Auth0-php regular web app + API

Hi, i belive i found the reson for the issue :slight_smile:

It looks like i get a Opaque tokens and not a JSON Web Token (JWT).

From this post:

To get the JWT i added this code:

        echo "<h2>Get JWT Token</h2>";

        $curl = curl_init();

        curl_setopt_array($curl, [
          CURLOPT_URL => "https://".$_ENV['AUTH0_DOMAIN']."/oauth/token",
          CURLOPT_RETURNTRANSFER => true,
          CURLOPT_ENCODING => "",
          CURLOPT_MAXREDIRS => 10,
          CURLOPT_TIMEOUT => 30,
          CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
          CURLOPT_CUSTOMREQUEST => "POST",
          CURLOPT_POSTFIELDS => "grant_type=client_credentials&client_id=".$_ENV['AUTH0_CLIENT_ID']."&client_secret=".$_ENV['AUTH0_CLIENT_SECRET']."&audience=".$_ENV['AUTH0_AUDIENCE'],
          CURLOPT_HTTPHEADER => [
            "content-type: application/x-www-form-urlencoded"
          ],
        ]);
        
        $response = curl_exec($curl);
        $err = curl_error($curl);
        
        curl_close($curl);
        
        if ($err) {
          echo "cURL Error #:" . $err;
        } else {
            $response = json_decode($response);
            echo $response->access_token;
        }

So now my full test app looks like this:

<?php

declare(strict_types=1);

use Auth0\Quickstart\Application;
use Auth0\Quickstart\Contract\QuickstartExample;
use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;
use Steampixel\Route;


 // Set app root.
 define('APP_ROOT', realpath(__DIR__ . DIRECTORY_SEPARATOR));

 // The following globals don't get set during tests: apply some safe defaults.
 if (! isset($_SERVER['SERVER_PORT'])) {
     $_SERVER['SERVER_PORT'] = 80;
 }
 
 if (! isset($_SERVER['SERVER_NAME'])) {
     $_SERVER['SERVER_NAME'] = '127.0.0.1';
 }
 
 if (! isset($_SERVER['REQUEST_URI'])) {
     $_SERVER['REQUEST_URI'] = '/';
 }
 
// Import the files necessary for our Quickstart Application.
foreach ([
    'vendor/autoload.php', // Composer autoloader, for our dependencies, such as the SDK itself.

    // These classes are application boilerplate and not directly relevant to SDK usage:
    //'src/ApplicationRouter.php',
    //'src/ApplicationTemplates.php',
    //'src/ApplicationErrorHandler.php',

    // Import our Application class, where our app logic resides, and where we'll make our SDK calls.
    //'src/Application.php',
] as $import) {
    require_once join(DIRECTORY_SEPARATOR, [APP_ROOT, $import]);
}

// Load configuration from .env file in project root.
(Dotenv\Dotenv::createImmutable(APP_ROOT))->load();

// Now instantiate the Auth0 class with our configuration:
$auth0 = new \Auth0\SDK\Auth0([
    'domain' => $_ENV['AUTH0_DOMAIN'],
    'clientId' => $_ENV['AUTH0_CLIENT_ID'],
    'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
    'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
]);
//     'audience' => $_ENV['AUTH0_AUDIENCE']


// Define route constants:
define('ROUTE_URL_INDEX', rtrim($_ENV['AUTH0_BASE_URL'], '/'));
define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login');
define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback');
define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout');


Route::add('/', function() use ($auth0) {
    $session = $auth0->getCredentials();
  
    if ($session === null) {
        // The user isn't logged in.
        echo '<p>Please <a href="/login">log in</a>.</p>';
        return;
    } else {
        // The user is logged in.
        echo "<h2>Session data ouput</h2>";
        echo '<pre>';
        print_r($session->user);
        echo '</pre>';
        // AccessToken
        echo '<pre>';
        print_r($session->accessToken);
        echo '</pre>';
        
        echo "<h2>Get JWT Token</h2>";

        $curl = curl_init();

        curl_setopt_array($curl, [
          CURLOPT_URL => "https://".$_ENV['AUTH0_DOMAIN']."/oauth/token",
          CURLOPT_RETURNTRANSFER => true,
          CURLOPT_ENCODING => "",
          CURLOPT_MAXREDIRS => 10,
          CURLOPT_TIMEOUT => 30,
          CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
          CURLOPT_CUSTOMREQUEST => "POST",
          CURLOPT_POSTFIELDS => "grant_type=client_credentials&client_id=".$_ENV['AUTH0_CLIENT_ID']."&client_secret=".$_ENV['AUTH0_CLIENT_SECRET']."&audience=".$_ENV['AUTH0_AUDIENCE'],
          CURLOPT_HTTPHEADER => [
            "content-type: application/x-www-form-urlencoded"
          ],
        ]);
        
        $response = curl_exec($curl);
        $err = curl_error($curl);
        
        curl_close($curl);
        
        if ($err) {
          echo "cURL Error #:" . $err;
        } else {
            $response = json_decode($response);
            echo $response->access_token;
        }

        echo "<h2>Access API</h2>";
        $curl = curl_init();

        curl_setopt_array($curl, array(
          CURLOPT_URL => "https://vismaapi.bjerge.com/api/private",
          CURLOPT_RETURNTRANSFER => true,
          CURLOPT_ENCODING => "",
          CURLOPT_MAXREDIRS => 10,
          CURLOPT_TIMEOUT => 30,
          CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
          CURLOPT_CUSTOMREQUEST => "GET",
          CURLOPT_HTTPHEADER => array(
            "authorization: Bearer $response->access_token"
          ),
        ));
        
        $response = curl_exec($curl);
        $err = curl_error($curl);
        
        curl_close($curl);
        
        if ($err) {
          echo "cURL Error #:" . $err;
        } else {
          echo $response;
        }


        echo '<p>You can now <a href="/logout">log out</a>.</p>';
    }
  });

Route::add('/login', function() use ($auth0) {
    // It's a good idea to reset user sessions each time they go to login to avoid "invalid state" errors, should they hit network issues or other problems that interrupt a previous login process:
    $auth0->clear();

    // Finally, set up the local application session, and redirect the user to the Auth0 Universal Login Page to authenticate.
    header("Location: " . $auth0->login(ROUTE_URL_CALLBACK));
    exit;
});

Route::add('/callback', function() use ($auth0) {
    // Have the SDK complete the authentication flow:
    $auth0->exchange(ROUTE_URL_CALLBACK);

    // Finally, redirect our end user back to the / index route, to display their user profile:
    header("Location: " . ROUTE_URL_INDEX);
    exit;
});


Route::add('/logout', function() use ($auth0) {
    // Clear the user's local session with our app, then redirect them to the Auth0 logout endpoint to clear their Auth0 session.
    header("Location: " . $auth0->logout(ROUTE_URL_INDEX));
    exit;
});

// This tells our router that we've finished configuring our routes, and we're ready to begin routing incoming HTTP requests:
Route::run('/');
3 Likes