
laravel-auth0's Introduction

Auth0 Laravel SDK


The Auth0 Laravel SDK is a PHP package that integrates Auth0 into your Laravel application. It includes no-code user authentication, extensive Management API support, permissions-based routing access control, and more.

Requirements

Your application must use a supported Laravel version, and your host environment must be running a maintained PHP version. Please review our support policy for more information.

You will also need Composer and an Auth0 account.

Supported Laravel Releases

The next major release of Laravel is forecasted for Q1 2025. We anticipate supporting it upon release.

Laravel   SDK     PHP   Supported Until
11.x      7.13+   8.3   Approx. March 2026 (EOL for Laravel 11)
                  8.2   Approx. Dec 2025 (EOL for PHP 8.2)

We strive to support all actively maintained Laravel releases, prioritizing support for the latest major version with our SDK. If a new Laravel major introduces breaking changes, we may have to end support for past Laravel versions earlier than planned.

Affected Laravel versions will still receive security fixes until their end-of-life date, as announced in our release notes.

Maintenance Releases

The following releases are no longer being updated with new features by Auth0, but will continue to receive security updates through their end-of-life date.

Laravel   SDK          PHP   Security Fixes Until
10.x      7.5 - 7.12   8.3   Feb 2025 (EOL for Laravel 10)
                       8.2   Feb 2025 (EOL for Laravel 10)
                       8.1   Nov 2024 (EOL for PHP 8.1)

Unsupported Releases

The following releases are unsupported by Auth0. While they may be suitable for some legacy applications, your mileage may vary. We recommend upgrading to a supported version as soon as possible.

Laravel SDK
9.x 7.0 - 7.12
8.x 7.0 - 7.4
7.x 5.4 - 6.5
6.x 5.3 - 6.5
5.x 2.0 - 6.1
4.x 1.x

Getting Started

The following is our recommended approach to getting started with the SDK. Alternatives are available in our expanded installation guide.

1. Install the SDK

  • For new applications, we offer a quickstart template — a version of the default Laravel 9 starter project pre-configured for use with the Auth0 SDK.

    composer create-project auth0-samples/laravel auth0-laravel-app && cd auth0-laravel-app
  • For existing applications, you can install the SDK using Composer.

    composer require auth0/login:^7 --update-with-all-dependencies

    In this case, you will also need to generate an SDK configuration file for your application.

    php artisan vendor:publish --tag auth0

2. Install the CLI

  1. Install the Auth0 CLI to manage your account from the command line.

    curl -sSfL https://raw.githubusercontent.com/auth0/auth0-cli/main/install.sh | sh -s -- -b .

    Move the CLI to a directory in your PATH to make it available system-wide.

    sudo mv ./auth0 /usr/local/bin

    💡 If you prefer not to move the CLI, simply substitute `auth0` in the CLI steps below with `./auth0`.

    Using Homebrew (macOS):
    brew tap auth0/auth0-cli && brew install auth0

    Using Scoop (Windows):
    scoop bucket add auth0 https://github.com/auth0/scoop-auth0-cli.git
    scoop install auth0
  2. Authenticate the CLI with your Auth0 account. Choose "as a user" if prompted.

    auth0 login

3. Configure the SDK

  1. Register a new application with Auth0.

    auth0 apps create \
      --name "My Laravel Application" \
      --type "regular" \
      --auth-method "post" \
      --callbacks "http://localhost:8000/callback" \
      --logout-urls "http://localhost:8000" \
      --reveal-secrets \
      --no-input \
      --json > .auth0.app.json
  2. Register a new API with Auth0.

    auth0 apis create \
      --name "My Laravel Application API" \
      --identifier "https://github.com/auth0/laravel-auth0" \
      --offline-access \
      --no-input \
      --json > .auth0.api.json
  3. Add the new files to .gitignore.

    echo ".auth0.*.json" >> .gitignore
    Using Windows PowerShell:
    Add-Content .gitignore "`n.auth0.*.json"

    Using Windows Command Prompt:
    echo .auth0.*.json >> .gitignore

4. Run the Application

Boot the application using PHP's built-in web server.

php artisan serve

Direct your browser to http://localhost:8000 to experiment with the application.

  • Authentication
    Users can log in or out of the application by visiting the /login or /logout routes, respectively.

  • API Authorization
    For simplicity's sake, generate a test token using the CLI.

    auth0 test token \
      --audience %IDENTIFIER% \
      --scopes "read:messages"

    ✋ Substitute %IDENTIFIER% with the identifier of the API you created in step 3 above.

    Now you can send requests to the /api endpoints of the application, including the token as a header.

    curl --request GET \
      --url http://localhost:8000/api/example \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer %TOKEN%'

    ✋ Substitute %TOKEN% with the test token returned in the previous step.

    Using Windows PowerShell:
    Invoke-WebRequest http://localhost:8000/api/example `
      -Headers @{'Accept' = 'application/json'; 'Authorization' = 'Bearer %TOKEN%'}

When you're ready to deploy your application to production, review our deployment guide for best practices and advice on securing Laravel.

Integration Examples

User Authentication

The SDK automatically registers all the necessary routes and authentication services within the web middleware group of your application to enable users to authenticate without requiring you to write any code.

Route Purpose
/login Initiates the authentication flow.
/logout Logs the user out.
/callback Handles the callback from Auth0.

If these routes conflict with your application architecture, you can override this default behavior by adjusting the SDK configuration.


Route Authorization (Access Control)

The SDK automatically registers its authentication and authorization guards within the web and api middleware groups for your Laravel application, respectively.

For web routes, you can use Laravel's auth middleware to require that a user be authenticated to access a route.

Route::get('/private', function () {
  return response('Welcome! You are logged in.');
})->middleware('auth');

For api routes, you can use Laravel's auth middleware to require that a request be authenticated with a valid bearer token to access a route.

Route::get('/api/private', function () {
  return response()->json(['message' => 'Hello! You included a valid token with your request.']);
})->middleware('auth');

In addition to requiring that a user be authenticated, you can also require that the user have specific permissions to access a route, using Laravel's can middleware.

Route::get('/scope', function () {
    return response('You have the `read:messages` permission, and can therefore access this resource.');
})->middleware('auth')->can('read:messages');

Permissions require that RBAC be enabled within your API settings.


Users and Tokens

Laravel's Auth Facade can be used to retrieve information about the authenticated user or token associated with a request.

For routes using the web middleware group in routes/web.php.

Route::get('/', function () {
  if (! auth()->check()) {
    return response('You are not logged in.');
  }

  $user = auth()->user();
  $name = $user->name ?? 'User';
  $email = $user->email ?? '';

  return response("Hello {$name}! Your email address is {$email}.");
});

For routes using the api middleware group in routes/api.php.

Route::get('/', function () {
  if (! auth()->check()) {
    return response()->json([
      'message' => 'You did not provide a token.',
    ]);
  }

  return response()->json([
    'message' => 'Your token is valid; you are authorized.',
    'id' => auth()->id(),
    'token' => auth()?->user()?->getAttributes(),
  ]);
});
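As an added example (not code from the SDK or its documentation), the following routes/api.php shows the 401/403 split the guards above produce: one route that needs only a valid token, one gated with can, and one that makes the same permission decision explicitly from the token claims. It assumes the token user's getAttributes() exposes Auth0's standard access-token claims (sub, a space-separated scope string and, with RBAC enabled, a permissions array); the route paths and the delete:messages permission are invented for the example.

```php
<?php
// routes/api.php (added example, not part of the SDK). Assumes the SDK's api
// guard is registered as described above and that auth()->user()->getAttributes()
// returns the access token claims under Auth0's standard names: 'sub', a
// space-separated 'scope' string and, with RBAC enabled, a 'permissions' array.

use Illuminate\Support\Facades\Route;

// Collect every permission a token carries, from both claim shapes.
$tokenPermissions = function (array $claims): array {
    $fromScope = array_filter(explode(' ', (string) ($claims['scope'] ?? '')));
    $fromRbac = array_filter((array) ($claims['permissions'] ?? []), 'is_string');

    return array_values(array_unique(array_merge($fromScope, $fromRbac)));
};

Route::middleware('auth')->group(function () use ($tokenPermissions) {
    // Authentication only: the auth middleware rejects a missing or invalid
    // bearer token with 401 before this closure ever runs.
    Route::get('/whoami', function () {
        return response()->json(['sub' => auth()->id()]);
    });

    // Authentication plus permission: 'can' answers 403 when the token is
    // valid but does not carry read:messages.
    Route::get('/messages', function () {
        return response()->json(['messages' => []]);
    })->can('read:messages');

    // The same decision made by hand, so the 401/403 split is visible: by this
    // point the identity is established, so a missing permission is 403
    // (Forbidden), never 401 (Unauthorized).
    Route::delete('/messages/{id}', function (string $id) use ($tokenPermissions) {
        $claims = auth()->user()?->getAttributes() ?? [];

        if (! in_array('delete:messages', $tokenPermissions($claims), true)) {
            return response()->json(['message' => 'Forbidden'], 403);
        }

        // Audit the subject that acted, never the raw token.
        logger()->info('message.delete', ['sub' => $claims['sub'] ?? null, 'id' => $id]);

        return response()->json(['deleted' => $id]);
    });
});
```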

Management API Calls

Once you've authorized your application to make Management API calls, you'll be able to engage nearly any of the Auth0 Management API endpoints through the SDK.

Each API endpoint has its own SDK class which can be accessed through the Facade's management() factory method. For interoperability, network responses from the API are returned as PSR-7 messages. These can be converted into native arrays using the SDK's json() method.

For example, to update a user's metadata, you can call the management()->users()->update() method.

use Auth0\Laravel\Facade\Auth0;

Route::get('/colors', function () {
  $colors = ['red', 'blue', 'green', 'black', 'white', 'yellow', 'purple', 'orange', 'pink', 'brown'];

  // Update the authenticated user with a randomly assigned favorite color.
  Auth0::management()->users()->update(
    id: auth()->id(),
    body: [
      'user_metadata' => [
        'color' => $colors[random_int(0, count($colors) - 1)]
      ]
    ]
  );

  // Retrieve the user's updated profile.
  $profile = Auth0::management()->users()->get(auth()->id());

  // Convert the PSR-7 response into a native array.
  $profile = Auth0::json($profile);

  // Extract some values from the user's profile.
  $color = $profile['user_metadata']['color'] ?? 'unknown';
  $name = auth()->user()->name;

  return response("Hello {$name}! Your favorite color is {$color}.");
})->middleware('auth');

All the SDK's Management API methods are documented here.
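Building on the management()->users() calls above, here is an added example (not the SDK's own code) that checks the PSR-7 status code before decoding a response, and that keeps user-editable data in user_metadata while writing trusted data only to app_metadata behind a permission-gated route. It assumes the Management API is authorized as described above and that a manage:users permission exists in the API's RBAC settings; the permission name and route paths are invented.

```php
<?php
// routes/web.php (added example, not part of the SDK). Assumes the Management
// API is authorized as described above, that RBAC is enabled on the API and
// that a 'manage:users' permission exists there (permission name and route
// paths are invented for this example).

use Auth0\Laravel\Facade\Auth0;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Fetch a profile and decode it only when the Management API answered 200,
// so an error body is never mistaken for a profile.
$fetchProfile = function (string $userId): ?array {
    $response = Auth0::management()->users()->get($userId);

    return $response->getStatusCode() === 200 ? Auth0::json($response) : null;
};

// user_metadata holds data the user is allowed to control (display
// preferences and the like), so any signed-in user may write their own.
Route::post('/me/preferences', function (Request $request) {
    $theme = $request->input('theme') === 'dark' ? 'dark' : 'light';

    $response = Auth0::management()->users()->update(
        id: auth()->id(),
        body: ['user_metadata' => ['theme' => $theme]],
    );
    $saved = $response->getStatusCode() === 200;

    return response()->json(['saved' => $saved], $saved ? 200 : 502);
})->middleware('auth');

// app_metadata cannot be edited by the user, so it is where the application
// keeps values it must be able to trust, such as a subscription plan. Writes
// go through a permission-gated route and are limited to an allow-list.
Route::post('/admin/users/{id}/plan', function (Request $request, string $id) use ($fetchProfile) {
    $plan = $request->input('plan');
    if (! in_array($plan, ['free', 'pro'], true)) {
        return response()->json(['message' => 'Unknown plan'], 422);
    }

    $response = Auth0::management()->users()->update(
        id: $id,
        body: ['app_metadata' => ['plan' => $plan]],
    );
    if ($response->getStatusCode() !== 200) {
        // Surface the failure instead of reporting success on a stale profile.
        return response()->json(['message' => 'Management API update failed'], 502);
    }

    logger()->info('user.plan.changed', ['actor' => auth()->id(), 'subject' => $id, 'plan' => $plan]);

    $profile = $fetchProfile($id);

    return response()->json(['plan' => $profile['app_metadata']['plan'] ?? null]);
})->middleware('auth')->can('manage:users');

// Reading the trusted value back for a decision inside the application.
Route::get('/billing', function () use ($fetchProfile) {
    $profile = $fetchProfile(auth()->id());
    $plan = $profile['app_metadata']['plan'] ?? 'free';

    return response("Your plan is {$plan}.");
})->middleware('auth');
```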

Documentation

  • Installation — Installing the SDK and generating configuration files.
  • Configuration — Configuring the SDK using JSON files or environment variables.
  • Sessions — Guidance on deciding which Laravel Session API driver to use.
  • Cookies — Important notes about using Laravel's Cookie session driver, and alternative options.
  • Management API — Using the SDK to work with the Auth0 Management API.
  • Users — Extending the SDK to support persistent storage and Eloquent models.
  • Events — Hooking into SDK events to respond to specific actions.
  • Deployment — Deploying your application to production.

You may find the following integration guidance useful:

You may also find the following resources helpful:

Contributions to improve our documentation are welcomed.

QuickStarts

Community

The Auth0 Community is where you can get support, ask questions, and share your projects.

Contributing

We appreciate feedback and contributions to this library. Before you get started, please review Auth0's General Contribution guidelines.

The Contribution Guide contains information about our development process and expectations, insight into how to propose bug fixes and improvements, and instructions on how to build and test changes to the library.

To provide feedback or report a bug, please raise an issue.

Code of Conduct

Participants are expected to adhere to Auth0's Code of Conduct when interacting with this project.

Security

If you believe you have found a security vulnerability, we encourage you to responsibly disclose this and not open a public issue. We will investigate all reports. The Responsible Disclosure Program details the procedure for disclosing security issues.

License

This library is open-sourced software licensed under the MIT license.



Auth0 is an easy-to-implement, adaptable authentication and authorization platform.
To learn more, check out "Why Auth0?"


laravel-auth0's Issues

Decoded response from API call differs from decoded JWT user

Is there a (good) reason why the response body from the API request is converted into an associative array? (The true parameter in the return json_decode($body, true); here.)

When using the Laravel Auth0JWTMiddleware to decode a JWT token into a user, the body is not converted.

This causes issues because you now have to check if the app_metadata and its data is an array or an object.

For consistency reasons I think it would be good to either not convert it to an associative array in the SDK, or do convert it as well in the Auth0UserRepository.

Problem with the installation in Laravel 5.2

I am trying to install this package with Composer, but I get this error:

Your requirements could not be resolved to an installable set of packages.

Problem 1
- Conclusion: don't install auth0/login 5.0.1
- Conclusion: remove guzzlehttp/guzzle 5.3.1
- Installation request for auth0/login ~5.0 -> satisfiable by auth0/login[5.0.0, 5.0.1].
- Conclusion: don't install guzzlehttp/guzzle 5.3.1
- auth0/login 5.0.0 requires auth0/auth0-php ^5.0.0 -> satisfiable by auth0/auth0-php[5.0.0, 5.0.1, 5.0.2, 5.0.3].
- auth0/auth0-php 5.0.0 requires guzzlehttp/guzzle ~6.0 -> satisfiable by guzzlehttp/guzzle[6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3].
- auth0/auth0-php 5.0.1 requires guzzlehttp/guzzle ~6.0 -> satisfiable by guzzlehttp/guzzle[6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3].
- auth0/auth0-php 5.0.2 requires guzzlehttp/guzzle ~6.0 -> satisfiable by guzzlehttp/guzzle[6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3].
- auth0/auth0-php 5.0.3 requires guzzlehttp/guzzle ~6.0 -> satisfiable by guzzlehttp/guzzle[6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3].
- Can only install one of: guzzlehttp/guzzle[6.0.0, 5.3.1].
- Can only install one of: guzzlehttp/guzzle[6.0.1, 5.3.1].
- Can only install one of: guzzlehttp/guzzle[6.0.2, 5.3.1].
- Can only install one of: guzzlehttp/guzzle[6.1.0, 5.3.1].
- Can only install one of: guzzlehttp/guzzle[6.1.1, 5.3.1].
- Can only install one of: guzzlehttp/guzzle[6.2.0, 5.3.1].
- Can only install one of: guzzlehttp/guzzle[6.2.1, 5.3.1].
- Can only install one of: guzzlehttp/guzzle[6.2.2, 5.3.1].
- Can only install one of: guzzlehttp/guzzle[6.2.3, 5.3.1].
- Installation request for guzzlehttp/guzzle (locked at 5.3.1) -> satisfiable by guzzlehttp/guzzle[5.3.1].

Installation failed, reverting ./composer.json to its original content.

How can I resolve this?

Changing name of user identifier

Is there an easy way to change the user identifier from "sub" to something more descriptive like "auth0id"? I haven't been able to figure it out.

Getting 'unauthorized'

ErrorException in Auth0.php line 244:
Illegal string offset 'error'

HandleExceptions->handleError('2', 'Illegal string offset 'error'', 'vendor/auth0/auth0-php/src/Auth0.php', '244', array('code' => '**_', 'auth_url' => 'https://_.auth0.com/oauth/token/', 'response' => array('result' => 'Unauthorized', 'code' => '401', 'content_type' => false), 'auth0_response' => 'Unauthorized'))

on /auth0/callback

Create a logout route

I need a way to logout my users from auth0 within my Laravel application.

Would it make sense to create a logout route in this package that flushes the session?

pls change config arg name

In the package, the config name suported_algs is not valid, but in this repo the config name is correct. Please change it to "supported algs".

vendor/auth0/login/src/config/config.php
<?php 
return array(
    /*
    |--------------------------------------------------------------------------
    |   Supported algs by your API
    |--------------------------------------------------------------------------
    |   Algs supported by your API
    |
    */
    // 'suported_algs'        => ['HS256'],
);

[Bug] Inconsistencies with the singleton Auth0Service

Description

It is defined here that Auth0Service should be (or expected to be) a singleton. But in here, Auth0UserProvider is being created with a dependency from Auth0Service which is injected via its constructor, which makes another instance of Auth0Service.

Sample Scenario

For instance, I want to have a custom UserRepository that would get the id_token from Auth0Service.

// Auth0Controller@callback

// Get a handle of the Auth0 service (we don't know if it has an alias)
$service = \App::make('auth0');           // <------- Get the singleton instance
// Try to get the user information
$profile = $service->getUser();          // <-------- exchange() is called here and uses the code param

// Get the user related to the profile
$auth0User = $this->userRepository->getUserByUserInfo($profile);

On my UserRepository

// Laravel creates a new instance
public function __construct(Auth0Service $auth0Service){
  $this->service = $auth0Service;
}

public function getUserByUserInfo($userInfo) {
  $idToken = $this->service->getIdToken(); // <------ exchange() is called again on the new instance but the code is already used
}

Possible Solution

// LoginServiceProvider@register
// Bind the auth0 name to a singleton instance of the Auth0 Service
$this->app->singleton(Auth0Service::class, function () {
      return new Auth0Service();
});
$this->app->singleton('auth0', function () {
      return $this->app->make(Auth0Service::class);
});

outdated dependencies

The example uses an outdated version of Laravel and auth0/login. The outdated auth0/login depends on an outdated version of auth0/auth0-php, which raises an error:


Possible to use User object functions?

Before integrating Auth0 into my app, I was able to call

Auth::user()->someFunction();

someFunction() was defined as a public function in my App\User.php. After integrating Auth0, I am no longer able to call these functions:

Call to undefined method Auth0\Login\Auth0User::someFunction()

My question is, what is the best way to still utilize these user model functions? I am using customUserRepository.php as outlined in the laravel quickstart guide.

Update needed?

This may need to be updated as auth0 have changed how they authenticate APIs. APIs no longer are clients but their own separate entity, so the need for a client ID and client secret isn't there any more.

Given the changes on the auth0 side, it can be pretty confusing to implement as it stands.

Support for Laravel 5?

Do you plan on supporting Laravel 5? If so, how soon?

I think the biggest change would be converting the filters into middleware.

Extend Illuminate\Foundation\Auth\User

I've found that I am having to handle Auth0 user data and my database models separately, which isn't very convenient. Using Eloquent's User::firstOrNew() isn't possible using Auth0User, but if I decide to extend my user object from the default Eloquent object, I lose access to the added Auth0 data. I'd love to have peanut butter and chocolate 😄

API routes broken in auth0-laravel-php-web-app (and in general)?

While app authentication works great, in the webapp example navigating to the existing route /api/user throws various errors:

Invalid state
Auth0\SDK\Exception\CoreException 
…/vendor/auth0/auth0-php/src/Auth0.php line 512

and

Can't initialize a new session while there is one active session already
Auth0\SDK\Exception\CoreException 
…/vendor/auth0/auth0-php/src/Auth0.php line 516

I seem to be encountering a similar behavior (error claiming I am unauthorized when I'm in fact logged in) in my own app when viewing /api/test (protected only with "auth" or "auth:api" middleware). Would be great to get this working...

[email protected] breaks Laravel-Auth0

Installing this package installs [email protected].

This is causing an exception to be thrown that stems from the LoginServiceProvider:

[2018-10-31 22:21:05] local.ERROR: Undefined index: environment {"exception":"[object] (ErrorException(code: 0): Undefined index: environment at /var/www/vendor/auth0/auth0-php/src/API/Helpers/InformationHeaders.php:128)"} []
[2018-10-31 22:21:05] local.ERROR: Undefined index: environment {"exception":"[object] (ErrorException(code: 0): Undefined index: environment at /var/www/vendor/auth0/auth0-php/src/API/Helpers/InformationHeaders.php:128)"} []

In InformationHeaders.php line 128:

  Undefined index: environment

I've traced it down to the InformationHeaders::Extend function that looks to fill the headers in with the old headers environment field.

It gets the old headers from the auth0 ApiClient getInfoHeadersData.
This change to ApiClient no longer sets an environment field, however.

One suggestion would be to change the composer.json to:

    "require": {
        "auth0/auth0-php": ">=5.1 <5.3.1"
    },

I can also raise this issue on the auth0-php package, as the update to the ApiClient has broken the InformationHeaders@Extend function (which is slated for deprecation).

Auth0::getUser() returns null even when Auth::check() is true

Basically:


Route::get('/api/protected', array('middleware' => 'auth0.jwt', function() {
    echo json_encode(Auth::check())."\n";
    echo json_encode(Auth0::jwtUser())."\n";

    echo json_encode(Auth0::getUser())."\n";
}));

returns

true
{"iss":"https:\/\/***.eu.auth0.com\/","sub":"***","aud":"***","exp":***,"iat":***}
null

with

Authorization: Bearer e****

404 Error on API-Call

I'm using Laravel 5.5 and "auth0/login": "~5.0". I am trying to secure my API with Auth0.

Problem: I run into "404 Page not found" after an API call.

I installed the plugin following this tutorial directly from Auth0. Maybe my configuration is not correct, especially the redirect URL. This is my current configuration:

domain: geezee.eu.auth0.com
client_id: ***
client_secret: ***
redirect_uri: http://myurl.de/auth0/callback
api_identifier: http://www.myurl.de/api/v1/
suported_algs: ['RS256']

I have no route for callback.

Increasing Session Timeout

How do we increase the session timeout? I have already set the timeout lifetime in config/session.php, but it doesn't seem to be working well.

OnLogin callback question

Great and straightforward library -- thanks. Q re: callback:

The Auth0Service exposes three functions in support of a callback on login (called by the Auth0Controller). When does an application call onLogin to set up the callback? Do you typically see it in the boot section of the AuthServiceProvider or LoginServiceProvider? I can't come up with a way that doesn't seem like a kludge.

Thank you.

Support single sign on with an SSO middleware or otherwise

This repository's README.md states


The Laravel-specific documentation page https://auth0.com/docs/quickstart/webapp/laravel/01-login ends when you have a simple login set up, not SSO.

While trying to implement single sign on with Auth0 between two sites on two domains, from reading the Silent Login page https://auth0.com/docs/api-auth/tutorials/silent-authentication, I noticed


The standard example login route with this package is

Route::get('/login', function() {
    return \App::make('auth0')->login(null, null, ['scope' => 'openid profile email'], 'code');
});

I have figured out that I can create this, for a silent login route:

Route::get('/login_silent', function() {
    return \App::make('auth0')->login(null, null, ['scope' => 'openid profile email', 'prompt' => 'none'], 'code');
});

After logging in on my first site, navigating to this route on my second site logs me in nicely, by performing the redirect to Auth0, then redirecting back to my second site.

To implement a full single sign-on solution (the user is automatically logged in when browsing to the second site without clicking anything), we need to perform the silent login redirect on their first page load, and then

  • If they have logged in on another site configured with single sign on, log them in and redirect back

  • If they are not already logged in: do nothing and redirect back to the original site, not logged in

I don't see a way to cover the second case with this package; when the user is not logged in yet.

After a login attempt (prompt or silent), Auth0 redirects to this route:

Route::get('/auth0/callback', '\Auth0\Login\Auth0Controller@callback');

Looking at Auth0Controller:

public function callback()
    {
        // Get a handle of the Auth0 service (we don't know if it has an alias)
        $service = \App::make('auth0');

        // Try to get the user information
        $profile = $service->getUser();

        // Get the user related to the profile
        $auth0User = $this->userRepository->getUserByUserInfo($profile);

        if ($auth0User) {
            // If we have a user, we are going to log him in, but if
            // there is an onLogin defined we need to allow the Laravel developer
            // to implement the user as he wants an also let him store it.
            if ($service->hasOnLogin()) {
                $user = $service->callOnLogin($auth0User);
            } else {
                // If not, the user will be fine
                $user = $auth0User;
            }
            \Auth::login($user, $service->rememberUser());
        }

        return \Redirect::intended('/');
    }

According to https://auth0.com/docs/api-auth/tutorials/silent-authentication:


The errors (or state of $auth0User) we need are lost after this redirect at the end of the Auth0Controller callback() function.

I thought about trying this:

Route::get('/', function() {
    if(!Auth::check()) {
        return \App::make('auth0')->login(null, null, ['scope' => 'openid profile email', 'prompt' => 'none'], 'code');
    }

    return view('home');
});

But if the user isn't logged in, we are then in an endless redirect loop, sending the user to Auth0 trying to log in.

What we are looking for is something like this:

Route::get('/', function() {
    if (!Auth::check()) {
        if (!$we_have_been_redirected_back_from_auth0_and_failed_to_login) {
            return \App::make('auth0')->login(null, null, ['scope' => 'openid profile email', 'prompt' => 'none'], 'code');
        }
    }

    return view('home');
});

The block above return view('home'); could be encapsulated into a nice SSO middleware.

I don't see a way to achieve this without editing the package or implementing my own solution using Auth0's RESTful APIs directly.

Scope configuration

The readme specifies that the name/email scope should be requested for a user, and indeed that should be a value that should be configurable but there doesn't seem to be a spot to do this. The default scope is 'openid'. Adding 'scope' as an array value in the auth0 config file doesn't seem to work.

Suggestion: Remove `laravel-` prefix on the config file

Just a suggestion: remove laravel- from the config filename. It feels redundant. Laravel configs are mostly named after the service only, without the laravel- prefix. Besides, auth0.php seems pretty unique already.

It does not have any benefits aside from aesthetics, but it will have an impact on backward compatibility, as far as I'm aware. Just voicing it here.

Cheers!

Tag 2.2.2 breaks on Laravel 5.1

The recently tagged 2.2.2 release is not based on the 2.x.x-dev branch but on master and breaks on Laravel 5.1 applications.

Add RS256 to the list of supported algorithms

By default the JWTVerifier uses only HS256 unless overridden by the arguments provided in Auth0Service.

RS256 is now the default when creating an API in the Auth0 Interface and the quickstart documentation does not mention the need to use HS256.

To rectify this I propose either adding RS256 to the support_algs config, or adding an option to add it in the laravel-auth0 config file.

Pull Request for proposed fix: #63

API returning "token algorithm not supported"

First, apologies for opening multiple issues here, as I attempt to integrate auth0 into my laravel app. The process has been far from intuitive, but I do believe the end result will be worth it.

I've got user authentication working perfectly in my app (signup, login, logout), and would now like to setup a simple API to retrieve a logged-in user's information stored in my app's database. I've followed the Quickstart Laravel API tutorial to implement the "jwt" middleware on my /api/private/userinfo route:

  1. Using postman, retrieve access token via https://*.auth0.com/oauth/token using password grant. Works great!
  2. Using postman, request /api/private/userinfo with header "authorization: Bearer *" where * is the access token previously gotten.

I'm stuck on this 2nd step as it always returns:

{
    "message": "Token algorithm not supported"
}

The token looks fine, so I'm really not sure what i'm doing wrong - please advise?

Error with Laravel 5.4

I was running fine with 5.3, but since I upgraded, I'm now getting this error when I try to use the auth0.jwt middleware:

BindingResolutionException in Container.php line 804: Target [Auth0\Login\Contract\Auth0UserRepository] is not instantiable while building [\Auth0\Login\Middleware\Auth0JWTMiddleware].

Any ideas on what's up, or a plan to support 5.4?

id_token and access_token disappears after authentication

Hi!

I am trying to get Auth0 to function with Laravel.

I have everything setup so I can initiate a login (username-password & facebook) with Lock. When it returns it authenticates and Auth::check() returns true.

If I try to access a route using the route middleware mentioned in the guide (https://auth0.com/docs/quickstart/webapp/laravel) I get "unauthorized user".

I can see that if I dump the variables in the Auth0Controller on the callback it has both an access_token and an id_token. But after I redirect away from the callback the access_token and id_token are null.

I am a bit clueless on how I can get both user profile, access_token and id_token after the login. I can't seem to find anything in the docs.

I am running Laravel 5.2 on Laravel Homestead 3.0.1

Improvements for Laravel 5.4

Related to #67

We need to check the migration guide and make sure that there is no breaking change: https://laravel.com/docs/5.4/upgrade#container

  • Exceptions rename
  • Middleware changes
  • Session changes, does it impact in the plugin?
  • Check if we can add value from Gate and policies (under Authorization section)

We also need to update the docs:

  • change bindings
  • check if there are any note that needs to be changed
  • update version of the quickstart

Redirect to previous page after login

For a while now I am trying to figure out how can I implement redirect after login to previous page, since each time I login now it takes me back to the site root.

Routes file
Route::get('/auth0/callback', 'IndexController@callback')->name('auth0-callback');
Route::get('/register', 'Auth\Auth0IndexController@login')->name('register');
Route::get('/login', ['as' => 'login', 'uses' => 'IndexController@login']);
Route::get('/logout', ['as' => 'logout', 'uses' => 'IndexController@logout']);

IndexController

<?php

namespace App\Http\Controllers;

use Auth0\Login\Contract\Auth0UserRepository;

class IndexController extends Controller
{
    protected $userRepository;

    public function __construct(Auth0UserRepository $userRepository)
    {
        $this->userRepository = $userRepository;
    }

    public function callback()
    {
        $service = \App::make('auth0');

        // Try to get the user information
        $profile = $service->getUser();

        // Get the user related to the profile
        $auth0User = $this->userRepository->getUserByUserInfo($profile);

        if ($auth0User) {
            if ($service->hasOnLogin()) {
                $user = $service->callOnLogin($auth0User);
            } else {
                // If not, the user will be fine
                $user = $auth0User;
            }
            \Auth::login($user, $service->rememberUser());
        }

        // Goes to the 'url.intended' session entry if one exists, else to '/'
        return \Redirect::intended('/');
    }

    public function login()
    {
        return \App::make('auth0')->login(null, null, ['scope' => 'openid email email_verified user_metadata profile'], 'code');
    }

    public function logout()
    {
        \Auth::logout();
        \Session::flush();
        return \Redirect::intended(\URL::previous());
    }
}
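As an added example (not code from the issue above), this is one way the login action can record the page the user came from, so that the unchanged Redirect::intended('/') in callback() sends them back there. It assumes the 'url.intended' session key that Laravel's Redirector::intended() pulls, and it only stores absolute http(s) URLs on the application's own host, so a spoofed Referer cannot turn the post-login redirect into an open redirect.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class IndexController extends Controller
{
    // Only absolute http(s) URLs on our own host may be used as the return
    // target; anything else (another host, a javascript: URL, an empty or
    // unparsable referer) collapses to '/'.
    public static function safeReturnUrl($candidate, $ownHost)
    {
        if (!is_string($candidate) || $candidate === '') {
            return '/';
        }
        $parts = parse_url($candidate);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return '/';
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return '/';
        }
        if (strcasecmp($parts['host'], $ownHost) !== 0) {
            return '/';
        }
        return $candidate;
    }

    public function login(Request $request)
    {
        // Auth::login() in callback() never stores 'url.intended'; only the
        // "auth" middleware does when it blocks a guest. Store it here, before
        // handing off to Auth0, so Redirect::intended('/') has a value to pull.
        $returnTo = self::safeReturnUrl(url()->previous(), $request->getHost());
        $request->session()->put('url.intended', $returnTo);

        // Same call as in the issue's login(); the SDK manages the state
        // parameter itself.
        return \App::make('auth0')->login(
            null,
            null,
            ['scope' => 'openid email email_verified user_metadata profile'],
            'code'
        );
    }
}
```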

Optionally signing user in from JWT

Hello,

I am using this library in conjunction with JWT. By using the currently available middleware, I can limit access to routes to users who have a valid JWT, and this works great. The middleware decodes the JWT based on the Authorization header and logs the user into Laravel if everything is OK.

However, I have some routes for which it is optional whether or not the user is logged in, hence why I cannot make use of the provided middleware. Basically I want the user to be logged in if a valid JWT is provided, and otherwise proceed, even if no JWT is present. Sometimes you just want to access the logged in user if available, without requiring the user to be logged in. I could roll my own logic to parse the Authorization header similar to how the middleware does it, but I kind of want to keep this stuff in the middleware.

As far as I can tell, there is currently nothing in the library that enables this, because access to the user relies on the middleware. Therefore, I am thinking of adding a new middleware that checks if a JWT is provided and logs the user in if it is valid and does nothing otherwise. This would be very similar to how the current middleware works.

I can quite easily go ahead and implement my own middleware and be done with it, but I was thinking that perhaps this could be a nice addition to this library. I was thinking of something like the below.

  1. Implement a middleware that logs the user in if a valid JWT is provided. Otherwise it does nothing
  2. Refactor the current middleware to return a 401 response if the user is not signed in (remove JWT decoding etc.)

The idea is to refactor the current middleware to have a single responsibility instead of doing more than one thing (decoding JWT + authorization check + logging in). So to have users with a valid JWT signed in, one middleware would be used (probably enabled for most of the application), and to restrict certain routes to signed in users, another one would be used. This does require two middlewares to accomplish the same thing as today, but it seems cleaner to do it this way. Perhaps using a middleware group would mean that the configuration is not more complex than today?

Anyways, the above would kind of break backwards compatibility, so it should probably be done in smaller steps. The "optional" middleware could easily be added without any problems, and when there is an opportunity to break backwards compatibility, the last refactor could be done.

I will have to implement this either way, and I am open to opening a pull request if there is an interest for it. What do you think?
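A sketch of the "optional" middleware described in this issue, written as an added example and not taken from the library or the issue author. It assumes the SDK's auth0 service exposes a decodeJWT() method that validates the token and returns its claims, and that the Auth0UserRepository contract offers getUserByDecodedJWT(); the one deliberate difference from the proposal is that a token which is present but invalid is rejected with 401 instead of being ignored, since silently treating a bad token as "no token" hides forgery attempts from your logs.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Auth0\Login\Contract\Auth0UserRepository;

// Optional-login middleware: signs the user in when a valid bearer JWT is
// present and passes the request through anonymously when none is offered.
class OptionalAuth0JWT
{
    protected $userRepository;

    public function __construct(Auth0UserRepository $userRepository)
    {
        $this->userRepository = $userRepository;
    }

    public function handle(Request $request, Closure $next)
    {
        // Reads the "Authorization: Bearer <jwt>" header, null if absent.
        $token = $request->bearerToken();

        if ($token === null) {
            // No credential offered at all: continue as a guest.
            return $next($request);
        }

        try {
            // Assumed SDK API: decodeJWT() checks signature, issuer, audience
            // and expiry and returns the decoded claims.
            $decoded = \App::make('auth0')->decodeJWT($token);
            $user = $this->userRepository->getUserByDecodedJWT($decoded);
            \Auth::login($user);
        } catch (\Exception $e) {
            // Present-but-invalid is not the same as absent: refuse the
            // request so tampered or expired tokens cannot pass as guests.
            \Log::warning('Rejected invalid Auth0 JWT: ' . $e->getMessage());
            return response()->json(['message' => 'Invalid token'], 401);
        }

        return $next($request);
    }
}
```

Register the class under $routeMiddleware in app/Http/Kernel.php and pair it with Laravel's built-in auth middleware on the routes that must require a signed-in user.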

Auth0User uses private variables so they cannot be accessed or overridden in child class

Hi,

Auth0User declares $userInfo and $accessToken as private instead of protected.

This means our child class cannot override these values so we can't get getAuthIdentifier to return a different identifier (our use case being we don't want the locally stored user to have 'sub' as the column name and would prefer something more obvious like 'auth0_id' in the db users table).

e.g.

<?php

namespace Example\Users;

class ExampleUser extends \Auth0\Login\Auth0User
{
    public function getAuthIdentifier()
    {
        return $this->userInfo['auth0_id'];
    }
}

Is this something you can fix?

Laravel Spark Integration

There are many great tutorials on how to integrate Auth0 with Laravel (mainly using this package) but I can't find any guides on how to integrate with Laravel Spark.

If anyone has some experience with getting it up and running with the Spark User Repository I would be eternally grateful if you could share your knowledge.

5.5 fresh - fails to login

Same error on a fresh install of 5.5 and the 00-starter-seed.zip package.

5.5:
[screenshot: "Whoops, there was an error" page]

starter-seed:
[screenshot: error on the auth0-laravel.dev callback URL]

I have verified the login was successful via auth0 dashboard and logs.

Any help would be great!

Cheers,
Trav

How do you combine Auth0 Lock with Laravel Auth0?

Is there a way to combine Auth0 Lock with Laravel Auth0?

Auth0 Lock supports responseType=code, and I'm planning to use Laravel Auth0 to handle the callback. Unfortunately, Laravel Auth0 has a stateful approach but there's no exposed function to issue a state token to the blade template.

Maybe changing the private properties and functions of Auth0Service is a good start so we could override and customize its behaviour?

I hope you could help. Thanks.

Problem with normal laravel user table

There are a couple of problems I had with this:

Auth0::onLogin(function($auth0User) {
    // See if the user exists
    $user = User::where("auth0id", $auth0User->user_id)->first();
    if ($user === null) {
        // If not, create one
        $user = new User();
        $user->email = $auth0User->email;
        $user->auth0id = $auth0User->user_id;
        $user->nickname = $auth0User->nickname;
        $user->name = $auth0User->name;
        $user->save();
    }
    return $user;
});

Upon the 2nd user created in this manner, there is an error because normal Laravel user tables have a unique username column.
Creating the 2nd user with the username '' as per the above code causes the problem.
I solved this simply by dropping the username column from the table.
Is that ok? If so you should mention that in the docs.

If you have OLD users from BEFORE you installed the "laravel-auth0" (aka "login") package, the auth0id = ''.
The above code will log you in as the first user in the database even if you're not logged in because $auth0User->user_id == ''.
Perhaps fix by adding something like
if ($auth0User->user_id != '') { }
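A hardened version of the onLogin callback from this issue, added here as an example rather than taken from the post or the library. It refuses to map a profile whose user_id is missing or empty (the case that otherwise matches the first legacy row with a blank auth0id and signs the caller in as that user), and the username line is a constructed workaround for the unique column rather than dropping it; it assumes the Auth0 alias the SDK setup registers and the App\User model.

```php
<?php

namespace App\Providers;

use App\User;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot()
    {
        // \Auth0 is the global alias the SDK setup registers for its facade.
        \Auth0::onLogin(function ($auth0User) {
            $auth0Id = $auth0User->user_id;

            // A profile with no stable subject must never be mapped to a local
            // row: where('auth0id', '') would match every legacy user whose
            // column was left blank and log the caller in as the first of them.
            if (!is_string($auth0Id) || trim($auth0Id) === '') {
                throw new AuthenticationException('Auth0 profile has no user_id');
            }

            $user = User::where('auth0id', $auth0Id)->first();
            if ($user === null) {
                $user = new User();
                $user->auth0id = $auth0Id;
                $user->email = $auth0User->email;
                $user->nickname = $auth0User->nickname;
                $user->name = $auth0User->name;
                // Constructed workaround: if the users table keeps a unique
                // username column, give each row a distinct value derived from
                // the Auth0 id instead of saving '' for every user.
                $user->username = 'auth0:' . $auth0Id;
                $user->save();
            }

            return $user;
        });
    }
}
```

Legacy rows with auth0id = '' should also be set to NULL by a migration so that no profile can ever collide with them.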
