Login with SPA and obtain info with Php

I have a Php site and I am using the SPA example with the Universal Login. All works fine. I can login with email and password or with any configured social network

When a user logs in, I get a code and state via GET. My question is this:

How can I use that code/state in Php so I can obtain user info, update info, or something ?

I’m able to do that with the javascript part, but I want it with Php

Currently, when I get the code/state, I use this code (GitHub - RiskioFr/oauth2-auth0: Auth0 provider for the OAuth 2.0 Client), but it fails with an invalid_grant [error_description] => Invalid authorization code

I’m using this code because the server doesn’t fit the official Php code requirements

I have read Auth0 PHP API SDK Quickstart and also GitHub - auth0/auth0-spa-js: Auth0 authentication for Single Page Applications (SPA) with PKCE but can’t obtain that token, just code/state


Following the step 2 in Call Your API Using the Authorization Code Flow (auth0.com) I got an error: code_verifier is required

The same following this code Authentication API Explorer (auth0.com)

Looks like it’s having something to do with Authorization Code Flow with Proof Key for Code Exchange (PKCE) (auth0.com) but don’t know how to remove that and make it work

Hi @isimental,

Welcome to the Auth0 Community!

The auth code is not meant to be shared between your frontend and backend. That is the purpose of the Access Token. Is there a reason why you aren’t using the AT?

Thanks for your reply

After my last update, I searched and tested a lot of things. As I said, I can’t use the SDK because the server doesn’t fit the requirements, so I was thinking of using the API directly

Changed the login link to https://{DOMAIN}/authorize and then I send the retrieved code to https://{DOMAIN}/oauth/token and now I got the access_token

I have been struggling with composer, SDK, grant types, PKCE, code verifier, audience, management API, machine to machine, native web or SPA, and stuff I don’t remember anymore. Dunno why there are so many options/ways

The next step is to get the user info… seems the grant_type must be client_credentials instead of authorization_code, but then I got an error with audience. Will try in a few hours

Hope there is a sample/doc that uses API directly. I’m working with Php and Curl

Btw, is there a way to combine users? Currently Auth0 creates a different user when signing in with different social networks but the email is in fact the same

Another one… Twitter does provide email - GET account/verify_credentials | Docs | Twitter Developer Platform

Let’s take a step back.

Are you building a SPA? Typically, a PHP app would be more like a Regular Web App.

Why can’t you use an SDK? Most of the things you are struggling with here are not Auth0 concepts, but rather, they are parts of the OAuth2.0/OIDC protocol, which Auth0 didn’t create.

One of the benefits of Auth0 is that you don’t have to have a expert understanding of the protocols to implement them. By not using an SDK, you are mostly negating that benefit.

Also, take a look at User Account Linking.

Yep, it is a Regular Web App, but when I was looking for examples, all pointed to the Php SDK, so I tried the SPA and then it works, the first step

Can’t use the SDK because the server is a little old and has many projects, so can’t upgrade Php to version 8

I don’t mind using Rest/API, I have used Facebook, Messenger, WhatsApp, Slack, Twitter, Paypal, Apple, Amazon, even Oauth directly a few years ago, and many others. This is one of the first times I have, let’s say, issues with some technology

In fact, I can login/signin users via Social media on my own, but my boss says we must use Auth0, mainly to avoid wasting time on updating code every time a social network changes something. Of course, we plan to pay for one of the plans

Sorry if I sound rude, I can’t express myself properly because English is not my native language :sweat_smile:

I’m just looking for help, don’t want somebody to do the work for me. Just a guide on where or what to search

  • Want to login/register - I’m able to do that with /authorize
  • I can obtain the access_token using the /oauth/token
  • Need to obtain name, email, type of login (auth, social)
  • Later, will deal on how to refresh the token and other stuff

I’m thinking about this: If I’m able to login/register a user and get a code/state, why can’t I just simply call some Auth0 API to obtain the info? Why do I need to deal with Oauth?

Thanks for any help :+1:t2:

If you are not using a client side app, I would suggest using this flow: Authorization Code Flow.

Okay, that makes sense.

Don’t worry, you don’t sound rude :smile:

This info is available in the ID token or via the /userinfo endpoint (in exchange for the access token).

The ‘code’ and ‘state’ are parts of the OAuth2/OIDC code flow.
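The flow the last replies point to (Authorization Code Flow for a Regular Web App, then `/userinfo`), sketched with plain PHP and curl. This is an added example, not code from the thread or from Auth0; it assumes PHP 7 with the curl extension, the four constants are placeholders, and `auth0_request` is a hypothetical helper.

```php
<?php
// Placeholder configuration (assumed values, replace with your tenant's).
const AUTH0_DOMAIN  = 'YOUR_TENANT.auth0.com';
const CLIENT_ID     = 'YOUR_CLIENT_ID';
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET'; // stays on the server, never in JS
const CALLBACK_URL  = 'https://app.example.com/callback.php';
// Hypothetical helper: GET, or form-encoded POST when $post is given.
function auth0_request($path, array $headers = [], $post = null) {
    $ch = curl_init('https://' . AUTH0_DOMAIN . $path);
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_HTTPHEADER => $headers]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $data   = json_decode((string) $body, true);
    if ($status !== 200 || !is_array($data)) {
        throw new RuntimeException("Auth0 $path failed with HTTP $status");
    }
    return $data;
}

session_start();
if (!isset($_GET['code'], $_GET['state'])) {
    // 1. Start login: bind a random state to this browser session.
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    $query = http_build_query(['response_type' => 'code', 'client_id' => CLIENT_ID,
        'redirect_uri' => CALLBACK_URL, 'scope' => 'openid profile email',
        'state' => $_SESSION['oauth_state']]);
    header('Location: https://' . AUTH0_DOMAIN . '/authorize?' . $query);
    exit;
}
// 2. Callback: state must match the value issued to this session (login CSRF).
$expected = isset($_SESSION['oauth_state']) ? $_SESSION['oauth_state'] : '';
unset($_SESSION['oauth_state']); // single use
if ($expected === '' || !is_string($_GET['state']) || !hash_equals($expected, $_GET['state'])) {
    http_response_code(400);
    exit('Invalid state');
}
// 3. Exchange the code server-side; the client secret authenticates this app.
$token = auth0_request('/oauth/token', [], ['grant_type' => 'authorization_code',
    'code' => $_GET['code'], 'client_id' => CLIENT_ID,
    'client_secret' => CLIENT_SECRET, 'redirect_uri' => CALLBACK_URL]);
// 4. Fetch the profile (name, email, sub) with the access token.
$user = auth0_request('/userinfo', ['Authorization: Bearer ' . $token['access_token']]);
$loginType = strstr($user['sub'], '|', true); // e.g. "auth0" or "google-oauth2"
session_regenerate_id(true); // new session id once the user is authenticated
```

The token response also carries an `id_token` when the `openid` scope is requested; its signature and claims have to be validated before use, which is why this sketch reads the profile from `/userinfo` instead.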
