Passing accessToken from frontend to PHP API #281

Closed
baj84 opened this issue Aug 16, 2018 · 3 comments
@baj84

baj84 commented Aug 16, 2018

Hey,

I've been trying to get authentication working (described below) in my laravel application, following these two tutorials:
https://auth0.com/docs/quickstart/webapp/laravel/01-login
https://auth0.com/docs/quickstart/backend/laravel/01-authorization

On the frontend (angular app):

  1. User clicks the log in button and is taken to the Auth0 login page
  2. The user logs in and is redirected back to the callback with the accessToken
  3. The access token is stored on the frontend and passed to Laravel API each request.

On the backend:

  1. User makes a request to my http://localhost/api/route passing the accessToken in the authorisation header
  2. Laravel validates the user is logged in and valid.
  3. Laravel allows access to that route

It works to an extent, but when I try to use Postman to access the protected route by passing the accessToken I get the error:

"message": "We can't trust on a token issued by: https://myprojectname.au.auth0.com/."

Is my workflow correct? What am I missing?

Thanks!

@joshcanhelp
Contributor

@baj84 - That means that the token you requested is not the token you're getting. The audience or aud on the token is not validating. Maybe you requested https://myprojectname.au.auth0.com/userinfo (which is correct) but you're trying to validate with https://myprojectname.au.auth0.com/ ?

@baj84
Author

baj84 commented Aug 22, 2018

Thanks! I fixed the issue by adding the audience parameter.

public function login()
{
    return \App::make('auth0')->login(null, null, ['scope' => 'openid profile email', 'audience' => config('laravel-auth0.audience')], 'code');
}

@joshcanhelp joshcanhelp added this to the 5.3.1 milestone Oct 31, 2018
@github-actions
Contributor

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 23, 2022
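
To see which claim is failing in a case like the one discussed in this thread, the token's `iss` and `aud` can be compared with what the API expects. This is an added example, not part of the original thread or the laravel-auth0 code: it decodes the payload without verifying the signature (diagnosis only), and the function names, the `https://api.example.test/` audience and the sample tokens are constructed for illustration.

```php
<?php
// Diagnostic only: reads claims WITHOUT verifying the signature; never use the
// result to authorize a request. All names and sample values are constructed.
function decodeJwtClaims(string $token): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null; // not a JWT, so there are no claims to inspect locally
    }
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore stripped padding
    $json = base64_decode($b64, true);
    $claims = $json === false ? null : json_decode($json, true);
    return is_array($claims) ? $claims : null;
}

function checkToken(string $token, string $expectedIss, string $expectedAud): array
{
    $claims = decodeJwtClaims($token);
    if ($claims === null) {
        return ['token is not a decodable JWT'];
    }
    $problems = [];
    if (($claims['iss'] ?? null) !== $expectedIss) {
        $problems[] = 'iss mismatch: ' . json_encode($claims['iss'] ?? null, JSON_UNESCAPED_SLASHES);
    }
    $aud = (array) ($claims['aud'] ?? []); // aud may be one string or a list
    if (!in_array($expectedAud, $aud, true)) {
        $problems[] = 'aud does not contain ' . $expectedAud . ', got ' . json_encode($aud, JSON_UNESCAPED_SLASHES);
    }
    return $problems;
}

// Builds an unsigned, constructed token for the demonstration below.
function makeSampleToken(array $claims): string
{
    $enc = fn(array $a): string => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
    return $enc(['alg' => 'RS256', 'typ' => 'JWT']) . '.' . $enc($claims) . '.sig';
}

$iss = 'https://myprojectname.au.auth0.com/';   // tenant domain from the thread
$apiAudience = 'https://api.example.test/';     // hypothetical API identifier
$samples = [
    'login without audience' => makeSampleToken(['iss' => $iss, 'aud' => $iss . 'userinfo']),
    'login with audience' => makeSampleToken(['iss' => $iss, 'aud' => [$apiAudience, $iss . 'userinfo']]),
];
foreach ($samples as $label => $token) {
    $problems = checkToken($token, $iss, $apiAudience);
    echo $label . ': ' . ($problems ? implode('; ', $problems) : 'iss and aud match') . PHP_EOL;
}
```

The first sample reports an `aud` mismatch and the second passes both checks; the API itself must still verify the signature with the SDK before trusting any claim.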