Cannot renew tokens, the SDK is not exposed #268
Comments
Hi @chrisk-7777 👋 Sorry for the trouble, but you are correct: we do not directly expose a token renewal method through the Laravel SDK. As you mentioned, the underlying SDK does support it, but we do not provide a means of using the instantiated SDK singleton used by the Laravel SDK itself. The approach you mentioned will work, or instantiating a separate instance of the SDK (although there is potential for race conditions under certain circumstances there). If you have the option, I would recommend working with the current beta release, which addresses this, as that version will be going to general availability next week anyway.
Thanks for the quick reply @evansims. At least I'm not going crazy! 🙃 Can I quickly ask: in every single auth0 guide I've been through for php/laravel, they don't mention validating the token at all.
I ended up coming to a pattern by digging through the source code in
Is it correct to say that the current laravel auth0 lib (6.5) expects the consuming app to self-validate the current token for expiry? And if it throws, the app should attempt to renew the token via the options you mention. I guess my concern is that I am misunderstanding something. Validating the token seems like a critical, key part of the auth flow, but it's not mentioned in the guides and it isn't available in the current version of the lib (6.5). Am I overthinking? Is 6.5 doing the token validation in the background and doing the exchange/renew?
No problem! This stuff is confusing, and I don't blame anyone for having questions! 😆 So, token validation happens within the underlying SDK during the exchange, or in the case of a stateless app, the decoding of the provided token. In Laravel SDK 6 (and therefore Auth0-PHP SDK 7) that's triggered here: https://github.com/auth0/auth0-PHP/blob/e040ce552cb6626557e806bed02e2a8f0666984b/src/Auth0.php#L694 The token expiration claim is checked at the time the token is analyzed; so in stateless applications, this will always be validated and can be trusted to not be expired (it will throw an InvalidToken exception if the claim check fails). However, in a stateful application (using persistent cookies/sessions), you will want to check if the stored token has expired upon each request. This was not handled in the previous version of the Laravel SDK automatically, and had to be handled by the developer's application logic. This is handled automatically in the to-be-released version, v7.
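As an added example (not code from the laravel-auth0 project or from either commenter), here is the per-request expiry check the reply above describes for a stateful app on laravel-auth0 6.5: a middleware that reads the `exp` claim of the token kept in the session and, when it is expired or about to expire, hands off to a renewal wrapper. The session key `auth0_access_token`, the `App\Services\Auth0Service::renewTokens()` wrapper and the middleware class name are assumptions.

```php
<?php
// Added example (not project code): per-request expiry check for a stateful app.
// Assumed: the access token sits in the session under 'auth0_access_token', and
// App\Services\Auth0Service::renewTokens() is a hypothetical app-level wrapper.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

final class EnsureAuth0TokenFresh
{
    /** Renew when fewer than this many seconds remain (covers clock skew). */
    private const LEEWAY_SECONDS = 60;

    /** Read the `exp` claim without verifying the signature: the SDK already
     *  validated the token at exchange time; we only check remaining lifetime. */
    public static function expiresAt(string $jwt): ?int
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return null;
        }
        $payload = base64_decode(strtr($parts[1], '-_', '+/'), true);
        $claims = $payload === false ? null : json_decode($payload, true);
        return is_array($claims) && isset($claims['exp']) && is_int($claims['exp'])
            ? $claims['exp']
            : null;
    }

    /** True when the token is missing, unparseable, expired or inside the leeway. */
    public static function needsRenewal(?string $jwt, int $now): bool
    {
        if ($jwt === null) {
            return true;
        }
        $exp = self::expiresAt($jwt);
        return $exp === null || $exp - self::LEEWAY_SECONDS <= $now;
    }

    public function handle(Request $request, Closure $next)
    {
        $token = $request->session()->get('auth0_access_token');
        if (self::needsRenewal($token, time())) {
            // laravel-auth0 6.5 exposes no renewal method, so this goes through
            // the app's own wrapper around the underlying SDK (hypothetical).
            app(\App\Services\Auth0Service::class)->renewTokens();
        }
        return $next($request);
    }
}
```

Register it in the `web` middleware group so every session-backed request runs the check before the controller sees the token.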
Ok great, that sounds aligned to my approach; in my case, it's a stateful app. Thanks for the extra information there, it makes a lot of sense. Looking forward to v7, sounds like it will do a lot of the heavy lifting - cheers 👍
SDK Version
6.5
PHP Version
PHP 8.1
Composer Version
2.x
What happened?
Currently, as far as I can see, it's impossible using the laravel-auth0 library to renew tokens.
Primary question
How do I issue a renew token request via laravel-auth0?
Notes:
I’ve gone through all the source code, line by line, trying to figure this out.
The only way I can do it is by modifying the source (obviously not a solution).
In vendor/auth0/login/src/Auth0/Login/Auth0Service.php
If I add the following function, it works.
The alternative would be to construct a new SDK (new Auth0($config)), but I feel like a) that is a lot of duplicated code and is b) fragile making sure the two are in sync.
I also am not confident that would work as the whole provider is wrapped in a singleton, so creating a second seems to break that abstraction.
There is a beta (non production) version of the laravel lib, which does expose the SDK:
https://github.dev/auth0/laravel-auth0/tree/main/src
The beta in general looks like it's doing a lot more than 6.5, but can't be used because it's not production ready.
I’m a little surprised people haven’t hit this before? Renewing tokens would be pretty common? Unless I’m missing something painfully obvious…
How can we reproduce this issue?
Try to renew a token with
app('auth0')->renewTokens()
Additional context
No response