Hello,
I have a Laravel web app set up with Auth0 integration, using the laravel-auth0 library. I followed the Quick Start to get a basic login flow working.
Now, however, I need my Laravel app to talk to a back-end API which is also secured with Auth0. I don’t see how to retrieve an access token to use for this. The Auth0Service does expose a getAccessToken() method, but it always returns null.
I stepped through the code and found that the Auth0::exchange() method is being called, but there is no authorization code, so no exchange takes place.
My login code:
    return \App::make('auth0')
        ->login(null, null, ['scope' => 'openid profile email name nickname picture updated_at customer:edit customer:read'], 'code');
The last 2 scopes are for the API I am trying to call. I also have an AUTH0_AUDIENCE entry in my .env file.
I also set the options to persist the tokens to true in the laravel-auth0.php config file:
    'persist_access_token' => true,
    'persist_id_token' => true,
Can anyone tell me what I might have missed? Or if I need to get direct access to the underlying SDK objects, what is the cleanest way to go about doing that? Thanks in advance.
             
Hi @emcintyre.idt911… using the module to talk to an API is something we’ve been discussing internally and in a few places with other customers. Currently, it’s not set up well to do that but we want to get it there.
In the meantime, hopefully I can help you get this figured out. First question: what is talking to the API? Is this a machine-to-machine type thing where the application itself is talking to the API? Or is this a specific user calling the API, like an on-page AJAX call?
             
Thanks for the response, @josh.cunningham. This would be a standard web app, trying to invoke the API, rather than a user directly calling it. Specifically, we have a public Laravel app, talking to a Java-based API.
             
In that case, you’re probably looking for a machine-to-machine (M2M) flow. As long as you can keep the credentials safe for the Laravel app, then you can get a token for your Java API that way. This is the same way you would authenticate for the Management API.
The main thing to note about this is that your Laravel app needs to have Advanced > Grant Types > Client Credentials turned on in Auth0 and the Application authorized for that API. After that, just run the M2M flow and you’ll have what you need.
Since you mentioned login, I assume that the Laravel app would be acting on behalf of a user so the control over what that user can do as it pertains to the Java API would need to happen in Laravel. You can also restrict what scopes the Laravel app can get so the Java API is careful about what it hands back.
Let me know if you have any questions about this!
             
Thanks for that. I was using the “Regular Web App” flow, because the Laravel app does need to act on behalf of the logged-in user. With the M2M flow, how does that work? How do I attach user information to the token? And what is the advantage of M2M over the Regular Web App flow?
             
M2M just describes the grant/scenario. If you’re calling an API as a web application, then the web application calls as itself using the credentials needed (client ID and password). User data should not be a part of the token since users are not authenticating for that API. If you need to take an action for a user, that info should be included in the API call (POST body or however your API expects it).
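
The approach described in the replies above, as an added example (not code from any poster, from Auth0 or from laravel-auth0): a plain-PHP client that obtains a token with the client credentials grant from the tenant's `/oauth/token` endpoint, reuses it until shortly before it expires, and names the user in the request body rather than in the token. It assumes PHP 8 with the curl extension; the class name, the `user_id` field and the API URL are hypothetical.

```php
<?php
// Added example. Hypothetical names: M2mApiClient, the user_id field, the API URL.
final class M2mApiClient
{
    private ?string $token = null;
    private int $expiresAt = 0;
    public function __construct(
        private string $domain,       // Auth0 tenant domain
        private string $clientId,
        private string $clientSecret, // stays on the server, never sent to the browser
        private string $audience,     // API identifier (the AUTH0_AUDIENCE value)
    ) {}
    /** POST JSON, return the decoded body; throws on transport errors and non-2xx. */
    private function post(string $url, array $body, array $headers = []): array
    {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_POSTFIELDS => json_encode($body),
            CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/json'], $headers),
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT => 10,
        ]);
        $raw = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        if ($raw === false || $status < 200 || $status >= 300) {
            throw new RuntimeException("POST $url failed (HTTP $status)");
        }
        return (array) json_decode($raw, true);
    }
    /** Client credentials grant; the token is reused until 60 s before it expires. */
    public function accessToken(): string
    {
        if ($this->token === null || time() >= $this->expiresAt - 60) {
            $res = $this->post("https://{$this->domain}/oauth/token", [
                'grant_type' => 'client_credentials', 'audience' => $this->audience,
                'client_id' => $this->clientId, 'client_secret' => $this->clientSecret,
            ]);
            $this->token = $res['access_token'] ?? throw new RuntimeException('No access_token');
            $this->expiresAt = time() + (int) ($res['expires_in'] ?? 0);
        }
        return $this->token;
    }
    /** Calls the API as the application; the user is named in the body, not the token. */
    public function postForUser(string $apiUrl, string $userId, array $payload): array
    {
        $body = ['user_id' => $userId] + $payload; // server-chosen ID wins over $payload
        return $this->post($apiUrl, $body, ['Authorization: Bearer ' . $this->accessToken()]);
    }
}
```

The in-memory token cache lasts only for one PHP request, so in a Laravel app the token and its expiry would normally be kept in the application cache. The `$userId` passed to `postForUser()` should come from the authenticated session, not from request input.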