What prevents the Auth0 authorization in this Laravel 8 API?

Question

I am working on a Laravel 8 API. I use Auth0 for user registration and login.

I need the user's id returned by Auth0 to use in my own application.

For this purpose I have the code:

In routes\api.php :

// Public routes
Route::get('/authorize', [AuthController::class, 'authorize']);

// Protected routes
Route::group(['middleware' => ['jwt']], function () {
  Route::get('/user-profile', [UserController::class, 'getUserId']);
  // More routes
});

In the AuthController :

namespace App\Http\Controllers;
use App\Http\Controllers\AuthController;
// More code

class AuthController extends Controller {
    protected $appDomain;
    protected $appClientId;
    protected $appClientSecret;
    protected $appAudience;
    
    public function authorize(){

        $this->appDomain = 'https://' . config('laravel-auth0.domain');
        $this->appClientId = config('laravel-auth0.client_id');
        $this->appClientSecret = config('laravel-auth0.client_secret');
        $this->appAudience = config('laravel-auth0.api_identifier');

        $curl = curl_init();

        curl_setopt_array($curl, array(
            CURLOPT_URL => "$this->appDomain/oauth/token",
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => "",
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_TIMEOUT => 30,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => "POST",
            CURLOPT_POSTFIELDS => "{\"client_id\":\"$this->appClientId\",\"client_secret\":\"$this->appClientSecret\",\"audience\":\"$this->appAudience\",\"grant_type\":\"client_credentials\"}",
            CURLOPT_HTTPHEADER => array(
                "content-type: application/json"
            ),
        ));

        $response = curl_exec($curl);
        $err = curl_error($curl);

        curl_close($curl);

        if ($err) {
            return "cURL Error #:" . $err;
        } else {
            return $response;
        }
    }
}

In the UserController :

class UserController extends AuthController {
    // More code
    public function getUserId(){

        // Do authorization
        parent::authorize();

        $curl = curl_init();

        curl_setopt_array($curl, array(
            CURLOPT_URL => "$this->appDomain/userinfo",
            CURLOPT_HTTPHEADER => array(
                "content-type: application/json"
            ),
        ));

        $response = curl_exec($curl);
        $err = curl_error($curl);

        curl_close($curl);

        if ($err) {
            return "cURL Error #:" . $err;
        } else {
            return $response;
        }
    }

    // More code
}

The problem

When I access the /user-profile route, Potman throws an Unauthorized response.

This happend despite the fact that the /authorize route does return the token:

{"access_token":"somerandom.longtoken","scope":"read:users update:users delete:users","expires_in":86400,"token_type":"Bearer"}

Question

Where is my mistake?

UPDATE

Folowing the answer from @IProSoft, in the UserController I have:

public function getUserId(){

    $access_token = parent::authorization()->access_token;

    $client = new \GuzzleHttp\Client;
        try {
                $client = new \GuzzleHttp\Client(['headers' => [
                        'authorization' => 'Bearer' . $access_token,
                        'content-type' => 'application/json'
                ]]);
                
                $response = $client->request('GET', $this->appDomain . '/userinfo');

                $response = json_decode($response->getBody());
        }
        catch (\GuzzleHttp\Exception\ClientException $e) {
                $response = $e->getResponse();
        }

        return  $response;
}

I get this error in Postman:

Error: Class 'Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory' not found in \vendor\laravel\framework\src\Illuminate\Routing\Router.php 

What causes this error?

Answer 1

This code is only for show You the way, not checked etc.

First thing install and learn Guzzle

composer require guzzlehttp/guzzle:^7.0

In authorize method You can change everything to:

$client = new GuzzleHttp\Client;
try {
    $client = new \GuzzleHttp\Client();
    $response = $client->request('POST', $this->appDomain . '/oauth/token', [
        'form_params' => [
            {
                "client_id":        $this->appClientId,
                "client_secret":    $this->appClientSecret,
                "audience":         $this->appAudience,
                "grant_type":       "client_credentials"
            }
        ]
    ]);

    $response = json_decode($response->getBody());
}
catch (GuzzleHttp\Exception\ClientException $e) {
    $response = $e->getResponse();
}

return $response;

Second: If you want get user id, You must pass Barer token in request

$client = new GuzzleHttp\Client;
try {
    $client = new \GuzzleHttp\Client('headers' => [
        'authorization' => 'Bearer ACCESS_TOKEN'
        'content-type' => 'application/json'
    ]]);
    $response = $client->request('GET', $this->appDomain . '/userinfo');

    $response = json_decode($response->getBody());
}
catch (GuzzleHttp\Exception\ClientException $e) {
    $response = $e->getResponse();
}

You don't have to reinvent the wheel:-) There is a ready library that you could use and all info can be found here: https://auth0.com/docs/quickstart/webapp/laravel/01-login