I am working on a Laravel 8 API. I use Auth0 for user registration and login.
I need the user’s id returned by Auth0 to use in my own application.
For this purpose I have the following code. I have installed Guzzle with:
```
composer require guzzlehttp/guzzle:^7.0
```
In routes\api.php I have the following:
```php
use App\Http\Controllers\UserController;
use Illuminate\Support\Facades\Route;

// Protected routes
Route::group(['middleware' => ['jwt']], function () {
    Route::get('/user', [UserController::class, 'getUserId']);
});
```
In the AuthController I have:
```php
class AuthController extends Controller
{
    protected $appDomain;
    protected $appClientId;
    protected $appClientSecret;
    protected $appAudience;

    protected function authorization()
    {
        $this->appDomain       = 'https://' . config('laravel-auth0.domain');
        $this->appClientId     = config('laravel-auth0.client_id');
        $this->appClientSecret = config('laravel-auth0.client_secret');
        $this->appAudience     = config('laravel-auth0.api_identifier');

        try {
            $client = new \GuzzleHttp\Client();
            $response = $client->request('POST', $this->appDomain . '/oauth/token', [
                'form_params' => [
                    'client_id'     => $this->appClientId,
                    'client_secret' => $this->appClientSecret,
                    'audience'      => $this->appAudience,
                    'grant_type'    => 'client_credentials',
                ],
            ]);
            $response = json_decode($response->getBody());
        } catch (\GuzzleHttp\Exception\ClientException $e) {
            $response = $e->getResponse();
        }

        return $response;
    }
}
```
In the UserController I have:
```php
class UserController extends AuthController
{
    // More code

    public function getUserId()
    {
        $access_token = parent::authorization()->access_token;

        try {
            $client = new \GuzzleHttp\Client(['headers' => [
                'authorization' => 'Bearer' . $access_token,
                'content-type'  => 'application/json',
            ]]);
            $response = $client->request('GET', $this->appDomain . '/userinfo');
            $response = json_decode($response->getBody());
        } catch (\GuzzleHttp\Exception\ClientException $e) {
            $response = $e->getResponse();
        }

        return $response;
    }

    // More code
}
```
The problem

When I access the api/user-profile route, Postman throws an Unauthorized response.

This happened despite the fact that the api/authorize route does return the token:

```
{"access_token":"somerandom.longtoken","scope":"read:users update:users delete:users","expires_in":86400,"token_type":"Bearer"}
```
This is the list of permissions
Question
Where is my mistake?
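As an added illustration (not code from the question), the following PHP shows the two pieces a Laravel API behind Auth0 needs when identifying the caller: the exact `Authorization` header format a Guzzle call must send, and reading the user id from the `sub` claim of the bearer token the client already presented, which the `jwt` middleware has verified before the controller runs. The class and method names are hypothetical, and the sample token is constructed.

```php
<?php
// Added example, not from the question. Class and method names are hypothetical.

class Auth0UserResolver
{
    /** Headers for a Guzzle request to an Auth0 endpoint (RFC 6750 bearer token). */
    public static function bearerHeaders(string $accessToken): array
    {
        return [
            // Scheme and token are separated by exactly one space.
            'Authorization' => 'Bearer ' . $accessToken,
            'Accept'        => 'application/json',
        ];
    }

    /** Decode the payload of a compact JWS and return its `sub` claim, or null. */
    public static function subjectFromJwt(string $jwt): ?string
    {
        // Only the payload is read here. Signature and expiry checks are the
        // job of the middleware guarding the route; never trust unverified claims.
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return null;
        }
        $b64 = strtr($parts[1], '-_', '+/');                  // base64url -> base64
        $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);  // restore padding
        $json = base64_decode($b64, true);
        if ($json === false) {
            return null;
        }
        $claims = json_decode($json, true);
        if (!is_array($claims) || !isset($claims['sub'])) {
            return null;
        }
        return (string) $claims['sub'];
    }
}

// Constructed sample: a JWT-shaped string whose payload is {"sub":"auth0|abc123"}.
$payload = rtrim(strtr(base64_encode('{"sub":"auth0|abc123"}'), '+/', '-_'), '=');
$sample  = 'eyJhbGciOiJSUzI1NiJ9.' . $payload . '.signature-not-checked-here';

echo Auth0UserResolver::subjectFromJwt($sample), PHP_EOL;
echo Auth0UserResolver::bearerHeaders('sometoken')['Authorization'], PHP_EOL;
```

Inside a Laravel controller the token to pass to `subjectFromJwt()` is `$request->bearerToken()` from `Illuminate\Http\Request`, so no second round trip to Auth0 is needed to learn who the caller is.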