Skip to content

Installation

  • PHP ^8.4
  • Laravel 11, 12, or 13
  • laravel/passport ^13.4 — the OAuth2 core the package builds on (installed as a dependency)
Terminal window
composer require bambamboole/laravel-oidc

The service provider is auto-discovered.

The package ships migrations that extend oauth_clients (post-logout redirect URIs, exchange audiences, provisioning key, back-channel logout) and add its own tables (authentication contexts, access-token contexts, TOTP factors, recovery codes, sessions, session participants). The publish tag also includes the laravel/passkeys migration.

Terminal window
php artisan vendor:publish --tag=oidc-migrations
php artisan migrate

Tokens are signed with RS256. Generate an env-based keypair — it keeps keys out of the filesystem and manages rotation for you (see Key rotation):

Terminal window
php artisan oidc:rotate-keys

This writes OIDC_PRIVATE_KEY and OIDC_PUBLIC_KEY to your .env (pass --print to emit them to stdout for a secrets manager instead).

Terminal window
php artisan vendor:publish --tag=oidc-config

This writes config/oidc.php. See Configuration for every key.

Set OIDC_ISSUER to the public origin of your provider (it falls back to app.url when unset). Every URL advertised in the discovery document is derived from this origin, not the incoming request’s host:

OIDC_ISSUER=https://id.example.com
  • If you only want the OIDC provider, register a consent view (see Endpoints & discovery) and you are ready to authorize clients.
  • If you want the auth engine too, bind your login/registration views and a create-user action — see Auth engine overview.