boilerplate using sanctum

About Laravel Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experie

Jigar Bhaliya 3 Mar 2, 2022
Stateless HTTP basic auth for Laravel without the need for a database.

Laravel Very Basic Auth Documentation available in: English, Japanese (日本語). This package allows you to add an HTTP Basic Auth filter on your routes, with

Marcus Olsson 141 Dec 31, 2022