
# Tokens management

## **Information**

All tokens obtained by the different methods are stored in the session.

The *id\_token* must be a JWS (a JWT signed by the OP with a key published at its *jwks\_uri* endpoint, or signed with the *client\_secret*).
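
To illustrate the *client\_secret* case, the following added example (not the library's own code) checks an HS256-signed compact JWS by hand. The function names and the sample token are constructed for the illustration, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not library code: verify a compact JWS signed with HS256,
// where the HMAC key is the client_secret.

function b64url_decode(string $in)
{
    $pad = (4 - strlen($in) % 4) % 4;
    return base64_decode(strtr($in, '-_', '+/') . str_repeat('=', $pad), true);
}

function b64url_encode(string $in): string
{
    return rtrim(strtr(base64_encode($in), '+/', '-_'), '=');
}

// Returns the decoded claims, or null if the token is not a valid HS256 JWS.
function verify_hs256_jws(string $jws, string $clientSecret): ?array
{
    $parts = explode('.', $jws);
    if (count($parts) !== 3) {
        return null; // a compact JWS has exactly three segments
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    // Pin the algorithm instead of trusting the header ("none" is refused here).
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $clientSecret, true);
    $given = b64url_decode($s);
    // hash_equals() compares in constant time.
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }
    $claims = json_decode((string) b64url_decode($p), true);
    return is_array($claims) ? $claims : null;
}

// Constructed sample tokens (placeholders taken from this page's snippets).
$secret = 'Your_client_secret';
$h = b64url_encode('{"alg":"HS256","typ":"JWT"}');
$p = b64url_encode('{"iss":"https://id.provider.com","aud":"Your_client_id","sub":"user-1"}');
$signed = "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
$unsigned = b64url_encode('{"alg":"none"}') . ".$p.";

var_dump(verify_hs256_jws($signed, $secret) !== null);   // correctly signed token
var_dump(verify_hs256_jws($unsigned, $secret) !== null); // alg "none", empty signature
var_dump(verify_hs256_jws($signed, 'wrong') !== null);   // wrong client_secret
```

This covers the signature only; the *iss*, *aud*, *exp* and *nonce* claims of an *id\_token* still have to be validated.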

***

## **Flow code, implicit, hybrid**

Generally used by the callback URL after authorization on the OP, for the code or hybrid flow.

Basic usage :

```php
$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->get_tokens(); 
```

***

## **Password grant**

The *Password grant* flow should not be used. See explanation on : <https://www.oauth.com/oauth2-servers/access-tokens/password-grant/>

If your OP does not accept it, you cannot use it.

Basic usage :

```php
$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->password_grant($username, $password); 
```

***

## **Client credentials**

This flow is used when applications request an *access\_token* to access their own resources.

Basic usage :

```php
$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$scopes = 'write read';
$tokens = $tokenRes->client_credentials($scopes); // $scopes is optional
```

***

## **Refresh token**

Used to get a new *access\_token* and *id\_token*. The *refresh\_token* must be sent with the other tokens. Generally, in the authorization flow, the scope *offline\_access* must be used.

Basic usage :

```php
$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);

$tokenRes = $client->token();
// add options for authentication if needed
// example : $tokenRes->set_auth_method('client_secret_post');
//
$tokens = $tokenRes->refresh_token($refresh_token);
// $refresh_token is optional. If not set, the library tries to find it in its session.
```

***

## **Introspect token**

The OP must have *introspection\_endpoint* set.

> The introspection endpoint is not defined in OpenID Connect Provider Metadata (<https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata>). You can add it with (it's an example) :
>
> ```php
>  $client->add_OP_info('introspection_endpoint', 'https://id.provider.com/intro');
> ```

Based on [rfc7662](https://www.rfc-editor.org/rfc/rfc7662), the token must be an *access\_token* or a *refresh\_token*.

**Usage :**

```php
$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);
// ...

$tokenRes = $client->token();
// ...

$token = '...AccessTokenValue';
$type = 'access_token';
// OR
$token = '...refreshTokenValue';
$type = 'refresh_token';
// $type is optional. If set, it must have 'refresh_token' or 'access_token' value
//..
// Call the method on the token resource created above ($tokenRes)
$introspectResponse = $tokenRes->introspect_token($token, $type);
```
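
The following added example (not the library's own code) shows how a resource can evaluate an RFC 7662 introspection response before trusting a token. It assumes the response has been decoded into an associative array; the function name, the required audience and scope, and the sample responses are constructed for the illustration.

```php
<?php
// Added example, not library code. $resp is assumed to be the RFC 7662 JSON
// response decoded into an associative array.

function introspection_allows(array $resp, string $audience, string $scope, int $now): bool
{
    // "active" is the only REQUIRED member; anything but boolean true is a reject.
    if (($resp['active'] ?? false) !== true) {
        return false;
    }
    if (isset($resp['exp']) && (int) $resp['exp'] <= $now) {
        return false; // expired
    }
    if (isset($resp['nbf']) && (int) $resp['nbf'] > $now) {
        return false; // not valid yet
    }
    // "aud" may be a single string or a list of strings.
    if (isset($resp['aud']) && !in_array($audience, (array) $resp['aud'], true)) {
        return false;
    }
    // "scope" is a space-separated list; a missing scope grants nothing.
    $granted = preg_split('/\s+/', (string) ($resp['scope'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    return in_array($scope, $granted, true);
}

// Constructed sample responses.
$now = 1700000000; // constructed clock value
$samples = [
    'active'      => ['active' => true, 'scope' => 'read write', 'aud' => 'Your_client_id', 'exp' => $now + 300],
    'revoked'     => ['active' => false],
    'string-true' => ['active' => 'true', 'scope' => 'read'],
    'expired'     => ['active' => true, 'scope' => 'read', 'exp' => $now - 1],
    'other-aud'   => ['active' => true, 'scope' => 'read', 'aud' => ['another_client']],
];

foreach ($samples as $name => $resp) {
    $ok = introspection_allows($resp, 'Your_client_id', 'read', $now);
    printf("%-12s %s\n", $name, $ok ? 'accept' : 'reject');
}
```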

***

## **Revoke token**

Only *access\_token* and *refresh\_token* can be used.

The OP must have *revocation\_endpoint* set.

> The revocation endpoint is not defined in OpenId Connect Provider Metadata (<https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata>). You can add it with (it's an example) :
>
> ```php
>  $client->add_OP_info('revocation_endpoint', 'https://id.provider.com/revoke');
> ```

**Usage :**

```php
$client = new Svgta\OidcClient\init(
  'https://id.provider.com/.well-known/openid-configuration',
  'Your_client_id',
  'Your_client_secret'
);
// ...

$tokenRes = $client->token();
// ...

$token = '...AccessTokenValue';
$type = 'access_token';
// OR
$token = '...refreshTokenValue';
$type = 'refresh_token';
// $type is optional. If set, it must have 'refresh_token' or 'access_token' value
//..
// Call the method on the token resource created above ($tokenRes)
$revokeResponse = $tokenRes->revoke_token($token, $type);
```

