
Oauth2 Keycloak Laravel Package

stevenmaguire/oauth2-keycloak

Laravel-friendly OAuth2 client provider for Keycloak using the league/oauth2-client package. Handles Keycloak authorization, token retrieval/refresh, and user profile fetching so your app can authenticate via Keycloak with minimal setup.


Keycloak Provider for OAuth 2.0 Client

Frequently asked questions about Oauth2 Keycloak
How do I install stevenmaguire/oauth2-keycloak in a Laravel project?
Run `composer require stevenmaguire/oauth2-keycloak` in your project directory. The package extends the PHP League’s OAuth2 client, so no additional Laravel-specific dependencies are required beyond the base package.
Which Laravel versions does this package support?
The package is compatible with Laravel 8.x and 9.x, as it relies on the PHP League’s OAuth2 client, which has no Laravel-specific version constraints. Ensure your PHP version (8.0+) aligns with Keycloak’s requirements.
Can I use this package for client credentials flow (e.g., API-to-API auth)?
Yes, the package supports all OAuth2 flows, including client credentials. Configure the provider with your client ID, secret, and realm, then use `$provider->getAccessToken('client_credentials')` to fetch tokens for service-to-service communication.
How do I handle Keycloak’s custom claims (e.g., groups, roles) in Laravel?
After fetching the user profile with `$provider->getResourceOwner()`, manually map Keycloak claims (e.g., `groups` or `resource_access`) to your Laravel user model. Use Laravel’s `User` model observers or accessors to store and retrieve these claims dynamically.
Does this package support PKCE for public clients (e.g., SPAs)?
Yes, the package leverages the underlying league/oauth2-client, which includes PKCE support. Enable it by omitting the `clientSecret` in your provider configuration, forcing the use of PKCE for enhanced security.
How do I integrate this with Laravel’s authentication system (e.g., guards)?
Extend Laravel’s auth guards by creating a custom `KeycloakGuard` that uses the provider to validate tokens. Bind it in `config/auth.php` under `guards` and handle user retrieval in a `UserProvider` implementation.
What if Keycloak is down? Can I fall back to local auth?
The package itself doesn’t include fallback logic, but you can wrap provider calls in try-catch blocks and redirect users to Laravel’s default auth (e.g., `auth()->guard('web')->attempt()`) if Keycloak requests fail.
Are there performance concerns with token introspection or validation?
Token validation can be rate-limited by Keycloak. Cache introspection results in Redis or your preferred cache driver using Laravel’s cache facade to reduce calls. Avoid validating tokens on every request if possible.
How do I configure Keycloak’s encryption (e.g., RS256) for token signing?
Pass the `encryptionAlgorithm` (e.g., `'RS256'`) and `encryptionKeyPath` (path to your public key) or `encryptionKey` (key contents) to the provider constructor. This ensures tokens are validated against Keycloak’s public key.
What alternatives exist for Keycloak OAuth2 in Laravel, and why choose this package?
Alternatives include `socialiteproviders/keycloak` (for Socialite integration) or rolling your own with `league/oauth2-client`. This package offers Keycloak-specific optimizations (e.g., realm handling, token parsing) and tighter Laravel integration without Socialite’s overhead.
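
For the custom-claims question above, one way to do the mapping defensively. This is an added example, not code from the package or its README. The client ID `my-laravel-app`, the two allow-list maps, and the sample claims are assumptions made for illustration, and the claims only appear if the Keycloak client's mappers include them.

```php
<?php
declare(strict_types=1);

// Constructed sample claims, shaped like Keycloak's `groups` and
// `resource_access` claims. In an application this array would come from
// $provider->getResourceOwner($token)->toArray().
$claims = [
    'sub' => '00000000-0000-0000-0000-000000000000',
    'groups' => ['/staff/editors', '/staff'],
    'resource_access' => [
        'my-laravel-app' => ['roles' => ['editor', 'unmapped-role']],
        'other-client'   => ['roles' => ['admin']], // must not leak into this app
    ],
];

// Hypothetical allow-lists: Keycloak role or group => local role name.
const ROLE_MAP  = ['editor' => 'editor', 'admin' => 'admin'];
const GROUP_MAP = ['/staff' => 'staff'];

/** Return the string entries of $value, or [] when the claim is absent or malformed. */
function stringList(mixed $value): array
{
    return is_array($value) ? array_values(array_filter($value, 'is_string')) : [];
}

/**
 * Map Keycloak claims to local roles. Only roles issued for $clientId are
 * read, and only names present in the allow-lists are kept, so roles granted
 * for other clients or unknown strings never reach the local user model.
 */
function localRoles(array $claims, string $clientId): array
{
    $access = $claims['resource_access'] ?? [];
    $client = is_array($access) ? ($access[$clientId] ?? []) : [];
    $roles  = stringList(is_array($client) ? ($client['roles'] ?? null) : null);
    $groups = stringList($claims['groups'] ?? null);

    $mapped = [];
    foreach ($roles as $role) {
        if (array_key_exists($role, ROLE_MAP)) { $mapped[] = ROLE_MAP[$role]; }
    }
    foreach ($groups as $group) {
        if (array_key_exists($group, GROUP_MAP)) { $mapped[] = GROUP_MAP[$group]; }
    }
    return array_values(array_unique($mapped));
}

var_dump(localRoles($claims, 'my-laravel-app'));
```

Re-run the mapping on every login or token refresh so that a role removed in Keycloak is also dropped locally.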