Cannot renew tokens, the SDK is not exposed #268

Closed
chrisk-7777 opened this issue Mar 15, 2022 · 4 comments
Comments

@chrisk-7777

SDK Version

6.5

PHP Version

PHP 8.1

Composer Version

2.x

What happened?

Currently, as far as I can see, it's impossible using the laravel-auth0 library to renew tokens.

Primary question
How do I issue a renew token request via laravel-auth0?

Notes:

I can access the refresh token
I have offline_access as a scope, and it's enabled in the API
I can login/register
I can access the access token and correctly validate it

I’ve gone through all the source code, line by line, trying to figure this out.

The only way I can do it is by modifying the source (obviously not a solution).

In vendor/auth0/login/src/Auth0/Login/Auth0Service.php
If I add the following function, it works.

    // Expose the underlying Auth0-PHP SDK's refresh-token grant through the
    // Laravel service, so app('auth0')->renewTokens() works.
    public function renewTokens()
    {
        return $this->getSDK()->renewTokens();
    }

The alternative would be to construct a new SDK (new Auth0($config)), but I feel like a) that is a lot of duplicated code and b) it is fragile, making sure the two are in sync.
I'm also not confident that would work, as the whole provider is wrapped in a singleton, so creating a second seems to break that abstraction.

There is a beta (non production) version of the laravel lib, which does expose the SDK:
https://github.dev/auth0/laravel-auth0/tree/main/src

The beta in general looks like it's doing a lot more than 6.5, but it can't be used because it's not production ready.

I’m a little surprised people haven’t hit this before? Renewing tokens would be pretty common? Unless I’m missing something painfully obvious…

How can we reproduce this issue?

Try to renew a token with app('auth0')->renewTokens()

Additional context

No response

@evansims (Member)

Hi @chrisk-7777 👋 Sorry for the trouble, but you are correct: we do not directly expose a token renewal method through the Laravel SDK. As you mentioned, the underlying SDK does support it, but we do not provide a means of using the SDK singleton instantiated by the Laravel SDK itself.

The approach you mentioned will work, or instantiating a separate instance of the SDK (although there is potential for race conditions under certain circumstances there).

If you have the option, I would recommend working with the current beta release which addresses this, as that version will be going to general availability next week anyway.

@chrisk-7777 (Author) commented Mar 15, 2022

Thanks for the quick reply @evansims . At least I'm not going crazy! 🙃

Can I quickly ask:

Every single Auth0 guide I've been through for PHP/Laravel doesn't mention validating the token at all.
Tutorials such as:

I ended up coming to a pattern by digging through the source code in Lcobucci\JWT and looking at the beta version of this lib.

Is it correct to say that the current laravel-auth0 lib (6.5) expects the consuming app to self-validate the current token for expiry? And if it throws, the app should attempt to renew the token via the options you mention.

I guess my concern is that I am misunderstanding something. Validating the token seems like a critical part of the auth flow, but it's not mentioned in the guides and it isn't available in the current version of the lib (6.5). Am I overthinking? Is 6.5 doing the token validation in the background and doing the exchange/renew?

@evansims (Member)

No problem! This stuff is confusing, and I don't blame anyone for having questions! 😆

So, token validation happens within the underlying SDK during the exchange, or in the case of a stateless app, during the decoding of the provided token. In Laravel SDK 6 (and therefore Auth0-PHP SDK 7) that's triggered here: https://github.com/auth0/auth0-PHP/blob/e040ce552cb6626557e806bed02e2a8f0666984b/src/Auth0.php#L694

The token expiration claim is checked at the time the token is analyzed; so in stateless applications, this will always be validated and can be trusted to not be expired (it will throw an InvalidToken exception if the claim check fails).

However, in a stateful application (using persistent cookies/sessions), you will want to check if the stored token has expired upon each request. This was not handled automatically in the previous version of the Laravel SDK, and had to be handled by the developer's application logic. This is handled automatically in the to-be-released version, v7.
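Putting the two comments above together for a stateful laravel-auth0 6.x app, here is an added example (not code from laravel-auth0 or auth0-PHP) of a Laravel middleware that checks the stored access token's exp claim on every request and, when it is expired or about to expire, renews via the refresh token. It assumes the public renewTokens() wrapper posted earlier in this issue has been added to Auth0Service, that Auth0Service::getUser() returns an array with an 'accessToken' key (as it does in 6.x) and has a logout() method, and that a route named 'login' exists; the class name and the 60-second leeway are illustrative choices, not project conventions.

```php
<?php
// Added example, not part of laravel-auth0: middleware for a stateful app that
// keeps the stored Auth0 access token fresh. The SDK already validated the
// token (signature, issuer, audience, exp) at exchange time; this only decides
// whether the stored copy is still fresh, so it reads "exp" without verifying
// the signature again. Assumes app('auth0')->renewTokens() (the wrapper from
// the issue), getUser() returning ['profile' => ..., 'accessToken' => ...],
// and logout(); a route named 'login' is assumed too.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RefreshExpiredAuth0Token
{
    // Renew this many seconds before expiry so a request does not start with a
    // token that expires while the request is in flight (assumed value).
    private const LEEWAY_SECONDS = 60;

    /**
     * Return the "exp" claim (Unix seconds) of a JWT, or null when the token is
     * opaque (not three base64url segments), the payload is not JSON, or there
     * is no integer "exp". Opaque access tokens (no audience configured) cannot
     * be inspected locally, so the caller treats null as "unknown", not "expired".
     */
    public static function expiryOf(string $jwt): ?int
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return null;
        }
        // base64url -> base64; strict mode rejects stray characters.
        $json = base64_decode(strtr($parts[1], '-_', '+/'), true);
        if ($json === false) {
            return null;
        }
        $claims = json_decode($json, true);
        if (!is_array($claims) || !isset($claims['exp']) || !is_int($claims['exp'])) {
            return null;
        }
        return $claims['exp'];
    }

    /** True when the token expires within $leeway seconds of $now (or already has). */
    public static function needsRenewal(string $jwt, int $now, int $leeway = self::LEEWAY_SECONDS): bool
    {
        $exp = self::expiryOf($jwt);
        return $exp !== null && ($exp - $now) <= $leeway;
    }

    public function handle(Request $request, Closure $next)
    {
        $auth0 = app('auth0');            // laravel-auth0 6.x Auth0Service singleton
        $session = $auth0->getUser();     // assumed shape: ['profile' => ..., 'accessToken' => ...]

        if ($session === null || empty($session['accessToken'])) {
            return $next($request);       // not logged in; nothing to renew
        }

        if (self::needsRenewal((string) $session['accessToken'], time())) {
            try {
                // Uses the refresh token the SDK stored at login; requires the
                // offline_access scope. On success the SDK stores the new tokens.
                $auth0->renewTokens();
            } catch (\Throwable $e) {
                // No refresh token, revoked grant, or network failure: do not
                // continue the session on an expired token; force a new login.
                $auth0->logout();
                return redirect()->route('login');   // assumed route name
            }
        }

        return $next($request);
    }
}
```

Register the middleware on the web routes that require a live session. If the access token is opaque (no API audience), expiryOf() returns null and nothing is renewed on the exp path; in that case track the expiry from the token response at login instead. Note that renewing on each request from several concurrent requests is exactly the race the maintainer warned about, so serialise renewal (for example with a cache lock keyed on the session) if your app fires parallel requests.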

@chrisk-7777 (Author)

OK great, that sounds aligned with my approach; in my case, it's a stateful app.
So as of 6.5 it is expected to be handled by the developer's application logic.

Thanks for the extra information there, it makes a lot of sense.

Looking forward to v7, sounds like it will do a lot of the heavy lifting - cheers 👍

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 25, 2022