
Laravel auth0 Invalid authorization code



I’m very new to Auth0 and authentication, and I have been facing a problem for two days with authenticating a user to our API. How I understand getting an access token is:

  1. A user clicks on a sign-in button in our app.
  2. The user is redirected to the Auth0 hosted login screen.
  3. When the user has correctly signed in with any social platform or registered account, the user is redirected to my callback URL.
  4. When the user is on the callback URL, the user receives an access token.

Please correct me if I'm wrong. Now I'm left with a few questions.

I'm using Laravel with Auth0 and used the example files from the page: Auth0 Laravel quickstart. So the login is working, but when I var_dump the user, I get all the user’s info but my accessToken is null.

But when I save the accessToken in a session on the callback URL, the accessToken looks like this: tha63vkb0nnbr6vc. Isn't the length way too short for an access token? I don’t understand why I get null when I dump the user, but on the callback URL it shows a short string.

Maybe I got it totally wrong and this isn't the access token to use for my API. On another note, when I try to receive a token with Postman I get an error: "error_description": "Invalid authorization code". My Postman request looks like this:

The code value I've sent is Crk_ri8mKcKX7IcX (the red-bordered string in the image).

The code value is the code parameter I took from the redirect URL. And my redirect URL looks like this: Is this the right way to do it? I did exactly what was indicated in the Auth0 Authorization Code API at the Auth0 authorization token API, but it still doesn't work.

Maybe I get this error because the user already authorized, so I can't do it twice, but if so, why is my access token so short and why doesn't it work?

I’m very new to this, so please excuse me if I got it all wrong. Also, my post is maybe too long to put my code in here, but my code is exactly the same as the aforementioned Auth0 Laravel quickstart example.

I would really appreciate it if someone can help me; I've been struggling for 2 days now.

Thanks a lot for taking your time and reading my post!!


The high-level description that you included in the initial part of your post regarding the overall process is correct, and at most it may just miss some detail. In relation to your questions, let's take them one by one, starting with the easiest ones.

The authorization code is meant to be used only once, so if you try to exchange it again through Postman after the application itself has already used it, then the error you’re obtaining is expected.

The access token you’re receiving, based on its length and the fact that it’s an opaque string, means that the access token is suitable to call the /userinfo endpoint. Given this endpoint is under the control of Auth0, the same entity that issued the access token, it’s okay to use an opaque access token instead of a format that allows self-contained validation, like for example a JWT.

However, you seem to want an access token to call your own API. In this situation, since the entity that issues the token is not the same as the one that consumes it, using a self-contained format may be easier, and at this time the access tokens issued to your own APIs will be a JWT. Given you’re not receiving a JWT access token, it’s highly likely that when you performed the request you did not express your intentions correctly, so that Auth0 knew to issue an access token for your own API.

The way you indicate to Auth0 that the issued access token should be issued for one of your configured APIs is through the use of the audience parameter. You need to include this parameter in the original request or configure a default audience in your account's advanced settings; providing the parameter in the request may be the best option, as it allows you more control over which requests specify it.

From a quick look at the code associated with the sample quickstart you linked, there’s an AUTH0_AUDIENCE configuration field that suggests it can be used as a means to specify the target audience of the request. If you haven’t used that, it may be a good starting point.

Finally, as for the reason you get a null access token when you var_dump the user, I honestly don’t know; however, I wanted to provide some clarifications for the other points, and given you mention that you can get the access token (although not the one you expect) in a different way, maybe this issue is not blocking.
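As an added illustration (not code from the Laravel quickstart or the Auth0 SDK, and written in Python rather than PHP because the checks are language-agnostic), the following shows the two points of the answer above: passing `audience` on the /authorize request so that a token for your own API is issued, and telling a short opaque /userinfo token apart from a JWT whose `aud` claim names your API. The tenant domain, API identifier and sample JWT are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders; not a real Auth0 tenant or API identifier.
AUTH0_DOMAIN = "example-tenant.auth0.com"
API_AUDIENCE = "https://api.example.com"


def build_authorize_url(client_id, redirect_uri, state, audience=API_AUDIENCE):
    """Authorization Code request. Without `audience`, Auth0 issues an opaque
    token usable only at /userinfo; with it, a JWT minted for your own API."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid profile",
              "state": state, "audience": audience}
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_access_token(token):
    """'jwt' when the token is a JOSE compact serialization with a JSON header
    carrying `alg`; otherwise 'opaque' (short random string, /userinfo only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"


def audience_matches(token, expected_audience=API_AUDIENCE):
    """Diagnostic only: read the unverified `aud` claim to see whether the token
    was minted for your API. A resource server must still verify the signature
    (tenant JWKS), `iss` and `exp` before trusting any claim."""
    if classify_access_token(token) != "jwt":
        return False
    aud = json.loads(_b64url_decode(token.split(".")[1])).get("aud", [])
    return expected_audience in ([aud] if isinstance(aud, str) else aud)


def make_demo_jwt(claims):
    """Constructed sample input with a placeholder signature segment; a real
    Auth0 access token is RS256-signed and must be verified, never built by hand."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"


OPAQUE_TOKEN = "tha63vkb0nnbr6vc"  # the kind of value the question reports
DEMO_API_JWT = make_demo_jwt({"iss": f"https://{AUTH0_DOMAIN}/", "exp": 4102444800,
                              "aud": [API_AUDIENCE, f"https://{AUTH0_DOMAIN}/userinfo"]})
```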


This question is a little stale, but I might be able to shed some light on the null access token.
I have been having very similar issues, but I did find that I needed to set the right configuration options in the laravel-auth0.php file in order to access the token later:

'persist_user' => true,
'persist_access_token' => true,
'persist_id_token' => true,

The second option is the one that persists the token to the user information. You can get at it with Auth0::getAccessToken() or from the user with Auth::user()->getAuthPassword().