auth0 user in symphony

How to Authorize Auth0 User In Symfony 4: A Step-by-Step Guide

Krishna Chaudhary
March 22, 2019 - 5 min read

Authentication and authorization are the cornerstones of online security because they verify the user’s identity, commonly done by entering a username and password, and also ensure that the correct user is accessing the requested information which is often sensitive. But the process of user authentication in frameworks like Symfony  is a bit confusing to set up. However, we now have a Service called Auth0 which simplifies Symfony user authentication process. Hence in this article, I am going to show you step by step How to Authorize Auth0 User In Symfony4. 

Want to jump directly to see how we implemented this? See our own example in github.

Or, see the projects we did with Symfony PHP Framework.

Symfony4

First of all, just in case you didn’t know, Symfony is a php framework for web projects. The most significant aspect of Symfony comes from the fact that it has a lot of reusable PHP component. These components are used throughout PHP land. Tools like WordPress, Drupal, phpBB and Laravel depend on Symfony Framework components a lot. If you are new to Symfony, here you can go through the process of project setup to create symfony web application.

Auth0

Auth0 is a service that provides authentication and authorization. It is an Api that plays a bridge role between users and application. SImilarly Auth0 can connect any applications written in any programming language. It provides the clients with IDs and credentials which we can use in our app. Then it verifies identity of users and sends back the required information to the app when users try to authenticate each time. For further information about Auth0, we can go through the documentation of Auth0 Api.

Why Auth0?

Well, auth0 has several benefits. Some of them are:

  1. Extensibility
  2. Simple Apis
  3. User-Centered
  4. Standard Protocols
  5. Sdks
  6. Analytics
  7. Multi-factor Authentication
  8. Device Agnostic
  9. Scalable and reliable
  10. Single Sign On
  11. Cloud Hybrid
  12. Social Logins

These are just some of the benefits that make your life as a developer certainly much easier. If you want to know more about Auth0 and its benefits, you can get them here.

How to Authorize Auth0 User In Symfony

In this section, we will discuss step-by-step about how to Setup Auth0 Account, Get Access Token & decode it, Access Api Endpoints and prevent the access of Symfony api-endpoints of unauthorized users.   Let’s start with Auth0 Account Setup.

Auth0 Account Setup

First thing first, we have to signup for auth0 account at:

https://auth0.com/signup?&signUpData=%7B%22category%22%3A%22button%22%7D

How to Authorize Auth0 User In Symfony

After signup, we login into the system and create Single Page Application for frontend at Applications/Create Application.

How to Authorize Auth0 User In Symfony

The ClientId and Client Secret of this Single Page Application will be used to get Access Token for authorization api endpoints later.

How to Authorize Auth0 User In Symfony

Now, we need Auth0 Audience(Identifier) to generate Access Token for Single Page Application. In order to get Identifier, we create an Api at Api/Create Api. We get our Identifier at APIs/api_name/Settings.

How to Authorize Auth0 User In Symfony

In order to communicate between Symfony and Auth0, we need ClientID, Client Secret and Auth0 Domain of API Explorer Application.

All these we can get at Applications/API Explorer Application/Settings.

We now define the above keys in symfony application’s .env file.

How to Authorize Auth0 User In Symfony

We now fetch Access Token required to authorize our api endpoints.

Get Access Token

Access Token is a credential that can be used by an application to access Api endpoints. We fetch this token using Auth0 Domain,. ClientID, Client Secret and Audience(Identifier) of Single Page Application using either of below two ways:

  1. Js code snippet. OR
var webAuth = new auth0.WebAuth({
    domain: 'auth0_domain',
    clientID: client_id,
    audience: 'identifier',
    responseType: 'token id_token',
    scope: 'openid profile',
    redirectUri: window.location.href
  });

2. From APIs/api_name/Test

How to Authorize Auth0 User In Symfony

After fetching Access token, we now have to decode the token in order to authorize the api endpoints.

Decode Access Token

First of all inject the Access Token to User Provider to decode it or get user profile. User Provider is a class that decodes the Access Token. To create User provider class, install JWT Authentication Bundle to install the dependencies.

composer require auth0/jwt-auth0-bundle:“~3.0”

User Provider class decodes the token for those users who are assigned with certain roles which will be later used in the route while accessing api endpoints.

We need to configure the User Provider to decode the token at Symfony’s file config/packages/security.yaml under providers key.

security:
   providers:
        a0:
             id:
               a0_user_provider 

The Provider Class under providers key a0_user_provider is used as service.

parameters:

services:
   a0_user_provider:
       class: App\Security\A0UserProvider
       arguments: ["@jwt_auth.auth0_service"]

Finally, to decode the Access Token, we configure framework.yaml under Symfony’s  file config/packages/framework.yaml to check whether the Access Token is issued by authorized issuer or not.

jwt_auth:
   domain: '%env(AUTH0_DOMAIN)%'
   authorized_issuer: https://%env(AUTH0_DOMAIN)%/
   api_identifier: '%env(AUTH0_AUDIENCE)%'

Now that we have fetched and decoded the Access Token, the final step is to access the api endpoints.

Access Api Endpoints

Before accessing the api endpoints, we have to configure the security.yaml file under the key security’s firewall at config/packages/security.yaml for the url pattern /api.

security:
   firewalls:
       secured_area:
             pattern: ^/api
             stateless: true
             simple_preauth:
               authenticator: jwt_auth.jwt_authenticator

Finally, we authorize the api endpoints for url /api/hello using @Route annotation. Annotations are metadata that can be embedded in source code. The role ROLE_AUTH0_AUTHENTICATED for which the Access Token was decoded earlier is now used as @IsGranted annotation.

/**
* @Route("/api/hello", name="hello")
* @IsGranted("ROLE_AUTH0_AUTHENTICATED")
*/
public function hello()
{
   return $this->json([ 'message' => 'Hello World!' ]);
}

The user role ROLE_AUTH0_AUTHENTICATED in which Access Token is assigned can access the above api endpoints otherwise the user is forbidden.

How to Authorize Auth0 User In Symfony

What’s Next?

In this article, we discussed about Authorization and Authentication of Auth0 user in Symfony 4. Likewise in the next article, we will discuss about the use of Auth0 Management Api to create Auth0 user with permissions & scopes and assign roles to them. So stay tuned!

Meanwhile if you have any questions regarding How to authorize Auth0 user in Symfony, do comment below or write to me.

We open source.

If there is one thing that all of us fundamentally believe in then its this: "We should cooperate with others and compete with ourselves". Open source helps us achieve the same plus the culture of innovation and continuous learning.

GitHub