Implementing Auth0 into a Laravel app
This past month or so I've been working with Auth0 - a third-party authentication mechanism for web apps.
Normally, authentication services aren't something I need to bother with. Laravel has a more than capable baked-in authentication system, and an even more extensive one if you're using something like Jetstream.
That said, my client is already using Auth0 for other properties they own and so I had to look at integrating Auth0 into Laravel.
While I needed to use Auth0 for authentication, I still wanted Laravel to handle my user permissions with Spatie's Laravel Permission package. That pretty much ruled out using Auth0's Laravel package, because it introduces its own guards and also has its own RBAC implementation.
There's a Laravel Socialite Auth0 provider. This is what I rolled with for the MVP: authentication was handled by Auth0, and in their callback I checked whether a Laravel User existed with that email address. If it did, I logged that user in; otherwise I created the user and then logged them in.
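The callback flow described above, as an added example that is not the post's own code. It assumes the Socialite Auth0 provider is registered under the driver name auth0 and that App\Models\User has name, email and password columns; the email_verified check and the session regeneration are additions a practitioner would want, not steps from the post.

```php
<?php
// Added example, not the post's own code. A controller for the Socialite
// Auth0 provider flow described above. Assumptions: the 'auth0' Socialite
// driver is configured, App\Models\User has name/email/password columns.
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;

class Auth0Controller extends Controller
{
    // Step 1: send the browser to Auth0's hosted login page.
    public function redirect(): RedirectResponse
    {
        return Socialite::driver('auth0')->redirect();
    }

    // Step 2: Auth0 redirects back with a code; Socialite exchanges it
    // for tokens and fetches the profile.
    public function callback(): RedirectResponse
    {
        $auth0User = Socialite::driver('auth0')->user();
        $email = $auth0User->getEmail();

        // Raw claims from Auth0 (Socialite exposes them in the ->user array).
        // Added check: only link a local account by email when Auth0
        // reports the address as verified.
        $claims = $auth0User->user ?? [];
        if ($email === null || empty($claims['email_verified'])) {
            abort(403, 'Auth0 must report a verified email address.');
        }
        // Find the local user by email, or create one. The password is a
        // random value nobody knows, since Auth0 owns the credential.
        $user = User::firstOrCreate(
            ['email' => $email],
            [
                'name' => $auth0User->getName() ?? $email,
                'password' => bcrypt(Str::random(64)),
            ]
        );

        Auth::login($user);
        request()->session()->regenerate(); // rotate the session id

        return redirect()->intended('/dashboard');
    }
}
```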
This was working well. However, we spotted a fairly minor issue: if we went to log out, it redirected to Auth0's Universal Logout, and if we then decided we didn't want to log out after all, it returned us to the application logged out of Laravel but still technically logged into the Auth0 browser session.
My immediate thought here was to introduce an additional logout route: one that would handle the redirect to Auth0 Universal Logout, and a second that would be the redirect_uri that handled the logout.
This didn't work though, because that redirect_uri was always the destination for any action taken on the Auth0 Universal Logout page, whether the logout was confirmed or cancelled.
I think that this is something that needs to change in Auth0 fundamentally. If I click Cancel at that point of Universal Logout, it should just take me back, or at least give the option of passing two params: one for a successful logout and one for a cancelled logout.
Back to the drawing board.
After we released the app MVP, Auth0 released a newer version of their PHP SDK.
I've introduced an
and finally a
This approach is certainly much simpler and a little more obvious as to what's going on. Removing Auth0 Universal Logout from the equation seems to make life easier.
I think one of the guys I'm working with summed up Auth0 for me:
“It’s like the docs think they have an easy to use API, but when you go to do something you have to jump a million hoops.”
Not gonna lie, documentation is hard, so I'm not going to throw Auth0 under the bus for it.
It is telling, though, that most of the Auth0 examples are for client-side apps interacting with an API layer rather than more traditional server-side apps.
I wouldn't be rushing to throw away my general approach to authentication in Laravel in favour of Auth0, that's for sure.
This post is as much a note to future me if I ever get another Laravel project that requires Auth0 integration. I hope it helps you if you've stumbled into the 🐇 hole I did.