php

PHP 8.3 library implementing the aice-auth contract: ES256 JWT verification, JWKS handling and typed verification exceptions.

  • PHP 100%
git@gitlab.com:aice-lab/auth/php.git

Latest release

v1.0.1

README

aice-auth — PHP

PHP 8.3+ implementation of the aice-auth contract. Verifies access and ID tokens issued by an aice-auth issuer; suitable for relying-party authentication in any PHP application or framework.

This release covers offline JWT verification (ES256 via JWKS, strict claim validation). Refresh-rotation, OIDC discovery, session management, and license-token verification land in subsequent releases.

Status

  • Contract: aice-auth/spec
  • Stable. v1.0.0 covers offline JWT verification (ES256 via JWKS, strict claim validation). Refresh-rotation, OIDC discovery, session management, and license-token verification land in subsequent releases.

Install

composer require aice-lab/auth

The Composer package name is aice-lab/auth. The repository path is gitlab.com/aice-lab/auth/php — not the same string. The package’s PHP namespace is AiceLab\Auth\.

Requires PHP 8.3 or newer and the openssl extension. Laravel integrators: see docs/integrating-with-laravel.md for the recommended service-container + config wiring.

Quickstart

use AiceLab\Auth\Jwks;
use AiceLab\Auth\JwtVerifier;
use AiceLab\Auth\VerifyOptions;

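// Fetch the issuer's JWKS; file_get_contents() returns false on failure.
$jwksDoc = file_get_contents('https://id.example.com/.well-known/jwks.json');
if ($jwksDoc === false) {
    throw new \RuntimeException('Unable to fetch JWKS document');
}
$jwks = Jwks::fromJson($jwksDoc);

// $token is the compact JWT string presented by the client.
$claims = (new JwtVerifier())->verify(
    $token,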
    $jwks,
    new VerifyOptions(
        issuer:   'https://id.example.com',
        audience: 'example-app',
    ),
);

// $claims is the parsed payload as an associative array.
// Throws an AiceLab\Auth\Exception\JwtVerificationException subclass on failure.

The verifier rejects alg=none and any algorithm other than ES256, requires kid in the header, looks it up in the supplied JWKS, verifies the ECDSA P-256 signature, and validates iss, aud, exp, and nbf strictly. See ARCHITECTURE.md for failure modes and exception classes.
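
The check sequence described above, written out against ext-openssl as an added example (not the library's source; the function names b64u, derInt and verifyEs256 are hypothetical). It shows the two conversions PHP's OpenSSL binding needs for ES256, JWK x/y to a PEM key and raw R||S to a DER signature, and assumes integer exp/nbf with no clock-skew leeway.

```php
<?php
// Added sketch, not the library's source; function names are hypothetical. Needs ext-openssl.
function b64u(string $s): string {
    $raw = base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
    if ($raw === false) { throw new UnexpectedValueException('bad base64url'); }
    return $raw;
}
function derInt(string $n): string { // unsigned big-endian bytes -> ASN.1 INTEGER
    $n = ltrim($n, "\x00");
    if ($n === '' || ord($n[0]) >= 0x80) { $n = "\x00" . $n; }
    return "\x02" . chr(strlen($n)) . $n;
}
function verifyEs256(string $jwt, array $jwks, string $iss, string $aud, ?int $now = null): array {
    $bad = static fn(string $why) => new UnexpectedValueException($why);
    $p = explode('.', $jwt);
    if (count($p) !== 3) { throw $bad('malformed token'); }
    $hdr = json_decode(b64u($p[0]), true);
    // 1. Pin the algorithm before any key is looked at: "none", HS256, RS256 all stop here.
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'ES256') { throw $bad('alg must be ES256'); }
    // 2. kid is mandatory and must select exactly one key from the supplied JWKS.
    $kid = $hdr['kid'] ?? null;
    if (!is_string($kid) || $kid === '') { throw $bad('kid required'); }
    $hits = array_values(array_filter($jwks['keys'] ?? [], fn($k) => ($k['kid'] ?? null) === $kid));
    if (count($hits) !== 1) { throw $bad('unknown or ambiguous kid'); }
    $jwk = $hits[0];
    if (($jwk['kty'] ?? null) !== 'EC' || ($jwk['crv'] ?? null) !== 'P-256') { throw $bad('not an EC P-256 key'); }
    $x = b64u($jwk['x'] ?? '');
    $y = b64u($jwk['y'] ?? '');
    if (strlen($x) !== 32 || strlen($y) !== 32) { throw $bad('bad key coordinates'); }
    // 3. OpenSSL takes a PEM SubjectPublicKeyInfo and a DER signature; JOSE carries x/y and raw R||S.
    $spki = hex2bin('3059301306072a8648ce3d020106082a8648ce3d030107034200') . "\x04" . $x . $y;
    $pem = "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n") . "-----END PUBLIC KEY-----\n";
    $sig = b64u($p[2]);
    if (strlen($sig) !== 64) { throw $bad('signature must be 64 bytes'); }
    $rs = derInt(substr($sig, 0, 32)) . derInt(substr($sig, 32));
    $der = "\x30" . chr(strlen($rs)) . $rs;
    if (openssl_verify($p[0] . '.' . $p[1], $der, $pem, OPENSSL_ALGO_SHA256) !== 1) { throw $bad('bad signature'); }
    // 4. Claims are read only after the signature holds. No clock-skew leeway (assumption).
    $c = json_decode(b64u($p[1]), true);
    $now ??= time();
    if (!is_array($c) || ($c['iss'] ?? null) !== $iss) { throw $bad('iss mismatch'); }
    if (!in_array($aud, (array) ($c['aud'] ?? []), true)) { throw $bad('aud mismatch'); }
    if (!is_int($c['exp'] ?? null) || $c['exp'] <= $now) { throw $bad('expired or missing exp'); }
    if (isset($c['nbf']) && (!is_int($c['nbf']) || $c['nbf'] > $now)) { throw $bad('not yet valid'); }
    return $c;
}
```

Pass the JWKS as json_decode($jwksDoc, true); the optional $now argument fixes the clock so expiry handling can be tested deterministically.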

Development

composer install
composer test                     # phpunit
composer analyse                  # phpstan
composer lint                     # php-cs-fixer
vendor/bin/phpunit --coverage-text

Coverage floor: 90% lines on src/ (security-sensitive area).

License

Source: FSL-1.1-Apache-2.0 (see LICENSE and LICENSE.FAQ.md). Runtime use beyond development/non-commercial/OSS scopes additionally requires a license token; see the licensing concept guide.

Documentation

Full contract and concept docs: https://auth.aice-lab.org

Contributing

See CONTRIBUTING.md. All commits require DCO sign-off (git commit -s).

Reporting security issues

See SECURITY.md. Do not open public issues for vulnerabilities.

This is a snapshot generated from GitLab. For the live README, see the project page.