On the frontend I use React.
My settings are:
- Permissions of Admin role
- User who has Admin role
- Permissions of the user
- API settings
In React, in the main component (the whole app is protected), I have:
import { renewSession } from 'components/Auth';

componentDidMount() {
    // Check session on server, if there is no active session then redirect to login page
    // Code is from your 05-Token-Renewal
    renewSession(this.props.dispatch);
}
Auth.js:
import auth0 from 'auth0-js';
import jwt_decode from 'jwt-decode';

const _auth0connection = new auth0.WebAuth({
    domain: AUTH_CONFIG.domain,
    clientID: AUTH_CONFIG.clientID,
    redirectUri: AUTH_CONFIG.callbackUrl,
    responseType: 'token id_token',
    audience: `audience id`,
    scope: 'permissions role openid profile'
});

// Exported so the main component can import it; `dispatch` is the redux dispatch it passes in
export const renewSession = (dispatch) => {
    _auth0connection.checkSession({}, (err, authResult) => {
        if (authResult && authResult.accessToken && authResult.idToken) {
            _setSession(authResult, dispatch);
        } else if (err) {
            console.log(err, "error");
            login(); // which is _auth0connection.authorize()
        }
    });
};

// Takes `dispatch` as a second argument, since renewSession passes it in
const _setSession = (authResult, dispatch) => {
    const authInfo = {
        clientId: authResult.idTokenPayload.sub,
        expiresAt: authResult.expiresAt,
        accessToken: authResult.accessToken,
        state: authResult.state,
        idTokenPayload: {
            issuedAt: authResult.idTokenPayload.iat,
            expireAt: authResult.idTokenPayload.exp,
            updatedAt: authResult.idTokenPayload.updatedAt,
            name: authResult.idTokenPayload.name,
            nickname: authResult.idTokenPayload.nickname,
            picture: authResult.idTokenPayload.picture,
        },
        // jwt_decode only decodes the payload, it does not verify the signature
        permissions: jwt_decode(authResult.accessToken).permissions
    };
    // Set timer to redux store which calls renewSession again after the calculated time has passed
    // ((authResult.expiresIn * 1000) + new Date().getTime())
    _scheduleRenewal();
    // Dispatch action, set data to redux store
    dispatch(setAuthStore(authInfo));
};
After that, I have the access token in store.auth.user.accessToken.
Then I copy the access token from the redux store and, using Postman, send my request to my backend API made with Laravel (I've downloaded the configured sample from here - Auth0 Laravel API SDK Quickstarts: Authorization).
My route in Laravel api.php:
use Illuminate\Http\Request;

Route::get('/test', function (Request $request) {
    return response()->json([
        "message" => "Its working. Laravel."
    ]);
})->middleware('check.scope:test:test');
As I understand it, when I make a request in Postman, Laravel should check the received access token on the Auth0 server, and if the user has the permission 'test:test' it should accept the request and return "Its working. Laravel."
But something is not working… Or it's just that I didn't understand something.