Hi,

From a quick look at the code it seems that the verifyanddecode process doesn't check the exp of the JWT ?

As I mentioned in this issue (over in PHP-JWT), I'm getting this exception triggered a lot when calling $auth0->getUser(). It first happened on my development machine and now on my web host:

Cannot handle token prior to 2016-01-15T14:44:28+1100

It appears to occur when the server's clock is a few seconds behind Auth0's. I resynced my local dev machine's clock and the message went away. I can't do that on a shared web hosting server though. :-(

My thoughts are that the time check should not be so strict that it requires an up-to-the-second time-synchronization.

Simon.

Any reason why logs management api is not covered?
I wish PHP client was on par with Node client.

Hello, i use auth0 api to create new user and get error:
"cURL error 60: SSL certificate problem: self signed certificate in certificate chain (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)",

How can i fix it! thank

Examples use outdated version of auth0-php library

After downloading this seed project, the readme file doesn't specify the path to get all the dependencies needed for the project in order to work properly. The existing text in the readme file in the 'Running this example' section is:

Running the example

In order to run the example you need to have composer and php installed.

You also need to set the ClientSecret, ClientId, Domain and Callback URL for your Auth0 app as environment variables with the following names respectively: AUTH0_CLIENT_SECRET, AUTH0_CLIENT_ID, AUTH0_DOMAIN and AUTH0_CALLBACK_URL.

For that, if you just create a file named .env in the directory and set the values like the following, the app will just work:

# .env file
AUTH0_CLIENT_SECRET=myCoolSecret
AUTH0_CLIENT_ID=myCoolClientId
AUTH0_DOMAIN=yourDomain.auth0.com
AUTH0_CALLBACK_URL=http://your.url/

Once you've set those 4 environment variables, just run the following to get the app started:

composer install
php -S localhost:3000

So I suggest to add the information existing in the tutorial which specify after the instalation of composer, to run the following command:

To install dependencies, run the following

composer require auth0/auth0-php:"~3.0"

Tutorial step 1. Add Needed dependencies

To install dependencies, run the following
composer require auth0/auth0-php:"~1.0"

but a recent release is available
https://github.com/auth0/auth0-PHP/releases

Package guzzle/guzzle is abandoned, you should avoid using it. Use guzzlehttp/guzzle instead.

After a successful log, how to I reveal the values of authParams? I can see the returned url contains the state parameter:

https://mydomain.net/public/login/?code=MKeyK8NNe5dijXW3&state=zRx4w7thku0XAqlN

However, state is encoded... I'm trying to make a callback url to the original location where the user came from.

function signin() {

    lock.show({
        callbackURL: AUTH0_CALLBACK_URL
      , icon: '/app/images/auth0-badge.png'
      , socialBigButtons: true
      , disableResetAction: true

      , authParams: {
        orig_callback_url: getParameterByName('callback_url')
      }

    });

}

this is for testing the channel integration

Relates to vlucas/phpdotenv in api example.

Hi,

Is there a way to fetch the refresh token from the request?

I can see it if I:

        private function exchangeCode(): ...
           var_dump($auth0_response);
           die();

I'd like to store this on the user (backend only) so I can renew their token if their session is about to expire.

As an enhancement, examples need to have logout button.

src/API/Management/Tickets.php

Method createPasswordChangeTicket, the apiClient post header is missing 'application/json', resulting in a invalid body error.

Also, the method should have a default value of null for $new_password, and should only get added to $body if not null, as the new password field is optional in the API.

Related to lines 41 and 42 at basic-webapp project. If i host this project like http://localhost/basic-webapp this files would be included from http://localhost/public/, not from http://localhost/basic-webapp/public/

Dependencies (such as jquery, vlucas/phpdotenv, bootstrap and font-awesome) in basic-webapp project is outdated.

The Auth0\SDK\Auth0JWT does not add custom payload to the generated JWT.

The following lines atAuth0JWT::encode:

<?php
// Auth0\SDK\Auth0JWT
if ($custom_payload) {
    $custom_payload = array_merge($custom_payload, $payload);
}

should be:

<?php
// Auth0\SDK\Auth0JWT
if ($custom_payload) {
    $payload = array_merge($custom_payload, $payload);
}

Is it correct or am I missing something?

The basic webapp example says this AUTH0_CLIENT_SECRET and AUTH0_CLIENT_ID, AUTH0_DOMAIN, AUTH0_CALLBACK_URL.

PHP Fatal error: Class 'Auth0\SDK\API\ApiUsers' not found in vendor/auth0/auth0-php/src/Auth0.php on line 256

using both 1.0 branch and master.

The seed is incomptaible with auth0-php3

PHP Fatal error: Class 'Auth0\SDK\Api\ApiUsers' not
found in ...\Main.php

When no id_token is received after the code exchange, the following error is thrown:

Invalid number of segments

This should be documented and have a better error message (e.g. "Missing JWT after code exchange. See auth0.com/docs/scopes for more details")

Hello,

When I'm trying to install the package I receive this error:

Problem 1
- auth0/auth0-php 1.0.6 requires firebase/php-jwt dev-master -> no matching package found.
- auth0/auth0-php 1.0.5 requires firebase/php-jwt dev-master -> no matching package found.
- auth0/auth0-php 1.0.4 requires firebase/php-jwt dev-master -> no matching package found.
- auth0/auth0-php 1.0.3 requires firebase/php-jwt dev-master -> no matching package found.
- auth0/auth0-php 1.0.2 requires firebase/php-jwt dev-master -> no matching package found.
- auth0/auth0-php 1.0.1 requires firebase/php-jwt dev-master -> no matching package found.
- auth0/auth0-php 1.0.0 requires firebase/php-jwt dev-master -> no matching package found.
- Installation request for auth0/auth0-php ~1.0 -> satisfiable by auth0/auth0-php[1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6].

This seems related with googlearchive/firebase-token-generator-php#15

I'm following the instructions from the quickstart.

I'm testing basic-webapp am seeing the following console errors:

SyntaxError: Unexpected token '<'            10122*****klab.appsgoogleusercontent.com.js:1

it's just not working... any ideas?

When I try to get the user_metadata it will throw a error since the user's meta data is not set by default. #107

$Auth0 = new Auth0\SDK\Auth0(
// options
);
$app['Auth0']->getUserMetadata();

This causes:

ContextErrorException in Oauth2Client.php line 333:
Notice: Undefined index: user_metadata

This can easily be solved by returning a empty array or NULL if no metadata is set.

I noticed the following methods in Auth0.php, but no method to update AppMetadata for the user.

updateUserMetadata($metadata)
getUserMetadata()
getAppMetadata()

Any reason for this? Is there a way to set app metadata in the version on composer?

JWTVerifier is throwing the exception "The client_secret is mandatory when accepting HS256 signed tokens".

This is despite the fact I am initialising it as below for RS256 only.

$validatorConfig=[];
$validatorConfig['guzzle_options']=['curl'=>[\CURLOPT_IPRESOLVE =>\CURL_IPRESOLVE_V4]];
$validatorConfig['suported_algs']=['RS256'];
$validatorConfig['valid_audiences']=['xxxxxxxxxxxxxxxxxxxxxxxxxx'];
$validatorConfig['authorized_iss']=['https://example.eu.auth0.com/'];
$validator=new \Auth0\SDK\JWTVerifier($validatorConfig);
$validator->verifyAndDecode($token);

It appears the namespace of the JWT class from the firebase/php-jwt has changed and therefore the usage in the Auth0 SDK no longer works.

Hi there,

Understandably this might be more of an Auth0 issue rather than the PHP SDK issue, but I'm wondering how we can get the primary users JWT after login?

e.g.

1. User registers using Facebook
2. User signs out
3. User comes back and registers with Google

How do we obtain the token of the Facebook account when the user logs in with a secondary account? We require this token so we can continue to make authenticated API calls to the users initial (primary) account.

In the composer file, it requires PHP 5.3+, I think that's misleading because it's not going to run under 5.3 due to at least one dependency, Guzzle.

I have found an issue using custom session storage. I am unable to successfully get a user from Auth0 because the exchangeCode() method is never being called.

I think I have narrowed this down to a combination of line 198 and line 276 in the Auth0.php file.

Line 198:

$this->user = $this->store->get("user");

When a key is returned from my session storage and there was nothing stored against that key, I get the value null. This is then assigned to $this->user.

On line 276 the following check is made:

if ($this->user === false) {
        $this->exchangeCode();
}

Seeing as the user variable is set to null and not false this method is never called and I get returned false for my user.

I have resolved this by changing the check to:

if (!$this->user) {
        $this->exchangeCode();
}

Which is allowing me to get the user.

Hello,

The current library is using an old version of the firebase/php-jwt library, which is now out of date. Can you update your software to use the current version (v3.0)?

Here is output from composer that shows the problem when I try to include the "firebase/php-jwt":"~3.0":

$ ./composer.phar update
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

Problem 1
- Installation request for auth0/auth0-php ~2.0 -> satisfiable by auth0/auth0-php[2.0.0].
- auth0/auth0-php 2.0.0 requires firebase/php-jwt ~2.2 -> no matching package found.

Potential causes:

• A typo in the package name
• The package is not available in a stable-enough version according to your minimum-stability setting
  see https://groups.google.com/d/topic/composer-dev/_g3ASeIFlrc/discussion for more details.

Read https://getcomposer.org/doc/articles/troubleshooting.md for further common problems.

Does this SDK support making calls to /tokeninfo with a user's JWT token?

I can't find support for either of the User profile endpoints in this SDK

Would be helpful to show the full response/status from Auth0 here: https://github.com/auth0/auth0-PHP/blob/master/src/Auth0.php#L246-L248. If there's a misconfiguration such as wrong client secret, redirect URI, etc. retrying the login won't help.

Looks like someone was working on RS256 signing, and didn't get around to finish it. :P

• A self method is called here, but the method does not exist. It appears to be deprecated, in favor it Auth0\SDK\Helpers\JWKFetcher@fetchKeys().
• There's an added slash here

The application I'm working on is using several packages using guzzle 6, which means I cannot require this package.

Hi,
We're trying to build a small management admin dashboard for our Auth0 setup, and we want to give rights to our admins in this app to create new users and update existing user data.

We've generated the token in the API v2 section, but it's not clear on how to use this token with the Auth0 PHP SDK class.

Could you share some insight on the correct way to use this?

Thanks in advance.

Basic web app and some of the other examples in this repositories are using outdated versions of lock

For newcomers, it would be helpful to see the updated example for auth0/lock. Documentation states Auth0Widget is now deprecated in place of Lock.

This example project is currently using the deprecated module.

I receive this error when testing the seed project of PHP on Windows 7. Other people have received it aswell https://ask.auth0.com/t/error-logging-in-with-php-web-app-tutorial/1118/2 and https://ask.auth0.com/t/getting-error-some-time-while-login-or-creating-account-in-auth0/1399

See c203d45

When I make the following call for creating a User URL

$url = $this->generateUrl('api', '/users');

it returns https://company.auth0.com/apiusers

The problem seems to be the '/' removing part of this function

final protected function generateUrl($domain_key, $path = '/') 
{
    $base_domain = self::$URL_MAP[$domain_key];
    $base_domain = str_replace('{domain}', $this->domain, $base_domain);

    if ($path[0] === '/') {
        $path = substr($path, 1);
    }

    return $base_domain.$path;
}

There's two easy ways to fix this issue:

1. Remove the if ($path[0] ==='/') {...etc lines from the function OR
2. In $URL_MAP add a '/' character to the end of each url. So turn

public static $URL_MAP = array( 'api' => 'https://{domain}/api', 'authorize' => 'https://{domain}/authorize', 'token' => 'https://{domain}/oauth/token', 'user_info' => 'https://{domain}/userinfo', );

into

public static $URL_MAP = array( 'api' => 'https://{domain}/api/', 'authorize' => 'https://{domain}/authorize/', 'token' => 'https://{domain}/oauth/token/', 'user_info' => 'https://{domain}/userinfo/', );

There is no easy way to specify GuzzleHttp config options, e.g. proxy server to be used.

The basic webapp example uses getUserInfo which according to the documentation is deprecated and should be updated to getUser

Hi,

Please can you add a way to enable "CURL_IPRESOLVE_V4" as a custom cURL option in Guzzle ? (http://docs.guzzlephp.org/en/latest/faq.html#how-can-i-add-custom-curl-options)

Calling auth0 on my system takes an eternity, and the correct way to solve this is setting CURL_IPRESOLVE_V4 in PHP cURL.

Hi,

I've seen that in your dependencies list you have them defined as:

"require": {
    "php": ">=5.3.0",
    "guzzlehttp/guzzle": "~5.0",
    "ext-json": "*",
    "adoy/oauth2": "dev-master",
    "firebase/php-jwt" : "~2.2"
  },

The "adoy/oauth2" component has stable version 1.2.0: https://packagist.org/packages/adoy/oauth2

Is it there any reason to use the "dev-master" instead the stable version?

As you may know rely on development dependencies makes your software so fragile and it can break at any time after a "composer update" execution.

My suggestion is to update this component version to: "adoy/oauth2": "~1.2"

Regards,

Following only the tutorial in the step 2 I get the error
Fatal error: Class 'Auth0\SDK\Auth0' not found

The tutorial should have before the include of the class file.

I've a question about authorize_with_ro in Auth0AuthApi.

Surely the device parameter should be outside of "if ($id_token !== null)" ?

I don't see what purpose $id_token fulfills ? Also, testing with https://auth0.com/docs/api/authentication#!#post--oauth-ro, the id_toke parameter is not required when using offline_access and device.