Skip to content

Configuration

Publish the config with php artisan vendor:publish --tag=oidc-config. Every key is listed below with its default and the environment variable that overrides it.

Key Default Description
issuer env('OIDC_ISSUER') Issuer URL. Falls back to app.url when null. All endpoint URLs advertised in discovery are derived from this origin.
private_key env('OIDC_PRIVATE_KEY') RS256 private signing key as a PEM string (\n-escaped single lines are fine). See Key rotation.
public_key env('OIDC_PUBLIC_KEY') The matching public key, published in JWKS.
token_lifetimes.access_token 900 (OIDC_ACCESS_TOKEN_TTL) Interactive (authorization_code) and refreshed access-token lifetime in seconds.
token_lifetimes.id_token 3600 (OIDC_ID_TOKEN_TTL) id_token lifetime in seconds.
token_lifetimes.client_credentials 3600 (OIDC_M2M_ACCESS_TOKEN_TTL) Machine-to-machine (client_credentials) access-token lifetime. These tokens have no refresh and no session.
session.absolute_lifetime 2592000 (OIDC_SESSION_ABSOLUTE_LIFETIME) Absolute cap on an interactive session, from login (30 days). Refresh is denied past this; the user must re-authenticate. Drives context.expires_at, the refresh deny-check, and context pruning.
Key Default Description
api_guard env('OIDC_API_GUARD', 'api') The guard the userinfo endpoint authenticates against.
claims_supported standard set Claims advertised in the discovery document.
logout_redirect / Fallback redirect after logout.
handlers full map Every HTTP endpoint the package registers, keyed by route name. See Route handlers.
Key Default Description
token_exchange.enabled true (OIDC_TOKEN_EXCHANGE_ENABLED) Enables the RFC 8693 token-exchange grant.
key_size 2048 (OIDC_KEY_SIZE) RSA key size oidc:rotate-keys generates.
additional_public_keys [OIDC_PREVIOUS_PUBLIC_KEY] Extra PEM public keys published in JWKS; defaults to the previous signing key during rotation — see Key rotation.

Used by the two-token browser-fetch model — see Browser-fetch.

Key Default Description
first_party.client_id env('OIDC_FIRST_PARTY_CLIENT') The confidential client id used to mint the session root token and perform exchanges on its behalf.
first_party.trusted false (OIDC_FIRST_PARTY_TRUSTED) Whether the first-party client is auto-consented.
trusted_clients [] Additional client ids that skip the consent screen.
login_route login (OIDC_LOGIN_ROUTE) Route name unauthenticated users are redirected to.
session_token.ttl 3600 (OIDC_SESSION_TOKEN_TTL) Root token lifetime in seconds.
session_token.session_key oidc.session_token Session key the root token is stored under.
session_token.refresh_skew 60 Seconds before expiry at which the token is re-minted instead of reused.
session_token.scopes null Scopes granted to the root token. null grants every non-hidden scope.
Key Default Description
auth.guard identity (OIDC_AUTH_GUARD) The session guard the auth engine authenticates against. Registered automatically if absent.
auth.provider users (OIDC_AUTH_PROVIDER) The user provider backing the guard.
auth.home /dashboard (OIDC_AUTH_HOME) Where to send a user after a successful login/registration.
auth.username email (OIDC_AUTH_USERNAME) The credential field used to log in.
auth.two_factor.challenge_providers ['totp'] Factor keys offered at the challenge step.
auth.two_factor.secret_length 16 TOTP secret length.
auth.two_factor.window 1 TOTP validation window.
auth.two_factor.recovery_codes 8 Number of recovery codes generated.
auth.factors TOTP, recovery, WebAuthn providers The registered FactorProvider classes.
  • The api guard uses the passport driver (the OAuth2 token guard).
  • The interactive authorization and logout flows run through the identity guard the package registers (oidc.auth.guard).
  • Signing keys are RS256 — see Key rotation. Token headers carry a kid derived from the RFC 7638 thumbprint, matched by the JWKS endpoint.