- Can I use league/oauth2-client to replace Laravel Passport for third-party OAuth (e.g., Google, GitHub) in my Laravel app?
- Yes, but it’s designed as a complement rather than a replacement. Passport handles Laravel-native auth (e.g., API tokens), while league/oauth2-client excels at integrating external OAuth providers. Use it alongside Passport for hybrid workflows, like authenticating users via Google while storing tokens in your database.
- How do I store OAuth tokens securely in Laravel (session, database, or cache)? Will Redis work?
- You can store tokens in sessions, databases, or Laravel’s cache (Redis/Memcached). For scalability, cache is recommended with `Cache::remember()` or `Cache::put()`. Ensure your cache driver is configured in Laravel’s `.env` and use encryption for sensitive secrets if storing in the database.
- What’s the best way to handle token refreshes in production to avoid race conditions?
- Use Laravel Queues to offload token refreshes asynchronously. Wrap the refresh logic in a job (e.g., `RefreshOAuthToken`) and dispatch it when tokens expire. Implement a mutex or database lock to prevent concurrent refreshes. For critical apps, consider a retry mechanism with exponential backoff.
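  The two answers above (encrypted cache storage and a lock-protected refresh job) fit together; the following is an added example, written for this page and not taken from league/oauth2-client or any Laravel package. It assumes a lock-capable cache store (Redis, Memcached or the database driver), that an `AbstractProvider` instance is bound in the container so the job can type-hint it, and that the user id is the key under which tokens are kept. `TokenStore` and `RefreshOAuthToken` would normally live in separate files.

  ```php
  <?php
  // Added example (not from the page or the league/oauth2-client project).
  // Assumptions: a lock-capable Cache store, an AbstractProvider bound in the container,
  // and tokens keyed by user id. Two classes shown in one file for brevity.
  namespace App\Oauth;

  use Illuminate\Bus\Queueable;
  use Illuminate\Contracts\Queue\ShouldQueue;
  use Illuminate\Queue\InteractsWithQueue;
  use Illuminate\Queue\SerializesModels;
  use Illuminate\Support\Facades\Cache;
  use Illuminate\Support\Facades\Crypt;
  use Illuminate\Support\Facades\Log;
  use League\OAuth2\Client\Provider\AbstractProvider;
  use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
  use League\OAuth2\Client\Token\AccessToken;
  use League\OAuth2\Client\Token\AccessTokenInterface;

  final class TokenStore
  {
      private const GRACE_SECONDS = 60;  // keep the entry briefly past expiry so a refresh can read it

      public static function key(int $userId): string
      {
          return "oauth:token:{$userId}";
      }

      // Tokens are encrypted with the app key before they reach Redis/Memcached,
      // so a dump of the cache store does not expose bearer or refresh tokens.
      public static function put(int $userId, AccessTokenInterface $token): void
      {
          $expires = $token->getExpires() ?? (time() + 3600);   // provider may omit expiry; assume 1h
          $ttl     = max(1, $expires - time() + self::GRACE_SECONDS);
          $payload = Crypt::encryptString(json_encode($token->jsonSerialize()));
          Cache::put(self::key($userId), $payload, $ttl);
      }

      public static function get(int $userId): ?AccessToken
      {
          $raw = Cache::get(self::key($userId));
          return $raw === null ? null : new AccessToken(json_decode(Crypt::decryptString($raw), true));
      }
  }

  class RefreshOAuthToken implements ShouldQueue
  {
      use InteractsWithQueue, Queueable, SerializesModels;

      public int $tries = 3;
      public array $backoff = [10, 60, 300];   // exponential backoff between retry attempts

      public function __construct(private int $userId) {}

      public function handle(AbstractProvider $provider): void
      {
          // Atomic lock per user: a second worker refreshing the same token simply skips.
          $lock = Cache::lock("oauth:refresh:{$this->userId}", 30);
          if (! $lock->get()) {
              Log::info('OAuth refresh already in progress', ['user' => $this->userId]);
              return;
          }
          try {
              // Re-read under the lock: another worker may have refreshed while we waited.
              $current = TokenStore::get($this->userId);
              if ($current === null || ! $current->hasExpired()) {
                  return;
              }
              $fresh = $provider->getAccessToken('refresh_token', [
                  'refresh_token' => $current->getRefreshToken(),
              ]);
              // Some providers omit the refresh token on refresh; keep the old one in that case.
              if ($fresh->getRefreshToken() === null) {
                  $fresh = new AccessToken(['refresh_token' => $current->getRefreshToken()] + $fresh->jsonSerialize());
              }
              TokenStore::put($this->userId, $fresh);
          } catch (IdentityProviderException $e) {
              Log::error('OAuth token refresh failed', ['user' => $this->userId, 'error' => $e->getMessage()]);
              throw $e;   // rethrow so the queue applies $tries/$backoff
          } finally {
              $lock->release();
          }
      }
  }
  ```

  Dispatch with `RefreshOAuthToken::dispatch($user->id)` when `TokenStore::get($user->id)?->hasExpired()` is true. The second `hasExpired()` check inside the lock is what removes the race: two jobs for the same user may both be queued, but only the first one that holds the lock performs the network call.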
- Does league/oauth2-client support Laravel’s middleware for route protection (e.g., OAuthGuard)?
- Yes, you can create custom middleware to validate OAuth tokens before granting access. For example, inject the OAuth client into middleware and verify tokens on each request. Combine it with Laravel’s `auth:api` middleware for layered security. Pre-built providers include built-in token validation methods.
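  As an added example of the middleware described above (not code from the page or the project): it assumes the token was put in the session under `oauth.token` as the array returned by `AccessToken::jsonSerialize()`, and that an `AbstractProvider` is bound in the container. The local expiry check runs first so expired tokens never trigger a provider call; the upstream check catches tokens that were revoked before their expiry.

  ```php
  <?php
  // Added example (not from the page or the league/oauth2-client project).
  // Assumptions: token array stored in session key 'oauth.token';
  // AbstractProvider resolvable from the container.
  namespace App\Http\Middleware;

  use Closure;
  use Illuminate\Http\Request;
  use League\OAuth2\Client\Provider\AbstractProvider;
  use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
  use League\OAuth2\Client\Token\AccessToken;
  use Symfony\Component\HttpFoundation\Response;

  class EnsureValidOAuthToken
  {
      public function __construct(private AbstractProvider $provider) {}

      public function handle(Request $request, Closure $next): Response
      {
          $data = $request->session()->get('oauth.token');
          if (! is_array($data) || empty($data['access_token'])) {
              abort(401, 'OAuth token missing');
          }
          $token = new AccessToken($data);

          // Cheap local check first: hasExpired() needs an expiry, so guard for providers that omit it.
          if ($token->getExpires() !== null && $token->hasExpired()) {
              abort(401, 'OAuth token expired');
          }

          // Confirm the provider still honours the token (detects revocation).
          try {
              $owner = $this->provider->getResourceOwner($token);
          } catch (IdentityProviderException $e) {
              abort(401, 'OAuth token rejected by provider');
          }

          // Make the verified resource owner available to controllers.
          $request->attributes->set('oauth_owner', $owner);

          return $next($request);
      }
  }
  ```

  Calling the provider on every request is the safe default but costs a round trip; in practice cache the positive result for a short window keyed by a hash of the token, and stack this middleware behind `auth:api` or `auth:sanctum` so unauthenticated requests are rejected before the provider is contacted.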
- How do I test OAuth flows in Laravel, especially mocking provider responses?
- Use Laravel’s HTTP tests with mock responses for OAuth providers. For example, override the provider’s `fetchAccessToken()` method in tests to return mock tokens. Libraries like `mockery` or Laravel’s `Http::fake()` can simulate API responses. Test both success and failure scenarios (e.g., expired tokens, invalid codes).
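  An added test example for the code exchange (not from the page or the project). league/oauth2-client sends its requests through a Guzzle client it builds itself, so this example swaps in Guzzle's `MockHandler` via the provider's `httpClient` collaborator rather than relying on `Http::fake()`, which only intercepts Laravel's own HTTP client. The endpoint URLs and credentials are constructed test values.

  ```php
  <?php
  // Added example (not from the page or the league/oauth2-client project).
  // Provider URLs and credentials below are constructed test values.
  namespace Tests\Unit;

  use GuzzleHttp\Client;
  use GuzzleHttp\Handler\MockHandler;
  use GuzzleHttp\HandlerStack;
  use GuzzleHttp\Psr7\Response;
  use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
  use League\OAuth2\Client\Provider\GenericProvider;
  use Tests\TestCase;

  class OAuthTokenExchangeTest extends TestCase
  {
      // Build a provider whose HTTP traffic is answered by the queued mock responses.
      private function provider(MockHandler $mock): GenericProvider
      {
          return new GenericProvider([
              'clientId'                => 'test-client',
              'clientSecret'            => 'test-secret',
              'redirectUri'             => 'https://app.example/oauth/callback',
              'urlAuthorize'            => 'https://idp.example/authorize',
              'urlAccessToken'          => 'https://idp.example/token',
              'urlResourceOwnerDetails' => 'https://idp.example/userinfo',
          ], [
              'httpClient' => new Client(['handler' => HandlerStack::create($mock)]),
          ]);
      }

      public function test_valid_code_is_exchanged_for_a_token(): void
      {
          $mock = new MockHandler([
              new Response(200, ['Content-Type' => 'application/json'], json_encode([
                  'access_token'  => 'at-123',
                  'refresh_token' => 'rt-456',
                  'token_type'    => 'Bearer',
                  'expires_in'    => 3600,
              ])),
          ]);

          $token = $this->provider($mock)->getAccessToken('authorization_code', ['code' => 'good-code']);

          $this->assertSame('at-123', $token->getToken());
          $this->assertSame('rt-456', $token->getRefreshToken());
          $this->assertFalse($token->hasExpired());

          // The mock also records what the provider sent, so the grant request itself can be checked.
          $sent = $mock->getLastRequest();
          $this->assertSame('POST', $sent->getMethod());
          $this->assertStringContainsString('grant_type=authorization_code', (string) $sent->getBody());
          $this->assertStringContainsString('code=good-code', (string) $sent->getBody());
      }

      public function test_invalid_code_raises_identity_provider_exception(): void
      {
          $mock = new MockHandler([
              new Response(400, ['Content-Type' => 'application/json'], json_encode([
                  'error'             => 'invalid_grant',
                  'error_description' => 'authorization code is invalid or expired',
              ])),
          ]);

          $this->expectException(IdentityProviderException::class);
          $this->provider($mock)->getAccessToken('authorization_code', ['code' => 'bad-code']);
      }
  }
  ```

  The failure test matters as much as the success test: `GenericProvider` turns any `error` key or 4xx status into an `IdentityProviderException`, and the callback controller must catch it rather than let a stack trace (which can include the client secret in the request body) reach the user.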
- Will league/oauth2-client work with Laravel 10+ and PHP 8.1+? Are there breaking changes?
- The package is fully compatible with Laravel 10+ and PHP 8.1+. It follows semantic versioning, so minor updates include Laravel/PHP compatibility fixes. Always test after running `composer update` to catch edge cases, especially if using custom providers or advanced features like PKCE.
- How do I integrate league/oauth2-client with Laravel Sanctum for hybrid auth (e.g., web + OAuth)?
- Use league/oauth2-client to authenticate users via OAuth (e.g., Google) and then generate Sanctum tokens for API access. Store the Sanctum token in the user’s session or database after OAuth login. This lets users access your API via Sanctum while leveraging OAuth for third-party logins.
- What are the risks of using PKCE in Laravel, and how do I enable it for SPAs?
- PKCE (Proof Key for Code Exchange) adds security for public clients (e.g., SPAs) by preventing code interception. Enable it via the provider’s constructor (e.g., `new GoogleUser([...], ['usePKCE' => true])`). Ensure your Laravel app has OpenSSL or phpseclib installed, as PKCE requires cryptographic operations.
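  The Sanctum hybrid flow and the PKCE answer above come together in one login controller. This is an added example, not code from the page or from league/oauth2-client. It assumes league/oauth2-client 2.7 or later (where the `pkceMethod` option, `getPkceCode()` and `setPkceCode()` were introduced), an `AbstractProvider` bound in the container and constructed with `'pkceMethod' => AbstractProvider::PKCE_METHOD_S256`, a `User` model using Sanctum's `HasApiTokens`, and a `provider_id` column on `users` (assumed). Redirect targets are placeholders.

  ```php
  <?php
  // Added example (not from the page or the league/oauth2-client project).
  // Assumptions: league/oauth2-client >= 2.7 with 'pkceMethod' => AbstractProvider::PKCE_METHOD_S256
  // set where the provider is bound; User uses Laravel\Sanctum\HasApiTokens; users.provider_id exists.
  namespace App\Http\Controllers;

  use App\Models\User;
  use Illuminate\Http\RedirectResponse;
  use Illuminate\Http\Request;
  use Illuminate\Support\Facades\Auth;
  use League\OAuth2\Client\Provider\AbstractProvider;
  use League\OAuth2\Client\Provider\Exception\IdentityProviderException;

  class OAuthLoginController extends Controller
  {
      public function __construct(private AbstractProvider $provider) {}

      // Step 1: send the browser to the provider with a fresh state and PKCE verifier.
      public function redirect(Request $request): RedirectResponse
      {
          $url = $this->provider->getAuthorizationUrl();

          // Both values are generated per login and bound to this session only.
          $request->session()->put('oauth.state', $this->provider->getState());
          $request->session()->put('oauth.pkce',  $this->provider->getPkceCode());

          return redirect()->away($url);
      }

      // Step 2: validate the callback, exchange the code, then issue a Sanctum token.
      public function callback(Request $request): RedirectResponse
      {
          $expectedState = $request->session()->pull('oauth.state');
          $pkceVerifier  = $request->session()->pull('oauth.pkce');

          // Constant-time state comparison defends the callback against CSRF / code injection.
          if (! is_string($expectedState) || ! hash_equals($expectedState, (string) $request->query('state', ''))) {
              abort(403, 'Invalid OAuth state');
          }
          if ($request->has('error')) {
              abort(403, 'Authorization was denied by the provider');
          }

          // Hand the original verifier back so it is sent with the code exchange.
          $this->provider->setPkceCode((string) $pkceVerifier);

          try {
              $token = $this->provider->getAccessToken('authorization_code', [
                  'code' => (string) $request->query('code', ''),
              ]);
              $owner = $this->provider->getResourceOwner($token);
          } catch (IdentityProviderException $e) {
              abort(403, 'OAuth code exchange failed');   // do not echo $e: body may contain secrets
          }

          $profile = $owner->toArray();
          $user = User::firstOrCreate(
              ['provider_id' => (string) $owner->getId()],
              ['email' => $profile['email'] ?? '', 'name' => $profile['name'] ?? 'OAuth user']
          );

          Auth::login($user);
          $request->session()->regenerate();   // prevent session fixation after login

          // Sanctum token for the SPA / API side of the hybrid flow, kept in the session as the answer suggests.
          $apiToken = $user->createToken('spa')->plainTextToken;
          $request->session()->put('sanctum.token', $apiToken);

          return redirect('/app');   // placeholder SPA route
      }
  }
  ```

  Two points worth noting: the state and verifier are `pull`ed (removed) from the session so a replayed callback fails, and the Sanctum `plainTextToken` is only ever available at creation, so whatever the SPA needs must be handed over at this point rather than reconstructed later.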
- How do I log OAuth events (e.g., token refreshes, failures) in Laravel?
- Extend the OAuth client to emit custom events (e.g., `OAuthTokenRefreshed`, `OAuthError`). Use Laravel’s event system to log these via `event(new OAuthTokenRefreshed($token))`. For failures, catch exceptions and log them with Laravel’s `Log::error()` or a dedicated logger like Monolog.
- Are there alternatives to league/oauth2-client for Laravel, and when should I choose them?
- Alternatives include `lucadegasperi/oauth2-server-laravel` (for OAuth2 server-side) or `spatie/laravel-oauth-client` (a Laravel-specific wrapper). Choose league/oauth2-client for flexibility with third-party providers, while spatie’s package offers tighter Laravel integration. Use `lucadegasperi` if you need to build an OAuth2 server in Laravel.