Okay, to explain what I want to achieve first. To learn Auth0, I’m setting up:
- A Laravel web application that will hold a catalog of, let's say, football teams (a FootballTeamController that handles the FootballTeam resource, with the Eloquent ORM).
- API routes in the same Laravel application, so that I can access the same catalog from a totally different application (or if I want to rebuild the front end as a JS-based application with AJAX calls).
- Auth0 to handle users and permissions (create:footballteam, read:footballteam, etc.)
I’ve been reading up and followed several tutorials/articles, and managed to get the API routes to work with permissions/scopes through the CheckJWT middleware suggested here: https://auth0.com/docs/quickstart/backend/laravel/01-authorization - but that is when I’m requesting tokens through the client_credentials grant type on a machine-to-machine application.
My problem is that I want to achieve the same with my web routes. I’ve been able to authenticate the users following this tutorial: https://auth0.com/blog/build-a-laravel-6-app-with-authentication/#Adding-Authentication-to-Your-Laravel-6-0-Application - but I cannot find a way to check scopes/permissions of the users for my API (the API created in the Auth0 dashboard). I really just want to make sure not everyone can create football teams in my catalog.
So, I would appreciate it if someone could point me in the right direction. Articles, tutorials, anything that could help me understand this better… I’m just stuck at the moment.
And if you think I could have used a better approach/flow, let me know! I want to get this right.
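One way to gate an action such as create:footballteam on the token the caller actually presents, as an added example that is not part of the original post and not code from Auth0's Laravel SDK or the CheckJWT quickstart. It assumes the API in the Auth0 dashboard has RBAC enabled with "Add Permissions in the Access Token" turned on (user access tokens then carry a `permissions` array claim, while client_credentials tokens carry a space-separated `scope` string), and that an earlier middleware has already verified the JWT and exposed its payload on the request under a hypothetical attribute named `jwt`. The one thing that trips people up with the web login flow: only an access token requested with the API's identifier as the `audience` carries `permissions`; the ID token from the login tutorial never does, so the helper returns false for it.

```php
<?php
// Added example (not from the original post, not Auth0 SDK code).
// Assumptions, none of which are stated in the post:
//  - The Auth0 API has RBAC + "Add Permissions in the Access Token" enabled, so
//    user access tokens carry a `permissions` array claim.
//  - client_credentials (M2M) tokens carry a space-separated `scope` string.
//  - $claims is an ALREADY-VERIFIED payload (signature, issuer, audience checked by
//    CheckJWT or the Auth0 SDK); nothing below verifies the token itself.
declare(strict_types=1);

/**
 * Collect every permission granted by a verified token payload, accepting both
 * the RBAC `permissions` array and the client_credentials `scope` string.
 *
 * @param array<string,mixed> $claims decoded JWT payload
 * @return string[] de-duplicated permission names
 */
function grantedPermissions(array $claims): array
{
    $granted = [];

    // User token with RBAC: "permissions": ["read:footballteam", "create:footballteam"]
    if (isset($claims['permissions']) && is_array($claims['permissions'])) {
        foreach ($claims['permissions'] as $p) {
            if (is_string($p) && $p !== '') {
                $granted[] = $p;
            }
        }
    }

    // M2M token: "scope": "read:footballteam create:footballteam"
    if (isset($claims['scope']) && is_string($claims['scope'])) {
        foreach (preg_split('/\s+/', trim($claims['scope']), -1, PREG_SPLIT_NO_EMPTY) as $s) {
            $granted[] = $s;
        }
    }

    return array_values(array_unique($granted));
}

/** True only for an exact permission name; no prefix or wildcard matching. */
function hasPermission(array $claims, string $required): bool
{
    return in_array($required, grantedPermissions($claims), true);
}

/**
 * Laravel route middleware, used as ->middleware('permission:create:footballteam').
 * In the app it would live in app/Http/Middleware and be registered in
 * app/Http/Kernel.php under $routeMiddleware as 'permission'. Laravel splits the
 * middleware string on the first ':' only, so 'create:footballteam' arrives intact.
 */
class RequirePermission
{
    public function handle($request, \Closure $next, string $permission)
    {
        // Assumption: an earlier middleware verified the token and stored its
        // payload on the request under the hypothetical attribute name 'jwt'.
        $claims = $request->attributes->get('jwt', []);

        if (!hasPermission($claims, $permission)) {
            abort(403, 'Missing permission: ' . $permission);
        }

        return $next($request);
    }
}

// Stand-alone demonstration with constructed payloads (not real tokens), run with
// `php thisfile.php`; skipped when the file is merely included by an application.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $userToken = ['sub' => 'auth0|abc123', 'permissions' => ['read:footballteam']];
    $m2mToken  = ['sub' => 'clientid@clients', 'scope' => 'read:footballteam create:footballteam'];
    $idToken   = ['sub' => 'auth0|abc123', 'name' => 'Alice']; // ID token: no permissions claim

    var_dump(hasPermission($userToken, 'create:footballteam'));
    var_dump(hasPermission($m2mToken, 'create:footballteam'));
    var_dump(hasPermission($idToken, 'read:footballteam'));
}
```

The route would then read `Route::post('/footballteams', 'FootballTeamController@store')->middleware('permission:create:footballteam')`, and the same middleware serves both the API routes (token from the Authorization header) and the web routes, provided the web login flow stores an access token that was minted for the API audience and the verifying middleware runs first.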