@maxtor - Thanks for your patience here. I wanted to make sure I had a clear answer, as well as a path forward for our documentation, before I posted back.
I explored the Laravel Passport method a bit and I think we should support that flow but it’s going require some major changes in our module, as I mentioned above.
I think a better path forward would be to secure the API with Auth0 instead and use access tokens generated during login to authenticate users. I’m working on getting our quickstart in better shape (PR) to explain that step by step but I’ll summarize here while that’s being reviewed:
Create an API in Auth0 and add the scopes you want. If this API is only used for logged-in users to access or manage their own information and you don’t need separate scopes for separate actions, you can skip adding any scopes. This is the first section of the current API quickstart.
- Follow the second section of the quickstart as well but, after publishing the settings, you’ll need to make sure your
laravel-auth0.php config file includes the fields needed for API auth, shown in this Gist.
- The “Protect API Endpoints” is the same except we’re going to swap out the middleware code with what’s in this Gist. The public and private routes will stay the same.
- Finally, in your login handler (
Auth0IndexController from the web app quickstart), you need to add the
api_identifier value like so:
public function login()
$authorize_params = [
'scope' => 'openid email email_verified',
'audience' => config('laravel-auth0.api_identifier'),
return \App::make('auth0')->login(null, null, $authorize_params);
This is what gives you back a JWT token you can use against the API. You’ll want to persist the access token (
persist_access_token => true in the
laravel-auth0 config) and get that token to the front end somehow (your best bet is probably a cookie on the response in a custom middleware).
This gets you a public and a private API route, skipping scopes since I don’t think you need it based on what you’ve described so far. If you do, I can pass that code along as it’s all going into the re-written quickstart.
If you try this out, let me know if it works as expected and, if not, where you’re getting stuck. We appreciate your feedback so far and glad to be fixing the gaps you found in our documentation and samples.