OnLogin callback question

[tomwurzbach]

Great and straightforward library -- thanks. Q re: callback:

The Auth0Service exposes three functions in support of a callback on login (called by the Auth0Controller). When does an application call onLogin to set up the callback? Do you typically see it in the boot section of the AuthServiceProvider or LoginServiceProvider? I can't come up with a way that doesn't seem like a kludge.

Thank you.

[joshcanhelp]

@tomwurzbach - glad it's helpful and thank you for the feedback! Sorry for the delayed response here, I didn't get/see the notification.

I guess my main question is ... is this a part of custom functionality or are you just looking to get up and running? Our quickstart guide walks you through how to get everything wired up and start processing logins.

If you want to do additional processing on login, which it sounds like you do, my inclination is to put that in app/Providers/AuthServiceProvider.php rather than vendor/auth0/login/src/Auth0/Login/LoginServiceProvider.php since anything in the vendor folder will get over-written with an update. You could change config/app.php to point to a custom provider but then you wouldn't be getting any updates made to LoginServiceProvider.php.

I think this could definitely benefit from an example in this repo ... happy to accept a PR if you come up with something you like or will assign it to myself and handle as soon as I'm able.

Thanks!

[jamesmehorter]

I also needed to run some custom code after a user successfully logged in. My solution was to update the Auth0Service instance in the Laravel IoC so that it calls my callback after logging the user in.

I added the following to My Project\App\Providers\AuthServiceProvider.php:boot() but I'm sure it could go elsewhere, and/or call a class/method instead of a closure (this was just my dummy proof-of-concept)

$this->app->extend(\Auth0\LoginAuth0Service::class, function ($service, $app) {
    $service->onLogin(function ($user) {
        print_r($user);
        // add custom logic here
    });

    return $service;
});

This works by defining a callback here: https://github.com/auth0/laravel-auth0/blob/master/src/Auth0/Login/Auth0Service.php#L130 which is then executed here: https://github.com/auth0/laravel-auth0/blob/master/src/controllers/Auth0Controller.php#L45

[jamesmehorter]

FYI, there seems to be a bit of a bug in the Auth0 package around this functionality. I was attempting to extract some additional claims from the user's JWT and store them within the same user object, e.g. RBAC permission claims which could be used by Laravel middleware/SessionGuard::macro().

The onLogin callback allows returning the $user, I would presume this is meant to allow updating the user object which is stored in the SessionGuard. However, the Auth0 service calls the Auth0 SDK's setUser() BEFORE calling the onLogin callback. (see here: https://github.com/auth0/auth0-PHP/blob/master/src/Auth0.php#L580) so if you updated $user in the callback, then later call auth()->user() your updates will not be present.

Just know that the $user in the onLogin callback cannot be updated. This onLogin callback is essentially ONLY an "event" which you can subscribe to.

Ideally the Auth0Service.php:callOnLogin() would be updated to something like:

/**
 * @param $auth0User
 *
 * @return mixed
 */
public function callOnLogin($auth0User)
{
    $user = call_user_func($this->_onLoginCb, $auth0User);
    
    // Store the updated user object
    $this->getSDK()->setUser($user);
    
    return $user;
}

Until that's improved I'm grabbing the RBAC permissions from the access token each time they are needed, e.g.

// define a Auth helper
SessionGuard::macro('getUserPermissions', function () {
    return self::check() ?
        collect(Auth0::decodeJWT(self::user()->getAuthPassword())->permissions ?? []) :
        collect([]);
});

// use the Auth helper in a Gate
Gate::define('some-auth0-permission', function () {
    return Auth::hasUserPermission('some-auth0-permission');
});

// route
Route::middleware('can:some-auth0-permission')
    ->get('/my-route', function () {
        // business logic
    });

[evansims]

Thanks @jamesmehorter! Solid suggestion there, I agree that allowing the user to be updated from the callback makes perfect sense. I'll try to get a PR open to add that yet this week, or if you have a moment to open one before then feel free!