PHP SDK Initialization - sessionStorage

  • Which SDK this is regarding: PHP
  • SDK Version: 8.2.1
  • Platform Version: Ubuntu 20.04.5 LTS

I don’t understand the SDK configuration process for using PHP session storage.

$sessionStorage        StoreInterface|null            Defaults to use cookies. A StoreInterface-compatible class for storing Token state.

In order to use PHP sessions I need to supply an instance of Auth0\SDK\Store\SessionStore when creating an SdkConfiguration instance. According to the readme this is the preferred way of doing it:

When configuring the SDK, you can instantiate SdkConfiguration and pass options as named arguments in PHP 8 (strongly recommended)

So my code needs to look like this:

$configuration = new SdkConfiguration(
    // The values below are found in the Auth0 dashboard, under application settings:
    domain: '{{YOUR_TENANT}}.auth0.com',
    clientId: '{{YOUR_APPLICATION_CLIENT_ID}}',
    sessionStorage : $mySessionStoreInstance
);

In order to create a sessionStore instance I need to supply an SdkConfiguration instance:

$mySessionStoreInstance = new SdkConfiguration(
    domain: '{{YOUR_TENANT}}.auth0.com',
    clientId: '{{YOUR_APPLICATION_CLIENT_ID}}',
);

Supplying the same parameters again seems strange and pointless - but when I do it the SdkConfiguration constructor throws an exception: \Auth0\SDK\Exception\ConfigurationException::requiresCookieSecret() because no cookie secret has been passed in the configuration options.

Well - the whole point of using sessionStore was to not use cookies!

I can structure the code like this:

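    // Array keys must be quoted strings with =>; the name: value form only works for named arguments.
    $params = [
        'domain' => '{{YOUR_TENANT}}.auth0.com',
        'clientId' => '{{YOUR_APPLICATION_CLIENT_ID}}',
        'cookieSecret' => '{{MY_COOKIE_SECRET}}',
    ];

    // First configuration exists only so that SessionStore can be constructed.
    $sessionStore = new SessionStore(new SdkConfiguration($params));
    $params['sessionStorage'] = $sessionStore;

    // Second configuration carries the session store into the SDK.
    return new Auth0(new SdkConfiguration($params));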

So, I’m creating a config in order to create a sessionStore instance which I then need to add back into the config parameters in order to finally configure the SDK.

And I still need to supply a cookieSecret in order not to use cookies!
And I don’t get to use any nice named parameters!

Is there a better way of coding this - one that uses named parameters?

You can write it as follows so that there is no need to create SdkConfiguration twice.

        $this->configuration = new SdkConfiguration([
            'domain' => $env['AUTH0_DOMAIN'] ?? null,
            'customDomain' => $env['AUTH0_CUSTOM_DOMAIN'] ?? null,
            'clientId' => $env['AUTH0_CLIENT_ID'] ?? null,
            'clientSecret' => $env['AUTH0_CLIENT_SECRET'] ?? null,
            'cookieSecret' => $env['AUTH0_COOKIE_SECRET'] ?? null,
            'cookieExpires' => (int) ($env['AUTH0_COOKIE_EXPIRES'] ?? 60 * 60 * 24),
            'audience' => ($env['AUTH0_AUDIENCE'] ?? null) !== null ? [trim($env['AUTH0_AUDIENCE'])] : null,
            'organization' => ($env['AUTH0_ORGANIZATION'] ?? null) !== null ? [trim($env['AUTH0_ORGANIZATION'])] : null,
        ]);
        $sessionStore = new SessionStore($this->configuration);
        $this->configuration->setSessionStorage($sessionStore);

And I still need to supply a cookieSecret in order not to use cookies!

Whether it’s good or bad, the SDK uses CookieStore as the default, so that’s why.
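
The approach from the answer above, combined with the named arguments the question asked for, as an added example that is not code from the thread or from the Auth0 SDK project. It assumes auth0/auth0-php 8.x installed via Composer and the AUTH0_* environment variables named in the answer; buildAuth0() and the 32-character minimum are this example's own choices.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: SDK installed via Composer

use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;
use Auth0\SDK\Store\SessionStore;

// Hypothetical helper, not part of the SDK.
function buildAuth0(array $env): Auth0
{
    // The constructor still requires cookieSecret because CookieStore is the
    // default until it is replaced below. Read it from the environment rather
    // than hard-coding it in source.
    $cookieSecret = $env['AUTH0_COOKIE_SECRET'] ?? '';
    if (strlen($cookieSecret) < 32) { // example's own minimum, not an SDK rule
        throw new RuntimeException('AUTH0_COOKIE_SECRET is missing or too short');
    }

    // With SessionStore the token state lives server-side and the PHP session
    // cookie identifies the user, so harden that cookie before the session starts.
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'secure'   => true,   // requires the site to be served over HTTPS
            'httponly' => true,   // not readable from JavaScript
            'samesite' => 'Lax',  // still sent on the top-level redirect back from Auth0
        ]);
    }

    // Named arguments, one SdkConfiguration instance.
    $configuration = new SdkConfiguration(
        domain: $env['AUTH0_DOMAIN'] ?? null,
        clientId: $env['AUTH0_CLIENT_ID'] ?? null,
        clientSecret: $env['AUTH0_CLIENT_SECRET'] ?? null,
        cookieSecret: $cookieSecret,
    );

    // Swap the default CookieStore for PHP sessions on the same instance.
    $configuration->setSessionStorage(new SessionStore($configuration));

    return new Auth0($configuration);
}

$auth0 = buildAuth0(getenv());
```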