Auth0 Home Blog Docs

Can I do an authorization code grant flow in Laravel?



I’m building a prototype to simulate what it would look like to convert a couple of our applications to using Auth0, so we can take advantage of single sign-on. I was able to get a Spring Boot API integrated and secured without any problem. Now, however, I’m having trouble with a Laravel web application that uses that API (disclaimer: I am not a PHP developer).

By following the tutorials and other documentation, I’ve gotten the application to the point that I can authenticate using an Auth0 hosted page, the user is created, and the token is stored. However, the access token I receive cannot be used with the Spring API. When I include it in the Authorization header, it just returns a ‘401’. I gather from other questions that what I’m getting is a simple “opaque” token, but I need a JWT that is linked to the API, possibly from an “Authorization Code Grant”?

Here is my configuration and code:

// laravel-auth0.php
$auth0Config = array(
    'domain'        => '',
    'client_id'     => 'xxxxxxx',
    'client_secret' => 'xxxxxxx',
    'redirect_uri'  => 'http://localhost:8000/auth0/callback',
    'persist_user' => true,
    'persist_access_token' => true,
    'persist_id_token' => true,
    'authorized_issuers'  =>  '' ],
    'api_identifier'  => '',
    // 'secret_base64_encoded'  => true,
    'suported_algs'        => 'RS256'],
return $auth0Config;

The value for api_identifier is the unique ID for the API I’m trying to use. That’s the “audience” I keep reading about, right?

Here is the code to redirect the user to Auth0…

// routes/web.php
// Auth0 login
Route::get('/auth0', function() {
    return Auth0::login(null, null, 'scope' => 'openid profile email customer:read customer:edit enrollment-code:validate'], 'code');
// Auth0 callback
Route::get('/auth0/callback', '\Auth0\Login\Auth0Controller@callback')

And then using the access token…

// service to inject the access token in API requests
    public function fetchProfile()
        $response = $this->http->get(
                'Authorization' => $this->getAuthorizationHeader()
        $profileResp = json_decode($response->getBody(), true);
        return $profileResp;

    private function getAuthorizationHeader()
        // If we're authenticated, then populate an Authorization header with
        // the user's token
        if (Auth::check()) {
            $token = Auth0::getAccessToken();
            $header = 'Bearer ' . $token;
            Log::debug('Set bearer token ' . $token);
            return $header;
        else {
            throw new \Exception('Not Authenticated.');

The access token I’m getting back looks like: KjAiQ3INu6K6KQkycdH2VeSKr_fWKvTc.

Can anyone point me in the right direction to get the web app and the API integrated?