PKCEHelper
in package
Table of Contents
Properties
Methods
- __construct() : mixed
- authKitCodeExchange() : array<string|int, mixed>
- Exchange an authorization code with a PKCE code verifier.
- createPublicClient() : WorkOS
- Create a WorkOS client configured for PKCE-only / public-client usage.
- generate() : array{code_verifier: string, code_challenge: string, code_challenge_method: string}
- Generate a complete PKCE pair (verifier + challenge).
- generateCodeChallenge() : string
- Compute the S256 code challenge for a given verifier.
- generateCodeVerifier() : string
- Generate a cryptographically random code verifier.
- getAuthKitAuthorizationUrl() : array{url: mixed, code_verifier: string, state: string}
- Generate an AuthKit authorization URL with auto-generated PKCE parameters and state.
- getSsoAuthorizationUrl() : array{url: mixed, code_verifier: string, state: string}
- Generate an SSO authorization URL with auto-generated PKCE parameters and state.
- ssoCodeExchange() : array<string|int, mixed>
- Exchange an SSO authorization code with a PKCE code verifier.
- base64UrlEncode() : string
- Base64url-encode without padding, per RFC 7636.
Properties
$client read-only
private
HttpClient
$client
Methods
__construct()
public
__construct(HttpClient $client) : mixed
Parameters
- $client : HttpClient
authKitCodeExchange()
Exchange an authorization code with a PKCE code verifier.
public
authKitCodeExchange(string $code, string $codeVerifier, string $clientId) : array<string|int, mixed>
Parameters
- $code : string
-
The authorization code.
- $codeVerifier : string
-
The PKCE code verifier.
- $clientId : string
-
The WorkOS client ID.
Return values
array<string|int, mixed> —The authentication response.
createPublicClient()
Create a WorkOS client configured for PKCE-only / public-client usage.
public
static createPublicClient(string $clientId[, string $baseUrl = 'https://api.workos.com' ]) : WorkOS
Public clients do not use an API key (client_secret). This factory creates a WorkOS instance suitable for browser-side or mobile flows where the client secret cannot be safely stored.
Parameters
- $clientId : string
-
The WorkOS client ID.
- $baseUrl : string = 'https://api.workos.com'
-
The WorkOS API base URL. Defaults to production.
Return values
WorkOS —A WorkOS client configured for public-client usage.
generate()
Generate a complete PKCE pair (verifier + challenge).
public
static generate() : array{code_verifier: string, code_challenge: string, code_challenge_method: string}
Return values
array{code_verifier: string, code_challenge: string, code_challenge_method: string}generateCodeChallenge()
Compute the S256 code challenge for a given verifier.
public
static generateCodeChallenge(string $verifier) : string
Parameters
- $verifier : string
-
The code verifier string.
Return values
string —The base64url-encoded SHA-256 hash of the verifier.
generateCodeVerifier()
Generate a cryptographically random code verifier.
public
static generateCodeVerifier([int $length = 43 ]) : string
Parameters
- $length : int = 43
-
Length of the verifier string (43-128 per RFC 7636).
Tags
Return values
string —A base64url-encoded random string of the requested length.
getAuthKitAuthorizationUrl()
Generate an AuthKit authorization URL with auto-generated PKCE parameters and state.
public
getAuthKitAuthorizationUrl(string $redirectUri, string $clientId[, string|null $state = null ][, string|null $provider = null ][, string|null $connectionId = null ][, string|null $organizationId = null ][, string|null $domainHint = null ][, string|null $loginHint = null ][, string|null $screenHint = null ]) : array{url: mixed, code_verifier: string, state: string}
Parameters
- $redirectUri : string
-
The redirect URI.
- $clientId : string
-
The WorkOS client ID.
- $state : string|null = null
-
Optional state parameter. Auto-generated if null.
- $provider : string|null = null
-
Optional auth provider.
- $connectionId : string|null = null
-
Optional connection ID.
- $organizationId : string|null = null
-
Optional organization ID.
- $domainHint : string|null = null
-
Optional domain hint.
- $loginHint : string|null = null
-
Optional login hint.
- $screenHint : string|null = null
-
Optional screen hint.
Return values
array{url: mixed, code_verifier: string, state: string}getSsoAuthorizationUrl()
Generate an SSO authorization URL with auto-generated PKCE parameters and state.
public
getSsoAuthorizationUrl(string $redirectUri, string $clientId[, string|null $state = null ][, string|null $domain = null ][, string|null $provider = null ][, string|null $connection = null ][, string|null $organization = null ][, string|null $domainHint = null ][, string|null $loginHint = null ]) : array{url: mixed, code_verifier: string, state: string}
Parameters
- $redirectUri : string
-
The redirect URI.
- $clientId : string
-
The WorkOS client ID.
- $state : string|null = null
-
Optional state parameter. Auto-generated if null.
- $domain : string|null = null
-
Optional SSO domain.
- $provider : string|null = null
-
Optional SSO provider.
- $connection : string|null = null
-
Optional connection ID.
- $organization : string|null = null
-
Optional organization ID.
- $domainHint : string|null = null
-
Optional domain hint.
- $loginHint : string|null = null
-
Optional login hint.
Return values
array{url: mixed, code_verifier: string, state: string}ssoCodeExchange()
Exchange an SSO authorization code with a PKCE code verifier.
public
ssoCodeExchange(string $code, string $codeVerifier, string $clientId) : array<string|int, mixed>
Parameters
- $code : string
-
The authorization code.
- $codeVerifier : string
-
The PKCE code verifier.
- $clientId : string
-
The WorkOS client ID.
Return values
array<string|int, mixed> —The SSO token response.
base64UrlEncode()
Base64url-encode without padding, per RFC 7636.
private
static base64UrlEncode(string $data) : string
Parameters
- $data : string