README

This repository is a read-only split of aetah/php-openid-toolkit.

• Development happens in the monorepo.
• Feature PRs and issues should be opened against aetah/php-openid-toolkit.
• This split repository is published from the monorepo and should not be treated as the source of truth.

OIDC Core

Generic PHP library for OpenID Connect Core 1.0 protocol processing primitives.

Scope

This package is designed as a reusable base for aetah/* libraries and CMS integrations. It provides:

• Authorization Request parsing and structural/protocol validation.
• ID Token compact JWT parsing and claim validation helpers.
• UserInfo response subject consistency validation.

The package intentionally leaves cryptographic JWS signature verification, key retrieval, discovery retrieval, and HTTP transport orchestration to host applications.

Install

composer require aetah/oidc-core

Quick Start

<?php

declare(strict_types=1);

use Aetah\OIDCCore\OIDCCore;

$oidc = new OIDCCore();

$request = $oidc->parseAuthorizationRequest($_GET);
$oidc->validateAuthorizationRequest($request);

$idToken = $oidc->parseIdTokenJwt($jwt);
$oidc->validateIdToken($idToken, ['https://op.example'], ['client-id'], $expectedNonce);

Spec

OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html

Spec Status

Missing/currently out of scope:

• Cryptographic JWS signature verification for ID Tokens and any associated key retrieval/trust validation.
• Discovery retrieval and dynamic metadata resolution needed to obtain issuer keys or endpoint configuration.
• HTTP transport and end-to-end protocol orchestration for authorization, token, UserInfo, and related runtime flows.
• Full coverage of optional and advanced Core features beyond the current authorization-request, ID-Token-claim, and UserInfo-subject validation helpers.

Quality Checks

Run Static Analysis

composer analyse

Run Tests

composer test

Run Benchmarks

composer bench

The benchmark suite in bench/ is intentionally separate from PHPUnit. It focuses on parser and validator hot paths with deterministic small, medium, and large fixtures so regressions can be tracked without turning CI timing noise into normal test failures.

Generated artifacts are written under build/:

• build/phpunit/ for JUnit reports
• build/coverage/ for coverage output
• build/phpbench/ for benchmark dumps and comparison logs

Clean Build Artifacts

composer clean

Benchmark Baseline

The benchmark CI job compares the current run against ci/phpbench-baseline.xml when that file is present.

• Refresh the baseline with:

./vendor/bin/phpbench run bench --bootstrap=bench/bootstrap.php --report=aggregate --dump-file=ci/phpbench-baseline.xml

• CI threshold variables:
  • PHPBENCH_TIME_REGRESSION_THRESHOLD defaults to 25
  • PHPBENCH_MEMORY_REGRESSION_THRESHOLD defaults to 20
  • PHPBENCH_ENFORCE_BASELINE=1 turns threshold overruns into job failures

Run Test Coverage

composer test:coverage

Run Style Checks

composer lint

Fix Style Checks

composer lint:fix

License

Licensed under AGPL-3.0-or-later. See LICENSE for details.