Library status #1041

Open
stephanvierkant opened this issue Nov 29, 2024 · 2 comments

@stephanvierkant

It's really unfortunate that the two most popular libraries in this area (https://packagist.org/?query=oauth2%20client) appear to no longer be maintained.

What I wonder:

  1. Is there a reason these libraries are no longer being maintained? Are there other popular methods besides OAuth2 that I might have missed?
  2. How can we ensure that this library starts being maintained again? Is there a procedure for this within thephpleague?
  3. If this library becomes maintained again, will we formulate a migration path from HWIOAuthBundle and mark that bundle as deprecated? The organization (HWI, https://hardware.info/) has ceased to exist. It's easier to maintain one library instead of two, and this aligns with The League's philosophy: "A problem shared is a problem halved."

See #1039

@mathieudz

OAuth2 is not an authentication protocol, it's an authorization protocol, so the whole idea of this library is wrong:

> The HWIOAuthBundle adds support for authenticating users via OAuth1.0a or OAuth2 in Symfony.

The proper protocol for authentication is OpenID Connect, which builds on top of OAuth2. There are symfony bundles for OIDC, e.g. https://github.com/halloverden/symfony-oidc-client-bundle

Symfony itself also provides some support for OIDC, but only in a scenario where the front-end handles the token request: https://symfony.com/blog/new-in-symfony-6-3-openid-connect-token-handler

@ramsey
Contributor

ramsey commented Dec 11, 2024

  1. This library is still maintained, but we are volunteers who do this in our free time. 😅
  2. This question is best directed at PHP League leadership.
  3. I'm not familiar with HWIOAuthBundle. It's not a PHP League package, so I'm a little confused. Are you suggesting the PHP League take over maintenance?

I've just released version 2.8.0 of oauth2-client, which includes many of the open pull requests, including support for PHP 8.4.

Version 3.0 of oauth2-client will drop the Guzzle requirement and fully support PSR-18.

> OAuth2 is not an authentication protocol, it's an authorization protocol, so the whole idea of this library is wrong - @mathieudz

This library doesn't try to use OAuth2 as an authentication protocol. It's not a one-size-fits-all solution. Rather, it abstracts the most common behaviors that developers need to build and provides a way for developers to build on top of the abstraction to support any number of providers.
