Laravel
The yorauth/laravel-sdk package wraps the YorAuth PHP SDK with a Laravel service provider, facade, middleware, OIDC controllers, and a webhook system. It supports Laravel 10, 11, and 12.
The Laravel SDK is currently in development. This documentation describes the intended API and developer experience. The package is not yet published to Packagist.
Key Features
- Auto-discovered service provider with config publishing
- YorAuth facade proxying all PHP SDK resources
- OIDC Authorization Code + PKCE flow with auto-registered routes
- Multi-context OIDC for applications with multiple auth panels
- Webhook endpoint with signature verification and typed Laravel events
- Middleware for authentication and permission checks
- Artisan commands for connection testing and listener scaffolding
Installation
composer require yorauth/laravel-sdk
The service provider is auto-discovered. Publish the config file:
php artisan vendor:publish --tag=yorauth-config
Add the required environment variables:
YORAUTH_APPLICATION_ID=your-application-uuid
YORAUTH_API_KEY=ya_live_abc123...
YORAUTH_BASE_URL=https://api.yorauth.dev
Usage
Facade
use YorAuth\Laravel\Facades\YorAuth;
$login = YorAuth::auth()->login('jane@example.com', 'secret');
YorAuth::setToken($login['data']['access_token']);
Dependency Injection
use YorAuth\Sdk\YorAuth;
class UserController extends Controller
{
    public function __construct(private YorAuth $yorauth) {}

    public function show(string $userId)
    {
        return $this->yorauth->users()->getProfile($userId);
    }
}
SDK Resources
The facade exposes all resources from the PHP SDK:
| Method | Resource | Description |
|---|---|---|
| auth() | AuthResource | Registration, login (with CAPTCHA/remember-me options), logout, token refresh, password reset, email verification, magic links, MFA verification, CAPTCHA status |
| users() | UserResource | Profile management, password change, account deletion, GDPR data export, consent withdrawal |
| roles() | RoleResource | Role CRUD, user-role assignments, user permission lookups |
| permissions() | PermissionsResource | Single and bulk permission checks |
| sessions() | SessionResource | List, revoke individual or all sessions |
| mfa() | MfaResource | TOTP setup/confirm/disable, backup codes, MFA status |
| oidc() | OidcResource | OIDC client management, discovery, JWKS, authorize, token, client credentials, device authorization, logout URL |
| passkeys() | PasskeyResource | WebAuthn/passkey authentication ceremonies and credential management |
| saml() | SamlResource | SAML SSO initiation and connection listing |
| userAttributes() | UserAttributeResource | User attribute get/set/delete for ABAC |
| teams() | TeamResource | Team CRUD, member management, team role assignments |
| webhooks() | WebhookResource | Webhook configuration and delivery history |
| apiKeys() | ApiKeyResource | API key management |
| auditLogs() | AuditLogResource | Audit log viewing with filters |
Authentication
Login with Options
The login() method accepts an optional third parameter for CAPTCHA tokens and remember-me:
$login = YorAuth::auth()->login($email, $password, [
    'captcha_token' => $captchaResponse,
    'remember_me' => true,
]);
CAPTCHA Status
Check whether CAPTCHA is enabled for your application:
$status = YorAuth::auth()->getCaptchaStatus();
// $status['data']['enabled'], $status['data']['provider'], $status['data']['site_key']
Passkeys (WebAuthn)
Passwordless authentication using platform authenticators and security keys.
// Authentication ceremony (public, no JWT required)
$options = YorAuth::passkeys()->authenticateOptions();
$result = YorAuth::passkeys()->authenticateVerify($credential);
// Credential registration (JWT required, user ownership)
$options = YorAuth::passkeys()->registerOptions($userId);
$result = YorAuth::passkeys()->registerVerify($userId, $credential);
// Credential management
$passkeys = YorAuth::passkeys()->list($userId);
YorAuth::passkeys()->update($userId, $credentialId, ['name' => 'My Laptop']);
YorAuth::passkeys()->delete($userId, $credentialId);
SAML SSO
Initiate enterprise SAML single sign-on flows.
$redirect = YorAuth::saml()->initiate([
    'connection_id' => $connectionId,
    'relay_state' => '/dashboard',
]);
$connections = YorAuth::saml()->getConnections();
User Attributes (ABAC)
Manage custom key-value attributes on users for Attribute-Based Access Control.
$attrs = YorAuth::userAttributes()->get($userId);
YorAuth::userAttributes()->set($userId, [
    'department' => 'engineering',
    'clearance_level' => 'secret',
]);
YorAuth::userAttributes()->delete($userId, 'clearance_level');
OIDC Grant Types
Client Credentials (RFC 6749 Section 4.4)
Service-to-service authentication without user context:
$tokens = YorAuth::oidc()->clientCredentialsToken($clientId, $clientSecret);
$tokens = YorAuth::oidc()->clientCredentialsToken($clientId, $clientSecret, 'scope1 scope2');
Device Authorization (RFC 8628)
For devices that cannot display a browser (TVs, CLIs, IoT):
// Step 1: Request device and user codes
$device = YorAuth::oidc()->deviceAuthorize([
    'client_id' => $clientId,
    'scope' => 'openid profile',
]);
// Display $device['user_code'] and $device['verification_uri'] to user
// Step 2: Poll for token (in a loop with $device['interval'] seconds between calls)
$tokens = YorAuth::oidc()->deviceCodeToken($device['device_code'], $clientId);
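The polling loop that Step 2 describes, written out as an added example (not code from the YorAuth SDK or its documentation) with the RFC 8628 error handling a client needs: authorization_pending, slow_down, access_denied and expired_token. Assumptions: pollDeviceToken and its $requestToken callable are hypothetical names; in an application the callable would wrap the deviceCodeToken() call above, and how the SDK surfaces the pending and error states, and whether $device carries expires_in, is not stated on this page.

```php
<?php
// Added example, not YorAuth SDK code: an RFC 8628 section 3.5 polling loop.
// $requestToken is a hypothetical callable that makes one token request and
// returns the decoded token-endpoint JSON (tokens, or an array with 'error').
function pollDeviceToken(callable $requestToken, int $interval, int $expiresIn, ?callable $sleep = null): array
{
    $sleep ??= static fn (int $seconds) => sleep($seconds);
    $interval = max(1, $interval);
    $waited = 0; // seconds spent so far, bounded by the device code lifetime

    while ($waited + $interval <= $expiresIn) {
        $sleep($interval);
        $waited += $interval;
        $response = $requestToken();

        if (isset($response['access_token'])) {
            return $response;
        }
        $error = $response['error'] ?? 'invalid_response';
        switch ($error) {
            case 'authorization_pending':
                break; // user has not approved yet: poll again
            case 'slow_down':
                $interval += 5; // the RFC requires 5 more seconds on every later poll
                break;
            case 'access_denied':
                throw new RuntimeException('User denied the device authorization request.');
            case 'expired_token':
                throw new RuntimeException('Device code expired; restart the flow.');
            default:
                throw new RuntimeException("Device token request failed: {$error}");
        }
    }
    throw new RuntimeException('Device code lifetime elapsed without approval.');
}

// Constructed replies standing in for three successive token-endpoint responses.
$replies = [
    ['error' => 'authorization_pending'],
    ['error' => 'slow_down'],
    ['access_token' => 'constructed-token', 'token_type' => 'Bearer'],
];
$delays = [];
$tokens = pollDeviceToken(
    function () use (&$replies) { return array_shift($replies); },
    5,
    600,
    function (int $seconds) use (&$delays) { $delays[] = $seconds; }
);
var_dump($delays, $tokens['token_type']);
```

The injected $sleep callable exists only so the loop can be exercised without real delays; omit it in production and the function falls back to sleep().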
RP-Initiated Logout
Build a logout URL for ending the user's OIDC session:
$logoutUrl = YorAuth::oidc()->buildLogoutUrl($idTokenHint, '/logged-out');
return redirect()->away($logoutUrl);
GDPR Consent Withdrawal
Permanently delete a user's account and all associated data (irreversible):
YorAuth::users()->withdrawConsent($userId);
OIDC Routes
When YORAUTH_OIDC_CLIENT_ID is set, routes are auto-registered:
- GET /auth/yorauth/redirect -- Redirects to YorAuth for login
- GET /auth/yorauth/callback -- Handles the OIDC callback
- POST /auth/yorauth/logout -- Logs out and invalidates session
Multi-Context OIDC
For applications with multiple auth panels (e.g., customer + staff), define contexts in config/yorauth.php. Context routes are auto-registered as /auth/yorauth/{context}/redirect, /auth/yorauth/{context}/callback, and /auth/yorauth/{context}/logout.
Middleware
| Alias | Class | Description |
|---|---|---|
| yorauth.authenticated | RequireAuthenticated | Verifies user is authenticated via YorAuth OIDC (401 on failure) |
| yorauth.permission | RequirePermission | Checks YorAuth permissions (401/403 on failure) |
| yorauth.verify-webhook | VerifyWebhookSignature | Verifies webhook payload signatures |
Webhooks
When YORAUTH_WEBHOOK_SECRET is set, the SDK auto-registers a POST endpoint at /yorauth/webhook (configurable) with signature verification.
Listener Classes
Create listeners with artisan and register them in config:
php artisan make:yorauth-listener SyncUsersListener
// config/yorauth.php
'webhook' => [
    'secret' => env('YORAUTH_WEBHOOK_SECRET'),
    'listeners' => [
        \App\Listeners\YorAuth\SyncUsersListener::class,
    ],
],
Typed Laravel Events
The SDK dispatches typed events for all 23 webhook event types:
| Event | Class |
|---|---|
| user.created | UserCreated |
| user.login | UserLogin |
| user.updated | UserUpdated |
| user.deleted | UserDeleted |
| role.assigned | RoleAssigned |
| role.removed | RoleRemoved |
| role.created | RoleCreated |
| role.updated | RoleUpdated |
| role.deleted | RoleDeleted |
| permission.granted | PermissionGranted |
| permission.revoked | PermissionRevoked |
| connection.created | ConnectionCreated |
| connection.refreshed | ConnectionRefreshed |
| connection.failed | ConnectionFailed |
| connection.revoked | ConnectionRevoked |
| consent.granted | ConsentGranted |
| mfa.enabled | MfaEnabled |
| mfa.disabled | MfaDisabled |
| policy.created | PolicyCreated |
| policy.updated | PolicyUpdated |
| policy.deleted | PolicyDeleted |
| attribute.set | AttributeSet |
| attribute.deleted | AttributeDeleted |
All event classes are in the YorAuth\Laravel\Events namespace and contain a WebhookPayload $payload property.
A generic YorAuthWebhookReceived event is also dispatched for every webhook, regardless of type.
Artisan Commands
- php artisan yorauth:test-connection -- Verify API connectivity and configuration
- php artisan make:yorauth-listener {name} -- Scaffold a webhook event listener class
Further Reading
- PHP SDK -- Standalone PHP SDK reference
- Installation -- Composer setup details
- Authentication -- Auth flow documentation
- Authorization -- Roles and permissions documentation