Implementation review

Please include the following information in your post:

  • Which SDK this is regarding: auth0-php
  • SDK Version: 7.9.1
  • Platform Version: PHP 8
  • Code Snippets/Error Messages/Supporting Details/Screenshots:

Hi all,

I’m using Auth0 in my Laravel application. To date I’ve been using the auth0-laravel package which has worked alright, but there are some unresolved errors that I haven’t been able to troubleshoot. I also haven’t been a fan of the implementation, mostly because it was worked into an existing application. When a user logs in, Auth0 passes me back an EmployeeID which I have in a database. All I really need to do is try and look up that user and if they exist log them in, and if they don’t then authentication failed.

I’ve gone ahead and made a branch that directly uses the auth0-php SDK instead of auth0-laravel. It’s working, but I’m just looking to get some extra eyes on it to make sure I’m not blatantly missing anything and that there aren’t any security concerns with my implementation.

Hope that’s alright, thanks!

Bumping this one back up, hoping to get some input, thanks!

Hey @stanley :wave: Good stuff, I think this looks solid! Offhand, I don’t see any issues, and it looks like all the essentials are covered. Please let us know how this works out for you in your application!

2 Likes

Thanks Evan for helping on this one!

1 Like

Thanks @evansims

One thing I’m curious about and can’t quite figure out: is it necessary to call $auth0->logout() to log the user out? When someone logs out of our application we want to make sure they’re forced to log back in again, since the application is used from shared devices. I wasn’t sure if calling auth()->logout() and redirecting to the logout URL was sufficient, or if I should be calling $auth0->logout() as well.

Thanks!

Hey @stanley :wave: In this case I think you’ll want to do as you have proposed; each call will handle a different aspect of clearing out the user session. $auth0->logout() will call this portion of the SDK code which handles clearing out the local session state, and redirecting to the logout endpoint ensures the session is cleared on Auth0’s end.

1 Like
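The two-part logout described in the reply above, as an added example (not the poster's code and not part of the Auth0 SDK): a Laravel controller that ends the local Laravel session, clears the SDK's stored state, and then redirects the browser to Auth0's /v2/logout endpoint so the Auth0-side session is cleared too. The injected `Auth0` instance (SDK 7.x), the `auth0.domain` / `auth0.client_id` config keys and the `login` route name are assumptions.

```php
<?php
// Added example, not from the thread or the Auth0 SDK. Assumes an Auth0\SDK\Auth0
// (7.x) instance is bound in the container, config keys auth0.domain and
// auth0.client_id exist, and a named route 'login' exists.
namespace App\Http\Controllers;

use Auth0\SDK\Auth0;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LogoutController extends Controller
{
    public function __construct(private Auth0 $auth0) {}

    public function __invoke(Request $request): RedirectResponse
    {
        // 1. End the application's own session: forget the Laravel user,
        //    invalidate the session store and rotate the CSRF token so the
        //    next person on the same shared device inherits nothing.
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        // 2. Clear the SDK's locally persisted state (tokens, user profile).
        $this->auth0->logout();

        // 3. Send the browser to Auth0's logout endpoint so the session on
        //    Auth0's side is cleared as well; without this step a later
        //    /authorize request from this browser may be silently re-authenticated
        //    through the still-valid Auth0 SSO session.
        //    returnTo must be listed in the application's "Allowed Logout URLs".
        $logoutUrl = 'https://' . config('auth0.domain') . '/v2/logout?' . http_build_query([
            'client_id' => config('auth0.client_id'),
            'returnTo'  => route('login'),
        ]);

        return redirect()->away($logoutUrl);
    }
}
```

Verify the result from a fresh tab: after the redirect, hitting a protected route should land on the Auth0 login prompt rather than being signed straight back in.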