What prevents the authorization in this Laravel 8 API?

I am working on a Laravel 8 API. I use Auth0 for user registration and login.

I need the user’s id returned by Auth0 to use in my own application.

For this purpose I have the code, I have installed Guzzle with:

  composer require guzzlehttp/guzzle:^7.0

In routes\api.php I have the following:

// Protected routes
Route::group(['middleware' => ['jwt']], function () {
  Route::get('/user', [UserController::class, 'getUserId']);

In the AuthController I have:

class AuthController extends Controller {
	protected $appDomain;
	protected $appClientId;
	protected $appClientSecret;
	protected $appAudience;
	protected function authorization(){

		$this->appDomain = 'https://' . config('laravel-auth0.domain');
		$this->appClientId = config('laravel-auth0.client_id');
		$this->appClientSecret = config('laravel-auth0.client_secret');
		$this->appAudience = config('laravel-auth0.api_identifier');

		$client = new \GuzzleHttp\Client;

		try {
			$client = new \GuzzleHttp\Client();
			$response = $client->request('POST', $this->appDomain . '/oauth/token', [
				'form_params' => [
						"client_id" =>        $this->appClientId,
						"client_secret" =>    $this->appClientSecret,
						"audience" =>         $this->appAudience,
						"grant_type" =>       "client_credentials"
			$response = json_decode($response->getBody());
		catch (\GuzzleHttp\Exception\ClientException $e) {
			$response = $e->getResponse();

		return $response;


In the UserController I have:

class UserController extends AuthController {

	// More code

	public function getUserId(){

	$access_token = parent::authorization()->access_token;

	$client = new \GuzzleHttp\Client;
		try {
				$client = new \GuzzleHttp\Client(['headers' => [
						'authorization' => 'Bearer' . $access_token,
						'content-type' => 'application/json'
				$response = $client->request('GET', $this->appDomain . '/userinfo');

				$response = json_decode($response->getBody());
		catch (\GuzzleHttp\Exception\ClientException $e) {
				$response = $e->getResponse();

		return 	$response;

	// More code

The problem

When I access the api/user-profile route, Potman throws an Unauthorized response.

This happend despite the fact that the api/authorize route does
return the token:

{"access_token":"somerandom.longtoken","scope":"read:users update:users delete:users","expires_in":86400,"token_type":"Bearer"}

This is the list of permissions


Where is my mistake?

Hi @razvanz,

It looks like you may be using the wrong route:

Do you want GET /userinfo?

I want the user’s info from Auth0, more precisely, user_id.

The /user-profile route, is my own route, in Laravel.

But yes, as far as Auth0 is concerned, I want GET /userinfo.

The problem (at least one of them) seems to be that the authorization is not passed onto the UserController controller.

I return $response, which is “Unauthorized”. Using returning $access_token->access_token does output the token. Wich may mean it is not a code issue. I may be doing something wrong in the Auth0 account.

This is the list of permissions

What is missing?

The user’s id should be available in the access token via the sub claim. If you decode the token what do you see? You can decode on jwt.io.