I’m using Auth0 in my Laravel application. To date I’ve been using the auth0-laravel package which has worked alright, but there are some unresolved errors that I haven’t been able to troubleshoot. I also haven’t been a fan of the implementation, mostly because it was worked into an existing application. When a user logs in, Auth0 passes me back an EmployeeID which I have in a database. All I really need to do is try and look up that user and if they exist log them in, and if they don’t then authentication failed.
I’ve gone ahead and made a branch that directly uses the auth0-php SDK instead of auth0-laravel. It’s working, but I’m just looking to get some extra eyes on it to make sure I’m not blatantly missing anything and that there aren’t any security concerns with my implementation.
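The lookup-or-fail flow described above (Auth0 hands back an EmployeeID, the app logs in only a user that already exists) as an added example; this is not the poster's branch and not code from the auth0-php project. It assumes the v7-style SDK API in which `$auth0->getUser()` performs the code exchange and ID-token verification when a `code` parameter is present (on newer SDK versions call `$auth0->exchange()` first), a `User` model with an `employee_id` column, and that the EmployeeID arrives as a namespaced custom claim under the hypothetical key `https://example.com/employee_id`.

```php
<?php
// Added example, not the poster's code. Assumed: v7-style auth0-php SDK where
// getUser() triggers the exchange; App\Models\User with an employee_id column;
// the EmployeeID claim key below is a hypothetical namespaced custom claim.

namespace App\Http\Controllers;

use App\Models\User;
use Auth0\SDK\Auth0;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class Auth0CallbackController extends Controller
{
    // Assumed claim key; Auth0 requires custom claims to be namespaced URIs.
    private const EMPLOYEE_CLAIM = 'https://example.com/employee_id';

    public function __invoke(Request $request, Auth0 $auth0)
    {
        // Fail closed on an Auth0-side error (e.g. access_denied) instead of
        // falling through to a lookup with no claims at all.
        if ($request->filled('error')) {
            abort(401, 'Authentication failed');
        }

        // Exchanges the authorization code and verifies the ID token inside
        // the SDK; returns the decoded claims (or null if nothing to exchange).
        $claims = $auth0->getUser();

        $employeeId = $claims[self::EMPLOYEE_CLAIM] ?? null;
        if ($employeeId === null) {
            abort(401, 'Authentication failed');
        }

        // Exact-match lookup, and no user is created on a miss: an unknown
        // EmployeeID is an authentication failure, as the poster describes.
        $user = User::where('employee_id', (string) $employeeId)->first();
        if ($user === null) {
            abort(401, 'Authentication failed');
        }

        Auth::login($user);
        // Rotate the session ID after the privilege change (session fixation).
        $request->session()->regenerate();

        return redirect()->intended('/');
    }
}
```

Register this controller on the route Auth0 redirects to after login (the tenant's "Allowed Callback URLs" entry). The two `abort(401)` branches deliberately return the same message so a caller cannot tell "claim missing" from "employee not found".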
Hey @stanley, good stuff! I think this looks solid. Offhand, I don’t see any issues, and it looks like all the essentials are covered. Please let us know how this works out for you in your application!
One thing I’m curious about and I can’t quite figure out: is it necessary to call $auth0->logout() to log the user out? When someone logs out of our application, we want to make sure they’re forced to log back in again, since the application is used from shared devices. I wasn’t sure if calling auth()->logout() and redirecting to the logout URL was sufficient, or if I should be calling $auth0->logout() as well.
Hey @stanley, in this case I think you’ll want to do as you have proposed; each call will handle a different aspect of clearing out the user session. $auth0->logout() will call this portion of the SDK code, which handles clearing out the local session state, and redirecting to the logout endpoint ensures the session is cleared on Auth0’s end.
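The three-part logout the reply describes, written out as an added Laravel example (not the poster's branch and not auth0-php project code): the Laravel guard and session are cleared, `$auth0->logout()` clears the SDK's local state, and a redirect to the tenant's `/v2/logout` endpoint ends the Auth0-side session so the next person at a shared device is not silently re-authenticated. It assumes `$auth0->logout()` only clears local state (as the thread states), and the config keys `auth0.domain`, `auth0.client_id` and `auth0.logout_return_to` are hypothetical names; `/v2/logout` with its `client_id` and `returnTo` parameters is Auth0's documented logout endpoint.

```php
<?php
// Added example, not the poster's code. Assumed: $auth0->logout() clears only
// local SDK state; the auth0.* config keys below are hypothetical names.

namespace App\Http\Controllers;

use Auth0\SDK\Auth0;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LogoutController extends Controller
{
    public function __invoke(Request $request, Auth0 $auth0)
    {
        // 1. Laravel: forget the user, destroy the session data, rotate the
        //    CSRF token so the old one is useless to the next device user.
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        // 2. SDK: drop the user profile and tokens auth0-php cached locally.
        $auth0->logout();

        // 3. Auth0: end the tenant-side session. Without this step, a fresh
        //    /authorize request from the same browser can complete without
        //    prompting, which defeats the shared-device requirement.
        //    returnTo must be listed in the tenant's "Allowed Logout URLs".
        $logoutUrl = sprintf(
            'https://%s/v2/logout?%s',
            config('auth0.domain'),
            http_build_query([
                'client_id' => config('auth0.client_id'),
                'returnTo'  => config('auth0.logout_return_to'),
            ])
        );

        return redirect()->away($logoutUrl);
    }
}
```

Expose this on a POST route behind Laravel's `web` middleware group (which includes CSRF verification) rather than a GET link, so a third-party page cannot log users out of the application. Step 3 is the one that actually satisfies "forced to log back in": steps 1 and 2 only forget the user on the application side.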