Hello, Community!
I am currently in the process of migrating from Keycloak to Auth0 for managing authentication in my closed-source projects. I'm aiming to solve an issue related to this migration, and your insights would be greatly appreciated. Once resolved, updates to the code and instructions will be shared in my open-source project repositories.
- Backend (Laravel): Laravel Template Repo
- Frontend (with Auth0 support): Next.js Starter Template
Project Description:
- I'm building a stateless Laravel API without sessions, consisting of two endpoints: /api/public (for Customers' SPA) and /api/admin (for Operations' SPA).
- I intend to rely on the Auth0 SDK for authentication, foregoing Laravel Passport and other Laravel auth implementations.
- The frontend SPAs and Laravel API are designed as separate, independent projects.
- The frontend users (Customers and Operations) authenticate directly on Auth0 to obtain JWT access tokens.
- The frontend apps retain these access tokens and make requests to the Laravel API.
Customers Flow:
- Customers authenticate on Auth0 via email or social providers. The Auth0 database customers-authentication is used here.
- Upon authentication, the customer obtains a JWT token.
- This token is used for accessing protected Laravel API endpoints.
- Auth0 Guard within Laravel API processes the token, verifying its signature, structure, expiry time, and resource access permission.
- If the token is verified, the Laravel API searches for the user in the database via the auth0_id. If the user doesn’t exist, a new entry is created using the access token data.
- A response is then returned to the frontend application.
Operations Flow:
- Similar to the Customer flow, except Operations users authenticate on Auth0 without registration. Only existing Auth0 dashboard users can be added. The Auth0 database operations-authentication is used, which is separate from customers-authentication. Sign Up is disabled for this database.
Rules:
- Operations users can only log in to the Operations application.
- Customers users can only log in to the Customers application.
Questions:
- How can I tie the Customers Application with the Customers API effectively?
- What’s the best way to link the Operations Application with the Operations API?
- Is it feasible to use the accessToken returned by the frontend (Separate Project) for making requests to my Laravel API?
- As the accessToken doesn’t include data such as email, how can I register users? Two potential options I see are:
- Adding the email to the accessToken before sending it to the backend API application
- Utilizing the Management API to retrieve client details on receiving a request from the frontend, and then creating the user in my Laravel API database
- What’s the recommended way to integrate the Management API and which applications should have access to it?
- How to correctly get API management token on Laravel API side? Can I use api-explorer token for this?
Here is my current Keycloak flow:
Here is how I configured Auth0:
Applications and Databases:
APIs:
I have checked tons of Auth0 examples in various articles and also on GitHub, but none of them shows a full-cycle implementation for a stateless API.
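Editor's note: the following is an added example, not code from the original post or from the author's repositories. It shows the guard logic the Customers Flow above describes for a stateless API: verify the RS256 signature against the tenant's JWKS, check issuer, audience, expiry and the required permission, then find-or-create a local user keyed by the token's `sub` (the auth0_id). It uses the firebase/php-jwt library rather than the Auth0 Laravel SDK, and an in-memory array stands in for the users table. The issuer URL, API identifier, the namespaced email claim name, and the locally generated key pair and token are all assumptions made so the script runs offline; a real deployment fetches and caches `https://<tenant>/.well-known/jwks.json` instead.

```php
<?php
// Added example (not the original post's code). Validates an Auth0-style RS256
// access token the way a stateless API guard would, then finds-or-creates a
// local user by auth0_id. Requires firebase/php-jwt (composer require firebase/php-jwt).
// The key pair, JWKS and token are generated locally so this runs offline.
declare(strict_types=1);

require 'vendor/autoload.php';

use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

// Assumed tenant values; substitute your own.
const ISSUER      = 'https://example.eu.auth0.com/';
const AUDIENCE    = 'https://api.example.com';      // the Auth0 API identifier (aud)
const EMAIL_CLAIM = 'https://example.com/email';    // assumed namespaced claim added by an Auth0 Action

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Build a JWKS document from an RSA public key (stands in for the tenant's jwks.json). */
function jwksFor(OpenSSLAsymmetricKey $key, string $kid): array
{
    $d = openssl_pkey_get_details($key);
    return ['keys' => [[
        'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => $kid,
        'n' => b64url($d['rsa']['n']), 'e' => b64url($d['rsa']['e']),
    ]]];
}

/**
 * Verify signature (key chosen by kid), issuer, audience, expiry
 * (firebase/php-jwt rejects expired or not-yet-valid tokens itself)
 * and one required permission. Returns the claims or throws.
 */
function verifyAccessToken(string $jwt, array $jwks, string $requiredPermission): array
{
    $keys   = JWK::parseKeySet($jwks);           // kid => Key, algorithm taken from the JWK
    $claims = (array) JWT::decode($jwt, $keys);  // throws on bad signature, unknown kid, exp/nbf

    if (($claims['iss'] ?? null) !== ISSUER) {
        throw new RuntimeException('unexpected issuer');
    }
    $aud = (array) ($claims['aud'] ?? []);       // aud may be a string or a list
    if (!in_array(AUDIENCE, $aud, true)) {
        throw new RuntimeException('token not issued for this API');
    }
    // Auth0 places RBAC permissions in the access token when that API setting is enabled.
    if (!in_array($requiredPermission, $claims['permissions'] ?? [], true)) {
        throw new RuntimeException("missing permission $requiredPermission");
    }
    return $claims;
}

/** Find-or-create a local user by auth0_id (sub). $users stands in for the users table. */
function resolveUser(array &$users, array $claims): array
{
    $auth0Id = $claims['sub'];
    if (!isset($users[$auth0Id])) {
        $users[$auth0Id] = [
            'auth0_id' => $auth0Id,
            // A plain access token carries no email; this is null unless an Action added the claim.
            'email' => $claims[EMAIL_CLAIM] ?? null,
        ];
    }
    return $users[$auth0Id];
}

// --- Constructed demo: issue a token locally and run it through the guard ---
$private = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($private, $pem);
$jwks = jwksFor($private, 'demo-key-1');

$now   = time();
$token = JWT::encode([
    'iss' => ISSUER, 'sub' => 'auth0|64c1f2e9abc', 'aud' => [AUDIENCE],
    'iat' => $now, 'exp' => $now + 300,
    'permissions' => ['read:public'],
    EMAIL_CLAIM => 'customer@example.com',
], $pem, 'RS256', 'demo-key-1');

$users  = [];
$claims = verifyAccessToken($token, $jwks, 'read:public');   // /api/public check
$user   = resolveUser($users, $claims);
echo "authenticated {$user['auth0_id']} ({$user['email']})\n";

try {
    verifyAccessToken($token, $jwks, 'read:admin');           // /api/admin check fails
} catch (RuntimeException $e) {
    echo "admin denied: {$e->getMessage()}\n";
}
```

In a Laravel app this logic would live in a middleware or a custom guard's `user()` method, with the JWKS fetched once and cached; the important property shown here is that the API never trusts the frontend's claims about the user and derives the local identity only from the verified `sub`, so a Customers token presented to /api/admin is rejected on the permission (or audience) check rather than on anything the SPA sends.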