Laravel 9 / Auth0 SDK 7 - need 2 auth guards for web vs API paths

toby5box · January 13, 2023, 5:39pm

We use both web app auth (session) for admin and stateless (jwt) for our API

– got this working with considerable effort with Laravel 8 + Auth0 SDK v6

– we are trying to update to Laravel 9 and Auth0 SDK v7

– I have web auth (session) working but only using the default user provider implementation (Auth0 user entity)

– we need to identify users against our own local tables in both scenarios

Taking the fairly obvious approach, our auth.php has this:

'guards' => [
  'admin' => [
    'driver' => 'auth0',
    'provider' => 'admins'
  ],
  'api' => [
    'driver' => 'auth0',
    'provider' => 'users'
  ]
],


'providers' => [
  'admins' => [
    'driver' => 'auth0',
    'model' => App\Providers\AdminUserProvider::class
  ],
  'users' => [ ... ],
],

I have a stub AdminUserProvider implementation that just does logging. It wasn’t used in our Laravel 8 Auth0 integration.

It looks like it is not being called by Auth0 in this configuration which leaves me wondering how we can customise user provider which is important to our need for two distinct authentication paths (which start with Auth0 authentication).

toby5box · January 13, 2023, 5:44pm

I found this page, which might have the clue.

github.com

auth0/laravel-auth0/blob/main/EXAMPLES.md#creating-a-custom-user-model

# Examples using laravel-auth0

- [Custom user models and repositories](#custom-user-models-and-repositories)
- [Authorizing HTTP tests](#authorizing-http-tests)

## Custom user models and repositories

In Laravel, a User Repository is an interface that sits between your authentication source (Auth0) and core Laravel authentication services. It allows you to shape and manipulate the user model and it's data as you need to.

For example, Auth0's unique identifier is a `string` in the format `auth0|123456abcdef`. If you were to attempt to persist a user to many traditional databases you'd likely encounter an error as, by default, a unique identifier is often exected to be an `integer` rather than a `string` type. A custom user model and repository is a great way to address integration challenges like this.

### Creating a custom user model

Let's setup a custom user model for our application. To do this, let's create a file at `app/Auth/Models/User.php` within our Laravel project. This new class needs to implement the `Illuminate\Contracts\Auth\Authenticatable` interface to be compatible with Laravel's Guard API and this SDK. It must also implement either `Auth0\Laravel\Contract\Model\Stateful\User` or `Auth0\Laravel\Contract\Model\Stateless\User` depending on your application's needs. For example:

```php
<?php

declare(strict_types=1);

This file has been truncated. show original

Checking.

toby5box · January 14, 2023, 12:59am

Unfortunately I can’t get Auth0 to use my CustomUserProvider.

Config:

'defaults' => [
    'guard' => 'auth0' 
],

'guards' => [
  'auth0' => [
    'driver' => 'auth0',
    'provider' => 'auth0'
  ]
],

'providers' => [
  'auth0' => [
    'driver' => 'auth0',
    'model' => App\Auth\CustomUserRepository::class
  ],
],


namespace App\Auth;

use App\Models\Admin;
use App\Models\User;

use Illuminate\Contracts\Auth\Authenticatable;

class CustomUserRepository implements \Auth0\Laravel\Contract\Auth\User\Repository
{
  /**
   * Generate a \Auth0\Laravel\Model\Stateful\User instance from an available Auth0-PHP user session.
   *
   * @param  array  $user  an array containing the raw Auth0 user data
   */
  public function fromSession(array $user): ?Authenticatable {
    return Admin::whereEmail($user['email'])->first();
  }

  /**
   * Generate a \Auth0\Laravel\Model\Stateful\User instance from a parsed Access Token.
   *
   * @param  array  $user  an array containing the raw Auth0 user data
   */
  public function fromAccessToken(array $user): ?Authenticatable {
    return User::whereEmail($user['email'])->first();
  }
}

Auth0 does not invoke this class.

Models:


namespace App\Models;

use Illuminate\Database\Eloquent\Factories\HasFactory;

use Auth0\Laravel\Contract\Model\Stateful\User as StatefulUser;
use Illuminate\Auth\Authenticatable;
use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableUser;

class Admin implements StatefulUser, AuthenticatableUser
{
    use HasFactory, Authenticatable;
    ...


namespace App\Models;

use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Relations\HasMany;
use Illuminate\Notifications\Notifiable;

use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Database\Eloquent\SoftDeletes;

use Auth0\Laravel\Contract\Model\Stateless\User as StatelessUser;
use Illuminate\Auth\Authenticatable;
use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableUser;

class User implements StatelessUser, AuthenticatableUser
{
	use HasFactory, Notifiable, SoftDeletes, Authenticatable;

    ...

toby5box · January 14, 2023, 6:26pm

We have abandoned the Auth0 sdk update and in consequence we have abandoned the Laravel 9 update.

I believe this example is non functional: laravel-auth0/EXAMPLES.md at main · auth0/laravel-auth0 · GitHub - in addition there are some minor errors in it.

I might have more confidence if it were expanded into a complete, tested application example.

konrad.sopala · January 16, 2023, 7:39am

Hey there!

So sorry for the inconvenience! Will try to get the help from the SDK maintainers. I’m gonna contact you shortly!

toby5box · January 20, 2023, 5:35pm

Evan at Auth0 spotted the problem.

The provider class key should be repository not model; the old key was left over from previous config and our testing with multiple user models before we found Evan’s CustomUserRepository example.

In auth.php the config should look like this:

    'providers' => [
      'auth0' => [
        'driver' => 'auth0',
        'repository' => App\Auth\CustomUserRepository::class
      ],
    ],

Thankyou Evan!

konrad.sopala · January 25, 2023, 5:42am

Thanks for sharing it with the rest of community!

system · February 8, 2023, 5:42am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.