OIDC provider
Signed RS256 id_tokens, a discovery document, JWKS, userinfo, RP-initiated and
back-channel logout, RFC 7662 introspection, and RFC 7009 revocation — the full
protocol surface of an identity provider.
OIDC provider
Signed RS256 id_tokens, a discovery document, JWKS, userinfo, RP-initiated and
back-channel logout, RFC 7662 introspection, and RFC 7009 revocation — the full
protocol surface of an identity provider.
RFC 9068 + RFC 8693
Structured at+jwt access tokens, and optional token exchange so a client can trade a
token for a narrowly-scoped one aimed at a downstream resource server.
Auth engine
A complete set of package-owned flows — login, registration, password reset, email verification, password confirmation, and multi-factor (TOTP, recovery codes, passkeys) — that your app fills with its own views and actions.
Adaptive login
A post-login pipeline with a single decision hook (requireMfa / deny / add claims) and
acr / amr emission on the id_token.
^8.4laravel/passport ^13.4 — the OAuth2 core the package builds on