Need help with oauth2-azure?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

158 Stars 72 Forks MIT License 125 Commits 47 Opened issues


Azure AD provider for the OAuth 2.0 Client.

Services available


Need anything else?

Contributors list

Azure Active Directory Provider for OAuth 2.0 Client

Latest Version Total Downloads Software License

This package provides Azure Active Directory OAuth 2.0 support for the PHP League's OAuth 2.0 Client.

Table of Contents


To install, use composer:

composer require thenetworg/oauth2-azure


Usage is the same as The League's OAuth client, using

as the provider.

Authorization Code Flow

$provider = new TheNetworg\OAuth2\Client\Provider\Azure([
    'clientId'          => '{azure-client-id}',
    'clientSecret'      => '{azure-client-secret}',
    'redirectUri'       => '',
    'scopes'            => ['openid'],
    'defaultEndPointVersion' => '2.0'

// Set to use v2 API, skip the line or set the value to Azure::ENDPOINT_VERSION_1_0 if willing to use v1 API $provider->defaultEndPointVersion = TheNetworg\OAuth2\Client\Provider\Azure::ENDPOINT_VERSION_2_0;

$baseGraphUri = $provider->getRootMicrosoftGraphUri(null); $provider->scope = 'openid profile email offline_access ' . $baseGraphUri . '/User.Read';

if (isset($_GET['code']) && isset($_SESSION['OAuth2.state']) && isset($_GET['state'])) { if ($_GET['state'] == $_SESSION['OAuth2.state']) { unset($_SESSION['OAuth2.state']);

    // Try to get an access token (using the authorization code grant)
    /** @var AccessToken $token */
    $token = $provider->getAccessToken('authorization_code', [
        'scope' => $provider->scope,
        'code' => $_GET['code'],

    // Verify token
    // Save it to local server session data

    return $token->getToken();
} else {
    echo 'Invalid state';

    return null;

} else { // // Check local server's session data for a token // // and verify if still valid // /** @var ?AccessToken $token */ // $token = // token cached in session data, null if not found; // // if (isset($token)) { // $me = $provider->get($provider->getRootMicrosoftGraphUri($token) . '/v1.0/me', $token); // $userEmail = $me['mail']; // // if ($token->hasExpired()) { // if (!is_null($token->getRefreshToken())) { // $token = $provider->getAccessToken('refresh_token', [ // 'scope' => $provider->scope, // 'refresh_token' => $token->getRefreshToken() // ]); // } else { // $token = null; // } // } //} // // If the token is not found in // if (!isset($token)) { $authorizationUrl = $provider->getAuthorizationUrl(['scope' => $provider->scope]);

    $_SESSION['OAuth2.state'] = $provider->getState();

    header('Location: ' . $authorizationUrl);

// }

return $token->getToken();


Advanced flow

The Authorization Code Grant Flow is a little bit different for Azure Active Directory. Instead of scopes, you specify the resource which you would like to access - there is a param

which will automatically populate the
param of request with the value of either
. This feature is mostly intended for v2.0 endpoint of Azure AD (see more here).

Using custom parameters

With oauth2-client of version 1.3.0 and higher, it is now possible to specify custom parameters for the authorization URL, so you can now make use of options like

and similar. See the following example of obtaining an authorization URL which will force the user to reauthenticate:
$authUrl = $provider->getAuthorizationUrl([
    'prompt' => 'login'
You can find additional parameters here.

Logging out

If you need to quickly generate a logout URL for the user, you can do following:

// Assuming you have provider properly initialized.
$post_logout_redirect_uri = ''; // The logout destination after the user is logged out from their account.
$logoutUrl = $provider->getLogoutUrl($post_logout_redirect_uri);
header('Location: '.$logoutUrl); // Redirect the user to the generated URL

Call on behalf of a token provided by another app

// Use token provided by the other app
// Make sure the other app mentioned this app in the scope when requesting the token
$suppliedToken = '';  

$provider = xxxxx;// Initialize provider

// Call this to get claims // $claims = $provider->validateAccessToken($suppliedToken);

/** @var AccessToken $token */ $token = $provider->getAccessToken('jwt_bearer', [ 'scope' => $provider->scope, 'assertion' => $suppliedToken, 'requested_token_use' => 'on_behalf_of', ]);

Making API Requests

This library also provides easy interface to make it easier to interact with Azure Graph API and Microsoft Graph, the following methods are available on

object (it also handles automatic token refresh flow should it be needed during making the request):
  • get($ref, $accessToken, $headers = [])
  • post($ref, $body, $accessToken, $headers = [])
  • put($ref, $body, $accessToken, $headers = [])
  • delete($ref, $body, $accessToken, $headers = [])
  • patch($ref, $body, $accessToken, $headers = [])
  • getObjects($tenant, $ref, $accessToken, $headers = [])
    This is used for example for listing large amount of data - where you need to list all users for example - it automatically follows
    until the end.
    • $tenant
      tenant has to be provided since the
      doesn't contain it.
  • request($method, $ref, $accessToken, $options = [])
    See #36 for use case.

Please note that if you need to create a custom request, the method getAuthenticatedRequest and getResponse can still be used.


  • $ref
    The URL reference without the leading
    , for example
  • $body
    The contents of the request, make has to be either string (so make sure to use
    to encode the request)s or stream (see Guzzle HTTP)
  • $accessToken
    The access token object obtained by using
  • $headers
    Ability to set custom headers for the request (see Guzzle HTTP)

Resource Owner

With version 1.1.0 and onward, the Resource Owner information is parsed from the JWT passed in

by Azure Active Directory. It exposes few attributes and one function.


$resourceOwner = $provider->getResourceOwner($token);
echo 'Hello, '.$resourceOwner->getFirstName().'!';
The exposed attributes and function are: -
- Gets user's object id - unique for each user -
- Gets user's first name -
- Gets user's family name/surname -
- Gets id of tenant which the user is member of -
- Gets user's User Principal Name, which can be also used as user's e-mail address -
- Gets any other claim (specified as
) from the JWT, full list can be found here

Microsoft Graph

Calling Microsoft Graph is very simple with this library. After provider initialization simply change the API URL followingly (replace

with your desired version): ```php // Mention Microsoft Graph scope when initializing the provider $baseGraphUri = $provider->getRootMicrosoftGraphUri(null); $provider->scope = 'your scope ' . $baseGraphUri . '/User.Read';

// Call a query $provider->get($provider->getRootMicrosoftGraphUri($token) . '/v1.0/me', $token); ``

After that, when requesting access token, refresh token or so, provide the
with value
in order to be able to make calls to the Graph (see more about
resource` here).

Protecting your API - experimental

With version 1.2.0 you can now use this library to protect your API with Azure Active Directory authentication very easily. The Provider now also exposes

validateAccessToken(string $token)
which lets you pass an access token inside which you for example received in the
header of the request on your API. You can use the function followingly (in vanilla PHP): ```php // Assuming you have already initialized the $provider

// Obtain the accessToken - in this case, we are getting it from Authorization header $headers = getallheaders(); // Assuming you got the value of Authorization header as "Bearer [theaccesstoken]" we parse it $authorization = explode(' ', $headers['Authorization']); $accessToken = $authorization[1];

try { $claims = $provider->validateAccessToken($accessToken); } catch (Exception $e) { // Something happened, handle the error }

// The access token is valid, you can now proceed with your code. You can also access the $claims as defined in JWT - for example roles, group memberships etc. ```

You may also need to access some other resource from the API like the Microsoft Graph to get some additional information. In order to do that, there is

grant available (RFC). An example (assuming you have the code above working and you have the required permissions configured correctly in the Azure AD application): ```php $graphAccessToken = $provider->getAccessToken('jwtbearer', [ 'resource' => '', 'assertion' => $accessToken, 'requestedtokenuse' => 'onbehalf_of' ]);

$me = $provider->get('', $graphAccessToken); printr($me); ``

Just to make it easier so you don't have to remember entire name for

), you just use short
jwt_bearer` instead.

Azure Active Directory B2C - experimental

You can also now very simply make use of Azure Active Directory B2C. Before authentication, change the endpoints using

and additionally specify your login policy. Please note that the B2C support is still experimental and wasn't fully tested. ```php $provider->pathAuthorize = "/oauth2/v2.0/authorize"; $provider->pathToken = "/oauth2/v2.0/token"; $provider->scope = ["idtoken"];

// Specify custom policy in our authorization URL $authUrl = $provider->getAuthorizationUrl([ 'p' => 'b2c1siup' ]); ```

Multipurpose refresh tokens - experimental

In cause that you need to access multiple resources (like your API and Microsoft Graph), you can use multipurpose refresh tokens. Once obtaining a token for first resource, you can simply request another token for different resource like so:

$accessToken2 = $provider->getAccessToken('refresh_token', [
    'refresh_token' => $accessToken1->getRefreshToken(),
    'resource' => 'http://urlOfYourSecondResource'
At the moment, there is one issue: When you make a call to your API and the token has expired, it will have the value of
which is obviously wrong for
. The solution is very simple - set the
to the resource which you want to call. This issue will be addressed in future release. Please note that this is experimental and wasn't fully tested.

Known users

If you are using this library and would like to be listed here, please let us know! - TheNetworg/DreamSpark-SSO


We accept contributions via Pull Requests on Github.



If you find a bug or encounter any issue or have a problem/question with this library please create a new issue.


The MIT License (MIT). Please see License File for more information.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.