Combine Universal login and Authentication API login - PHP SDK

I am rebuilding a checkout flow. Earlier the user was sent to the Universal Login in order to create their login credentials during the checkout. But now the user fills in email and password in the checkout form.

I create the user in Auth0 with the Management API and then login the user with the Authentication API after a checkout is complete. In order to make the flow as easy as possible for the user.

If the user logs out, they login again using the Universal Login.

The issue I get is that the PHP SDK method $auth0->getUser() gets different data depending on if the user has logged in via Universal login or if they were logged in via Auth API.

This leads to an issue that the user can’t automatically login (if a cookie expires or is removed) without entering email and password again if I send them to the Universal login if they were logged in via the Auth API. I guess is due to the fact that the user logged in via Auth API are missing some important data in the user object.

This is the code I run to login the user via Auth API and saving it using PHP SDK:

$auth0 = new Auth0([
    'domain'        => AUTH_DOMAIN,
    'client_id'     => AUTH_CLIENT_ID,
    'client_secret' => AUTH_CLIENT_SECRET,
    'redirect_uri'  => AUTH_CALLBACK,

$auth_api = new Authentication(AUTH_DOMAIN, AUTH_CLIENT_ID, AUTH_CLIENT_SECRET);

$response = $auth_api->login([
    'username' => $email,
    'password' => $password,
    'realm' => 'Username-Password-Authentication',

$user = $auth_api->userinfo($response['access_token']);


// This method returns the different objects in attached screenshot

See attached image. Left is user logged in via Univeral Login, right is via Auth API.

Hi @dick.tornfeldt,

Thanks for your question!

It looks like you’re using an old version of the PHP SDK, as that configuration syntax has not been supported in a few years — be sure to update!

The difference you see here is that those additional values are part of the ID Token retrieved from Auth0 during the authentication flow — they are not part of the user profile or metadata as retrieved from the /userinfo endpoint or the Management API. They’re unique to the scope of the authentication process and differ with each login. Attempting to set up authentication state with the SDK in this manner won’t work.


Thanks for your answer, makes sense!

We are planning to update the SDK asap, but you know, as long as it works it’s hard to get time for work like this :slight_smile: … Just to be clear, it’s not like our current integration will stop working any day soon right?

Best regards

1 Like

Thanks for helping on this one @evansims !

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.