API returning "token algorithm not supported" #116
I'm sorry to hear that but thank you for the honest feedback. Did you have an issue with the quickstarts (web app or backend)? I'd be glad to hear how we can do better getting you and others up and running.
Can you tell me a little more about what you're trying to accomplish here? Is this for external services to retrieve this information? If it's for the user themselves, the Laravel (or PHP) session should suffice to give you what you need.
This means that the ID token you're using has a different algorithm than the verifier was given. What is

```php
return array(
    // ...
    'authorized_issuers' => [ 'https://' . env( 'AUTH0_DOMAIN' ) . '/' ],
    'api_identifier'     => 'https://quickstarts/api',
    'supported_algs'     => [ 'RS256' ],
    // ...
);
```

I see that some of that is not mentioned in the quickstart and it should be, so I'll make sure that's taken care of. Let me know if the above addresses your issue or not.
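As an added illustration of the check behind the error in the title (this is example code, not the laravel-auth0 package's own implementation), the snippet below reads the `alg` header of a JWT and rejects anything not listed in a `supported_algs` allowlist, mirroring the config key above. The tokens are constructed inline with placeholder payload and signature segments, since only the header matters for this step.

```php
<?php
// Added example, not the package's code: the algorithm allowlist check that a
// verifier runs before doing any signature work. A token whose header names an
// algorithm outside 'supported_algs' (including "none") is rejected outright.

function base64UrlDecode(string $data): string
{
    $remainder = strlen($data) % 4;
    if ($remainder !== 0) {
        $data .= str_repeat('=', 4 - $remainder);
    }
    return base64_decode(strtr($data, '-_', '+/'), true) ?: '';
}

function checkTokenAlgorithm(string $jwt, array $supportedAlgs): string
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Malformed token: expected three segments');
    }
    $header = json_decode(base64UrlDecode($parts[0]), true);
    if (!is_array($header) || !isset($header['alg']) || !is_string($header['alg'])) {
        throw new InvalidArgumentException('Malformed token: missing alg header');
    }
    // Exact, case-sensitive match against the configured allowlist; the
    // token is never allowed to pick the algorithm on its own.
    if (!in_array($header['alg'], $supportedAlgs, true)) {
        throw new RuntimeException(sprintf(
            'token algorithm not supported: token uses %s, verifier allows [%s]',
            $header['alg'],
            implode(', ', $supportedAlgs)
        ));
    }
    return $header['alg'];
}

// Constructed sample headers; same allowlist as the 'supported_algs' config above.
$supportedAlgs = ['RS256'];
$rs256Header = rtrim(strtr(base64_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])), '+/', '-_'), '=');
$hs256Header = rtrim(strtr(base64_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT'])), '+/', '-_'), '=');

// Accepted: header algorithm is in the allowlist.
echo checkTokenAlgorithm("$rs256Header.payload.sig", $supportedAlgs), PHP_EOL;

// Rejected: header algorithm differs from what the verifier was configured with.
try {
    checkTokenAlgorithm("$hs256Header.payload.sig", $supportedAlgs);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```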
Hey Josh, thanks for the reply!
This API is meant to be for users themselves (who will be consuming the API through a simple companion desktop app). I also thought that using the "auth" or "auth:api" middlewares might suffice here, but when trying those my postman requests from step 2. above just get kicked to my hosted auth0 login page. So, is using the backend tutorial with password_grant the right approach here? After setting the config options you mentioned above (with api_identifier set to 'https://myname.auth0.com/api/v2/' (same value as the AUTH0_AUDIENCE in my .env), I now receive error:
EDIT: it seems that this is all related to inconsistencies in the /Repositories/CustomUserRepository.php code. If I use the provided code from the backend quickstart, the API actually works as expected! However if I use the code from the Laravel login quickstart, I receive the error above. It seems very strange to me that these quickstarts wouldn't be compatible with one another (one more example of this: one quickstart references 'auth0id', the other 'sub' as user identifier)... definitely frustrating. I'll post both files here for reference and perhaps you're able to combine them into a version that works for both regular login and API request? It would be much appreciated!

CustomUserRepository.php_working_for_normal_login_from_login_quickstart.txt
There are definitely some confusing aspects in that API quickstart, I'm seeing more as we discuss this! I'll get that updated ASAP and walk through both of them to make sure they're accurate.

In the meantime ... the API quickstart is for machine-to-machine interactions, not specific users who want to consume an API. The access token you get from Auth0 requires having the client secret for your application, something you definitely don't want to be distributing with a desktop application. It's also not tied to a user, it's tied to the "machine" requesting it. The regular web app and API are totally different use cases so while they share the same packages, their use is, more or less, unrelated.

So, in your case, if I understand what you're doing correctly, you'll need them to authenticate with your application, then use the cookie they get back to pull the information they need. If you're just in the web app (login with Auth, redirected back to the app, set the session), then you would use the same session check on the API as you would with a page you're serving.

In the case of your desktop app, though, you can't share that same browser session with the native application so you'll need to authenticate in the application itself. That's covered in concept here: https://auth0.com/docs/flows/concepts/mobile-login-flow

Nothing there will be specific to Laravel, it will need to be done in the native app's platform (we have SDKs for some of those platforms). The user can authenticate with the same credentials but you'll have a separate Application in Auth0 for the native app. If you can use browser-based authentication (I'm not familiar with native app development) then you can take advantage of SSO and not have to authenticate again. When the auth is complete, you'll receive an access token which can be sent to your Laravel app, verified against the

Hope this helps!
Josh, thank you for this very insightful writeup - it's definitely cleared up confusion on my end. I see now that separate API auth with JWT wouldn't even be needed in this case, just the regular auth middleware will suffice and the platform-specific auth0 integration will take care of auth. Implementing the "auth" middleware on a simple /api/test API route, I'm receiving {"error":"Unauthenticated."} for some reason, even though I'm logged into my app on all web routes. Any idea why this could be?
Sorry @joshcanhelp to keep bumping this, but any idea why the API routes only would be unauthenticated? Edit: have opened a separate issue for this: #117.
First, apologies for opening multiple issues here, as I attempt to integrate auth0 into my laravel app. The process has been far from intuitive, but I do believe the end result will be worth it.
I've got user authentication working perfectly in my app (signup, login, logout), and would now like to set up a simple API to retrieve a logged-in user's information stored in my app's database. I've followed the Quickstart Laravel API tutorial to implement the "jwt" middleware on my /api/private/userinfo route:
I'm stuck on this 2nd step as it always returns:
The token looks fine, so I'm really not sure what I'm doing wrong - please advise?