Hey @adamevers Thanks for reaching out, and welcome to the Community!
As you noticed, there were some pretty significant changes in the transition between v7 and v8 of the SDK — one of which was transitioning from using the underlying lcobucci/jwt library mentioned in that blog post, to using our own approach for token parsing/validation/verification.
I have not tried applying v8 of the PHP SDK to handling JWTs from Cloudflare specifically, so admittedly your mileage may vary, but I can’t think of any specific reason offhand why it shouldn’t handle them just fine.
In SDK v8, you can use the `Auth0\SDK\Auth0::decode()` method to handle parsing, validating and verifying a token in one go. Here’s some example code for this process from the EXAMPLES.md file:
```php
use Auth0\SDK\Auth0;
use Auth0\SDK\Token;
use Auth0\SDK\Configuration\SdkConfiguration;

$configuration = new SdkConfiguration(
    strategy: SdkConfiguration::STRATEGY_API,
    domain: '...',
    clientId: '...',
    clientSecret: '...',
);

$auth0 = new Auth0($configuration);

$token = $auth0->decode(
    token: 'YOUR_ACCESS_TOKEN_HERE',
    tokenType: Token::TYPE_TOKEN, // This tells the SDK to treat the token as an Access Token, rather than an ID Token.
    // ... other parameters are available, see the API reference:
    // ... https://auth0.github.io/auth0-PHP/classes/Auth0-SDK-Auth0.html#method_decode
);

print_r($token);
```
It’s important to note that the SDK will use the information configured in `SdkConfiguration` when verifying the token signature and validating its claims. You may need to make overrides to the `decode()` method parameters for non-Auth0 JWT tokens; I’m not certain, to be honest.
If you need a little more control over the individual steps in your token handling, you can create an SDK `Token` instance yourself (e.g. `$token = new \Auth0\SDK\Token($sdkConfigurationInstance, $accessTokenString, \Auth0\SDK\Token::TYPE_TOKEN)`) and then use the `$token->verify()` and `$token->validate()` methods on that class from there. Those methods have override parameters that may prove beneficial in handling non-Auth0 JWTs.
Please do let us know how it goes, I’d be curious to hear!
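As an added example of the "more control" path described in the reply above (this is not the poster's code and not from EXAMPLES.md): verifying the signature and validating the claims of a JWT from a non-Auth0 issuer, with the issuer, audience and JWKS location pinned explicitly rather than inherited from the tenant configuration. The override parameter names (`tokenAlgorithm`, `tokenJwksUri`, `tokenIssuer`, `tokenAudience`, `tokenLeeway`), `Token::ALGO_RS256`, `toArray()` and `InvalidTokenException` are assumed from the v8 API reference; the issuer, audience tag and JWKS URL are placeholders you would replace with your own values.

```php
<?php

declare(strict_types=1);

require 'vendor/autoload.php';

use Auth0\SDK\Configuration\SdkConfiguration;
use Auth0\SDK\Exception\InvalidTokenException;
use Auth0\SDK\Token;

// Placeholders for an external (non-Auth0) issuer; these are assumptions, not values from the thread.
$expectedIssuer   = 'https://YOUR_TEAM.example-issuer.test';
$expectedAudience = 'YOUR_APPLICATION_AUDIENCE';
$jwksUri          = 'https://YOUR_TEAM.example-issuer.test/.well-known/jwks.json';

// Same configuration shape as the EXAMPLES.md snippet; the SDK still needs its own tenant settings.
$configuration = new SdkConfiguration(
    strategy: SdkConfiguration::STRATEGY_API,
    domain: 'YOUR_TENANT.auth0.com',
    clientId: 'YOUR_CLIENT_ID',
    clientSecret: 'YOUR_CLIENT_SECRET',
);

/**
 * Verify the signature and validate the claims of a JWT that was not issued by Auth0.
 * Returns the decoded claims on success, or null if the token must be rejected.
 */
function verifyExternalJwt(SdkConfiguration $configuration, string $jwt, string $issuer, string $audience, string $jwksUri): ?array
{
    try {
        $token = new Token($configuration, $jwt, Token::TYPE_TOKEN);

        // Signature step: require RS256 and fetch the signing keys from the external issuer's
        // JWKS instead of the Auth0 tenant's (parameter names assumed from the v8 API reference).
        $token->verify(tokenAlgorithm: Token::ALGO_RS256, tokenJwksUri: $jwksUri);

        // Claims step: pin issuer and audience so a token minted by another issuer or for another
        // application fails validation; allow 60 seconds of clock skew on exp/iat.
        $token->validate(tokenIssuer: $issuer, tokenAudience: [$audience], tokenLeeway: 60);

        return $token->toArray();
    } catch (InvalidTokenException $e) {
        // Any verification or validation failure means the request is unauthenticated.
        error_log('JWT rejected: ' . $e->getMessage());
        return null;
    }
}

$claims = verifyExternalJwt($configuration, 'PASTE_TOKEN_HERE', $expectedIssuer, $expectedAudience, $jwksUri);
var_dump($claims === null ? 'rejected' : $claims);
```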