Laravel Auth0未经授权的用户

Question

My application is a single page app using Angular 1.x on the client side and Laravel 5.3 for my server/api. I easily managed to make the Auth0 authentication working on my client side (angular) and it successfully generates a token. Moving to my api (laravel), unfortunately I can't access any routes that is protected by the auth0.jwt middleware even though the Authorization header is present. Its response is a simple text that says Unauthorized user .

I'm using Chrome postman to test out the routes on my api.

I tried to trace down the function that is responsible for the response by checking the vendor\\auth0\\login\\src\\Auth0\\Login\\Middleware\\Auth0JWTMiddleware.php and found out that the CoreException is being thrown.

Here's the handle method of the Auth0JWTMIddleware:

/**
     * @param $request
     * @param \Closure $next
     *
     * @return mixed
     */
    public function handle($request, \Closure $next)
    {
        $auth0 = \App::make('auth0');

        $token = $this->getToken($request);

        if (!$this->validateToken($token)) {
            return \Response::make('Unauthorized user', 401);
        }

        if ($token) {
            try {
                $jwtUser = $auth0->decodeJWT($token);
            } catch (CoreException $e) {
                return \Response::make('Unauthorized user', 401);
            } catch (InvalidTokenException $e) {
                return \Response::make('Unauthorized user', 401);
            }

            // if it does not represent a valid user, return a HTTP 401
            $user = $this->userRepository->getUserByDecodedJWT($jwtUser);

            if (!$user) {
                return \Response::make('Unauthorized user', 401);
            }

            // lets log the user in so it is accessible
            \Auth::login($user);
        }

        // continue the execution
        return $next($request);
    }

My suspect is that the token that generates from Auth0 has newer algorithm or something and the Laravel Auth0 package doesn't already supports it.

I followed exactly the documentation provided by Auth0 and I also cloned their sample projects just to make sure the configurations are correct but unfortunately it doesn't work also. Any thoughts or ideas on how can I solve my issue? Thanks in advance!

Answer 1

I had the same problem. There were 2 things I had to change in order to resolve. Credit to @Kangoo13 for the first suggestion:

1; Check that in your config/laravel-auth0.php file that secret_base64_encoded = false. You will notice in your Auth0 dashboard next to your key it states "The client secret is not base64 encoded"

 'secret_base64_encoded'  => false,

2; in the same config file, Check that 'supported' has the correct spelling. It would appear someone has incorrectly typed "suported", if you've just applied the default config file after running composer then chances are this is wrong!

Looking in JWTVerifier.php it does appear to cater for the misspelled key but it will default to 'HS256', Auth0 guide explicitly states you should be using 'RS256:

 'supported_algs'        => ['RS256'],

Hope that helps!

Answer 2

I read the suported_algs issue above but skim read it and missed the fact you have to correct the spelling for it to work, spent an extra day trying to figure it out before re-reading. Hopefully next person to read it sees this and doesn't miss the spelling issue! Thanks @user1286856