I’m building a prototype to simulate what it would look like to convert a couple of our applications to using Auth0, so we can take advantage of single sign-on. I was able to get a Spring Boot API integrated and secured without any problem. Now, however, I’m having trouble with a Laravel web application that uses that API (disclaimer: I am not a PHP developer).
By following the tutorials and other documentation, I’ve gotten the application to the point that I can authenticate using an Auth0 hosted page, the user is created, and the token is stored. However, the access token I receive cannot be used with the Spring API. When I include it in the Authorization header, it just returns a ‘401’. I gather from other questions that what I’m getting is a simple “opaque” token, but I need a JWT that is linked to the API, possibly from an “Authorization Code Grant”?
Here is my configuration and code:
<?php
// config/laravel-auth0.php
$auth0Config = [
    'domain'               => 'cyberscouttest.auth0.com',
    'client_id'            => 'xxxxxxx',
    'client_secret'        => 'xxxxxxx',
    'redirect_uri'         => 'http://localhost:8000/auth0/callback',
    'persist_user'         => true,
    'persist_access_token' => true,
    'persist_id_token'     => true,
    // list of issuers whose tokens are accepted (trailing slash included)
    'authorized_issuers'   => ['https://cyberscouttest.auth0.com/'],
    // identifier of the API as registered in the Auth0 dashboard
    'api_identifier'       => 'https://imp-api.prototype.notaneye.com/',
    // 'secret_base64_encoded' => true,
    // key is 'supported_algs' and takes an array of algorithm names
    'supported_algs'       => ['RS256'],
];
return $auth0Config;
The value for api_identifier is the unique ID for the API I’m trying to use. That’s the “audience” I keep reading about, right?
Here is the code to redirect the user to Auth0…
<?php
// routes/web.php
Auth::routes();

// Auth0 login: redirect the browser to the Auth0 hosted login page
Route::get('/auth0', function () {
    // third argument is an array of extra parameters for the /authorize request
    return Auth0::login(null, null, [
        'scope' => 'openid profile email customer:read customer:edit enrollment-code:validate',
    ], 'code');
})->name('auth0');

// Auth0 callback: the plugin exchanges the code for tokens and logs the user in
Route::get('/auth0/callback', '\Auth0\Login\Auth0Controller@callback')
    ->name('auth0Callback');
And then using the access token…
<?php
// service to inject the access token in API requests
// (only the two relevant methods of the service class are shown)

use Auth0\Login\Facade\Auth0;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

public function fetchProfile()
{
    // $this->http is assumed to be a Guzzle client, so request headers
    // go under the 'headers' request option
    $response = $this->http->get('/profile', [
        'headers' => [
            'Authorization' => $this->getAuthorizationHeader(),
        ],
    ]);
    $profileResp = json_decode($response->getBody(), true);
    return $profileResp;
}

private function getAuthorizationHeader()
{
    // If we're authenticated, then populate an Authorization header with
    // the user's token
    if (Auth::check()) {
        $token = Auth0::getAccessToken();
        $header = 'Bearer ' . $token;
        // Debug only: a bearer token in the log file is a live credential,
        // so remove this outside a throwaway prototype
        Log::debug('Set bearer token ' . $token);
        return $header;
    } else {
        throw new \Exception('Not Authenticated.');
    }
}
The access token I’m getting back looks like: KjAiQ3INu6K6KQkycdH2VeSKr_fWKvTc.
Can anyone point me in the right direction to get the web app and the API integrated?
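The following is an added example and is not part of the original post or of the auth0/login plugin. It shows the two things a practitioner would check here: the login redirect passing an explicit `audience` so that Auth0 issues a JWT access token for the API rather than an opaque token, and a small inspection helper (`describeAccessToken`, a name chosen for this example) that tells the two token kinds apart and reads the `aud` claim. It assumes the plugin's `Auth0::login()` forwards its extra-parameters array to the /authorize request, and that `config('laravel-auth0.api_identifier')` holds the value shown in the post's config.

```php
<?php
// Added example, not code from the original post or the auth0/login plugin.
// Assumes: Auth0::login() forwards the extra-params array to /authorize,
// and config/laravel-auth0.php defines 'api_identifier' as in the post.

use Auth0\Login\Facade\Auth0;
use Illuminate\Support\Facades\Route;

// routes/web.php: name the API as the audience of the authorization request.
// Without 'audience', Auth0 returns an opaque token that is only usable
// against its own /userinfo endpoint, and a resource server that expects a
// JWT for its identifier will reject it with 401.
Route::get('/auth0', function () {
    return Auth0::login(null, null, [
        'audience' => config('laravel-auth0.api_identifier'),
        'scope'    => 'openid profile email customer:read customer:edit enrollment-code:validate',
    ], 'code');
})->name('auth0');

/**
 * Classify an access token and check its audience. A JWT is three
 * base64url segments separated by dots; an opaque token has no dots.
 * This reads the claims only and does NOT verify the signature; the
 * resource server (here the Spring API) must still validate the token.
 *
 * Hypothetical helper written for this example.
 */
function describeAccessToken(string $token, string $expectedAudience): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return ['type' => 'opaque', 'alg' => null, 'audience_ok' => false, 'claims' => null];
    }

    // base64url -> base64; PHP's non-strict base64_decode tolerates missing padding
    $decode = function (string $segment) {
        return json_decode(base64_decode(strtr($segment, '-_', '+/')), true);
    };
    $header = $decode($parts[0]) ?? [];
    $claims = $decode($parts[1]) ?? [];

    // 'aud' is a string for a single audience or an array when several are
    // present (e.g. the API identifier plus the /userinfo endpoint)
    $audiences = (array) ($claims['aud'] ?? []);

    return [
        'type'        => 'jwt',
        'alg'         => $header['alg'] ?? null,
        'audience_ok' => in_array($expectedAudience, $audiences, true),
        'claims'      => $claims,
    ];
}

// Constructed sample inputs for illustration: the opaque-looking token from
// the post, and an unsigned JWT-shaped token built here to show the JWT path.
$opaque = 'KjAiQ3INu6K6KQkycdH2VeSKr_fWKvTc';
$b64url = fn (string $s) => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$sampleJwt = $b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.'
    . $b64url(json_encode([
        'iss' => 'https://cyberscouttest.auth0.com/',
        'aud' => ['https://imp-api.prototype.notaneye.com/', 'https://cyberscouttest.auth0.com/userinfo'],
        'scope' => 'openid profile email customer:read',
    ])) . '.' . $b64url('not-a-real-signature');

$api = 'https://imp-api.prototype.notaneye.com/';
var_dump(describeAccessToken($opaque, $api)['type']);         // "opaque"
var_dump(describeAccessToken($sampleJwt, $api)['type']);      // "jwt"
var_dump(describeAccessToken($sampleJwt, $api)['audience_ok']); // true
```

Two caveats when wiring this up: the `audience` value must match the API identifier exactly as registered in the Auth0 dashboard, trailing slash included, and the Spring resource server must be configured to expect that same string as the audience it validates. If the token still has no dots after adding `audience`, the helper's `opaque` result is the quickest signal that the parameter did not reach the /authorize request.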