What prevents the authorization in this Laravel 8 API?

Help
,
1

I am working on a Laravel 8 API. I use Auth0 for user registration and login.

I need the user’s id returned by Auth0 to use in my own application.

For this purpose I have the code, I have installed Guzzle with:

  composer require guzzlehttp/guzzle:^7.0

In routes\api.php I have the following:

// Protected routes
Route::group(['middleware' => ['jwt']], function () {
  Route::get('/user', [UserController::class, 'getUserId']);
});

In the AuthController I have:

class AuthController extends Controller {
  
	protected $appDomain;
	protected $appClientId;
	protected $appClientSecret;
	protected $appAudience;
	
	protected function authorization(){

		$this->appDomain = 'https://' . config('laravel-auth0.domain');
		$this->appClientId = config('laravel-auth0.client_id');
		$this->appClientSecret = config('laravel-auth0.client_secret');
		$this->appAudience = config('laravel-auth0.api_identifier');

		$client = new \GuzzleHttp\Client;

		try {
			$client = new \GuzzleHttp\Client();
			$response = $client->request('POST', $this->appDomain . '/oauth/token', [
				'form_params' => [
						"client_id" =>        $this->appClientId,
						"client_secret" =>    $this->appClientSecret,
						"audience" =>         $this->appAudience,
						"grant_type" =>       "client_credentials"
				]
			]);
		
			$response = json_decode($response->getBody());
		}
		catch (\GuzzleHttp\Exception\ClientException $e) {
			$response = $e->getResponse();
		}

		return $response;

	}
}

In the UserController I have:

class UserController extends AuthController {

	// More code

	public function getUserId(){

	$access_token = parent::authorization()->access_token;

	$client = new \GuzzleHttp\Client;
		try {
				$client = new \GuzzleHttp\Client(['headers' => [
						'authorization' => 'Bearer' . $access_token,
						'content-type' => 'application/json'
				]]);
				
				$response = $client->request('GET', $this->appDomain . '/userinfo');

				$response = json_decode($response->getBody());
		}
		catch (\GuzzleHttp\Exception\ClientException $e) {
				$response = $e->getResponse();
		}

		return 	$response;
	}

	// More code
}

The problem

When I access the api/user-profile route, Potman throws an Unauthorized response.

This happend despite the fact that the api/authorize route does
return the token:

{"access_token":"somerandom.longtoken","scope":"read:users update:users delete:users","expires_in":86400,"token_type":"Bearer"}

This is the list of permissions

image
image1280×480 36.7 KB

Question

Where is my mistake?

3

Hi @razvanz,

It looks like you may be using the wrong route:

Do you want GET /userinfo?

4

I want the user’s info from Auth0, more precisely, user_id.

The /user-profile route, is my own route, in Laravel.

But yes, as far as Auth0 is concerned, I want GET /userinfo.

The problem (at least one of them) seems to be that the authorization is not passed onto the UserController controller.

I return $response, which is “Unauthorized”. Using returning $access_token->access_token does output the token. Wich may mean it is not a code issue. I may be doing something wrong in the Auth0 account.

This is the list of permissions

image
image1280×480 36.7 KB

What is missing?

5

The user’s id should be available in the access token via the sub claim. If you decode the token what do you see? You can decode on jwt.io.