Auth0-PHP - Update User Info After Profile Change

Hi there,

SDK: Auth0-PHP
Version: 7.9

I am currently working on integrating Auth0 into a PHP application. Everything is working quite well so far but I seem to be getting stuck when it comes to updating the user profile.

The user profile gets updated (from an API/backend perspective) no worries at all, but none of the changes are reflected for the current user session. For example, given the following code:

$options = array(
    'name' => $name,
    'email' => $email,
    'email_verified' => false,
    'verify_email' => true,
);
$mgmtApi->users()->update($userId, $options);

After the profile has been updated, the output of:

$auth0->getUser()

Is still showing the previous details (before the update). This obviously makes things pretty awkward for the user and makes email verification emails have no visible impact until the user logs out and back in.

From the research I have done I know I am clearly missing something but I am struggling to put the pieces together.

States: “To access the most up-to-date values for the email or custom claims, you must get new tokens. You can log in using silent authentication (where the prompt parameter for your call to the authorize endpoint equals none).”

But I am not sure how I can do that from the SDK. I have tried (taken from other Auth0 documentation):

$authorizeUrl = $auth_api->get_authorize_link(
    'code',
    getenv('AUTH0_REDIRECT_URI'),
    null,
    $state_value,
    [
        // Optional API Audience to get an access token.
        'audience' => 'https://' . getenv('AUTH0_DOMAIN') . '/api/v2/',
        // Adjust ID token scopes requested.
        'scope' => getenv('AUTH0_SCOPE'),
        'prompt' => 'none',
    ]
);
header('Location: '. $authorizeUrl);
exit;

Which still doesn’t seem to do anything.

I know I can call the management API which would work in updating the ‘email’ property but it doesn’t solve updating ‘email_verified’ when a user clicks the verification link.

I would greatly appreciate some help/examples on how others are doing this in their PHP applications.

Hey @mooonstage4 :wave: Silent Authentication is meant for single-page applications and isn’t really a viable route to go with for PHP, if only for the fact that Auth0 will return the response of those calls in the form of a page fragment (a URL with a # hashtag, followed by the parameters.)

GET https://YOUR_APP/callback
    #id_token=...&
    access_token=...&
    state=...&
    expires_in=...

Standard HTTP calls do not pass page fragments, as they’re meant to be client-side only; PHP doesn’t have any native way of reading those.

Truth be told, I don’t think we really have a super streamlined method of doing this at the moment from within the SDK, particularly in the 7.x branch. Have you tried calling the userinfo() method on the Auth0\API\Authentication class directly? I would’ve thought the response would include the updated profile information you’re looking for (I can see the API docs say otherwise, but worth trying.) If that was the case, you could then overwrite the persisted user data using setUser() on Auth0\SDK\Auth0.

You could try invoking your silent authentication flow, setting the redirect to a special callback in your application for the purposes of hitting userInfo() and updating the persisted user object at that point. I’m not certain, but that might be enough to force the email on the response to refresh.

(Unless I’m misunderstanding you and that’s what you’re trying already!)


Thanks for helping on this one Evan!


Hey again! :wave: Just wanted to confirm this will work without firing off any sort of reauthentication. I took some time and prototyped it today.

  • Issue the user changes using Auth0\SDK\API\Management\Users::update()
  • Pull the newly updated user data from the Auth0\SDK\API\Authentication::userinfo()
  • Overwrite the local user data for the user session using Auth0\SDK\Auth0::setUser()

I’m uncertain why our API documents say otherwise on this; there might be some use cases where that is required for the values to update. However, as far as my actual testing with the API goes, this will work fine without reauthenticating.
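The three steps above wired together, as an added example (not code from the thread, the Auth0 docs or the SDK). It assumes an Auth0-PHP 7.x `$auth0` instance created with `'persist_access_token' => true`, a Management API token in `$mgmtToken`, and that the login requested the openid, profile and email scopes so the session's access token is accepted by /userinfo.

```php
<?php
// Added example: refresh the persisted session profile after a Management API
// update, without re-authenticating. $auth0 and $mgmtToken are assumed to
// exist already (not shown in the thread).
require 'vendor/autoload.php';

use Auth0\SDK\API\Authentication;
use Auth0\SDK\API\Management;

function refreshSessionProfile(\Auth0\SDK\Auth0 $auth0, string $mgmtToken, array $changes): array
{
    $domain  = getenv('AUTH0_DOMAIN');
    $current = $auth0->getUser();
    if ($current === null || empty($current['sub'])) {
        throw new RuntimeException('No authenticated session to refresh.');
    }

    // Step 1: apply the change server-side through the Management API.
    $mgmt = new Management($mgmtToken, $domain);
    $mgmt->users()->update($current['sub'], $changes);

    // Step 2: pull the fresh profile from /userinfo with the session's own
    // access token (requires persist_access_token and the openid scope).
    $accessToken = $auth0->getAccessToken();
    if ($accessToken === null) {
        throw new RuntimeException('No access token persisted; enable persist_access_token.');
    }
    $auth  = new Authentication($domain, getenv('AUTH0_CLIENT_ID'));
    $fresh = $auth->userinfo($accessToken);

    // Guard: never overwrite the session with a profile for a different subject.
    if (($fresh['sub'] ?? null) !== $current['sub']) {
        throw new RuntimeException('userinfo subject does not match the session.');
    }

    // Step 3: overwrite the persisted user so getUser() reflects the change.
    $auth0->setUser($fresh);
    return $fresh;
}

// Usage after the user submits a new address ($newEmail is a placeholder).
// email_verified stays false until the verification link is clicked, so run
// the same refresh again on the page the user lands on afterwards; until
// then, treat the address as unverified for any authorization decision.
$profile = refreshSessionProfile($auth0, $mgmtToken, [
    'email'          => $newEmail,
    'email_verified' => false,
    'verify_email'   => true,
]);
```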