A league/oauth2-client provider for GOV.UK Account

1.0.3 2022-11-24 18:45 UTC

This package is auto-updated.

Last update: 2022-11-24 18:45:47 UTC


A provider (based on PHP League OAuth2-Client) to interact with GOV.UK Account.

Supports autoconfiguration for most settings using the discovery endpoint.

For identity assurance (when verifying the JWT in , you will need to define the identity_assurance_public_key and expected_core_identity_issuer for the short interim until the key and issuer is published on the discovery endpoint.


The recommended way to install is through Composer.

composer require dvsa/php-govuk-account


You may want to refer to the documentation provided at PHP League OAuth2-Client as this package is a provider for that abstract package.

When instantiating the provider, the constructor accepts additional attributes defined in array $options = [] which are specific for this provider; in addition to the default options provided by the AbstractProvider (PHP League OAuth2-Client).

'discovery_endpoint' => 'https://oidc.integration.account.gov.uk/.well-known/openid-configuration', // Endpoint for OIDC discovery
'client_id' => '', // Client ID issued by GOV.UK Account
'keys' => [
  'algorithm' => '', // Algorithm for private_key
  'private_key' => '', // Private key used to encode assertion when obtaining access token (public key must be shared with GOV.UK Account)
  'identity_assurance_public_key' => [], // THe public key used to verify the JWTCoreIdentity token from UserDetails endpoint (if initial flow included identity assurance)
'redirect_uri' => [
  'logged_in' => '', // The url used for redirection back to the service
'expected_core_identity_issuer' => 'identity.integration.account.gov.uk', // Issuer for JWTCoreIdentity token


Please refer to our Contribution Guide and Contributor Code of Conduct.