Auth0 to validate Cloudflare JWT

Hello!

I’ve been using the auth0 library to validate Cloudflare JWTs. I used this tutorial, but it looks like it’s broken given the move from auth0-php v7 to v8, and I’m wondering if anyone could help me figure out how to update the code.

I wasn’t able to find a replacement for AsymmetricVerifier in v8.

Any suggestions?

Hi @adamevers,

Welcome to the Auth0 Community!

Let me reach out to the maintainer and see if they can help.

cc: @evansims

Hey @adamevers :wave: Thanks for reaching out, and welcome to the Community!

As you noticed, there were some pretty significant changes in the transition between v7 and v8 of the SDK — one of which was transitioning from using the underlying lcobucci/jwt library mentioned in that blog post, to using our own approach for token parsing/validation/verification.

I have not tried applying v8 of the PHP SDK to handling JWTs from Cloudflare specifically, so admittedly your mileage may vary, but, I can’t think of any specific reason why it shouldn’t handle them just fine offhand.

In SDK v8, you can use the Auth0\SDK\Auth0::decode() method to handle parsing, validating and verifying a token in one go. Here’s some example code for this process from the EXAMPLES.md file:

use Auth0\SDK\Auth0;
use Auth0\SDK\Token;
use Auth0\SDK\Configuration\SdkConfiguration;

$configuration = new SdkConfiguration(
    strategy: SdkConfiguration::STRATEGY_API,
    domain: '...',
    clientId: '...',
    clientSecret: '..',
);

$auth0 = new Auth0($configuration);

$token = $auth0->decode(
    token: 'YOUR_ACCESS_TOKEN_HERE',
    tokenType: Token::TYPE_TOKEN, // This tells the SDK to treat the token as an Access Token, rather than ID Token.
    // ... other parameters are available, see the API reference:
    // ... https://auth0.github.io/auth0-PHP/classes/Auth0-SDK-Auth0.html#method_decode
);

print_r($token);

It’s important to note that the SDK will use the information configured from SdkConfiguration in how it handles verifying the token signature and validating its claims. You may need to make overrides to the decode() method parameters for non-Auth0 JWT tokens; I’m not certain, to be honest.

If you need a little more control over the individual steps in your token handling, you can create an SDK Token instance yourself (e.g. $token = new \Auth0\SDK\Token($sdkConfigurationInstance, $accessTokenString, \Auth0\SDK\Token::TYPE_TOKEN)) and then use the $token->verify() and $token->validate() methods on that class from there. Those methods have override parameters that may prove beneficial in handling non-Auth0 JWTs.

Please do let us know how it goes, I’d be curious to hear!

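The Token-class approach from the reply above, worked through for a Cloudflare Access JWT. This is an added example, not code from the thread, the tutorial, or the Auth0 SDK documentation. It assumes the auth0-PHP 8.x Token::verify() and Token::validate() named parameters (tokenAlgorithm, tokenJwksUri, tokenIssuer, tokenAudience), that SdkConfiguration accepts an audience array for STRATEGY_API, and that the team domain, AUD tag and header name are filled in by you. The Cloudflare-specific values it relies on are the well-known ones: tokens are RS256-signed, the issuer is https://<team>.cloudflareaccess.com, the keys are published at /cdn-cgi/access/certs under that domain, the audience is the application's AUD tag, and the token arrives in the Cf-Access-Jwt-Assertion header.

```php
<?php
// Added example (not from the original thread or the Auth0 SDK): validate a Cloudflare
// Access JWT with auth0-PHP v8's Token class using the verify()/validate() overrides.
// Assumptions: 8.x parameter names as written below; placeholder team domain, AUD tag
// and header lookup are yours to replace.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // composer require auth0/auth0-php:^8

use Auth0\SDK\Configuration\SdkConfiguration;
use Auth0\SDK\Exception\InvalidTokenException;
use Auth0\SDK\Token;

/**
 * Verify the signature and validate the claims of a Cloudflare Access JWT.
 *
 * @param string $jwt        Raw JWT from the Cf-Access-Jwt-Assertion header.
 * @param string $teamDomain Cloudflare Access team domain, e.g. "example.cloudflareaccess.com".
 * @param string $audTag     Application Audience (AUD) tag of the protected application.
 * @return array<string, mixed> Decoded claims, only returned after both checks pass.
 * @throws InvalidTokenException on a bad signature, wrong issuer/audience, or expiry.
 */
function validateCloudflareAccessJwt(string $jwt, string $teamDomain, string $audTag): array
{
    // Cloudflare publishes its signing keys at /cdn-cgi/access/certs, not at the
    // /.well-known/jwks.json path the SDK would otherwise derive from "domain".
    $issuer  = 'https://' . $teamDomain;
    $jwksUri = $issuer . '/cdn-cgi/access/certs';

    $configuration = new SdkConfiguration(
        strategy: SdkConfiguration::STRATEGY_API,
        domain: $teamDomain,
        audience: [$audTag], // assumption: API strategy accepts/requires an audience list
    );

    // TYPE_TOKEN: treat it as an access token, so ID-token-only rules (nonce, azp,
    // auth_time) are not applied to a token that never carries them.
    $token = new Token($configuration, $jwt, Token::TYPE_TOKEN);

    // Step 1: signature. Pin the algorithm so an attacker-controlled "alg" header cannot
    // steer verification, and point the SDK at Cloudflare's JWKS endpoint.
    $token->verify(
        tokenAlgorithm: 'RS256',
        tokenJwksUri: $jwksUri,
    );

    // Step 2: claims. "iss" must be the team domain and "aud" must contain the AUD tag;
    // "exp" is checked against the current time with the SDK's default leeway.
    $token->validate(
        tokenIssuer: $issuer,
        tokenAudience: [$audTag],
    );

    return $token->toArray();
}

// Request-handler usage: Cloudflare forwards the JWT in this header (and in the
// CF_Authorization cookie). An absent header yields an empty string, which verify() rejects.
$jwt = $_SERVER['HTTP_CF_ACCESS_JWT_ASSERTION'] ?? '';

try {
    $claims = validateCloudflareAccessJwt(
        $jwt,
        'YOUR_TEAM.cloudflareaccess.com', // placeholder
        'YOUR_APPLICATION_AUD_TAG',       // placeholder
    );
    // Only after both steps succeed are identity claims such as "email" (user logins)
    // or "common_name" (service tokens) safe to act on.
    $subject = $claims['email'] ?? $claims['common_name'] ?? 'unknown';
    echo 'Authenticated: ' . $subject . PHP_EOL;
} catch (InvalidTokenException $e) {
    http_response_code(401);
    echo 'Rejected Cloudflare Access token: ' . $e->getMessage() . PHP_EOL;
}
```

Two points worth checking when adapting this. First, the tokenJwksUri override is the part that makes a non-Auth0 issuer work at all: with domain set to the team domain and no override, the SDK would look for keys at a .well-known path Cloudflare does not serve and fail on every token. Second, verify() fetches the JWKS on each call unless a PSR-6 cache is supplied (SdkConfiguration's tokenCache/tokenCacheTtl or the matching verify() parameters), so configure one before putting this in a hot path.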