Laravel SDK for Auth0 Authentication and Management APIs.
MIT License
Bot releases are hidden (Show)
Changed
Published by evansims about 1 year ago
AUTH0_SESSION_STORAGE
and AUTH0_TRANSIENT_STORAGE
now support a cookie
value to enable the native Auth0-PHP SDK cookie session handler. See docs/Cookies.md for more information.auth0_session
entry in the Laravel session store, rather than in multiple keys.Published by evansims about 1 year ago
Published by evansims about 1 year ago
auth0-php
dependency version range to ^8.7
.laravel
package name (previously laravel-auth0
.)AUTH0_
dotenv values could erroneously be interpreted as true configuration values.Note
ยน To use this feature, an Auth0 tenant must have support for it enabled. This feature is not yet available to all tenants.
Published by evansims over 1 year ago
Published by evansims over 1 year ago
Good news, Laravel Artisans! Auth0 is proud to announce the availability of v7.8 of our Laravel SDK! ๐ This is a substantial release that includes features long requested by developers, including fully separate and independently configurable authentication and authorization guards, support for Laravel's auth
and can
middleware, and Laravel's Gates and Policies APIs.
We've made some exciting changes that remove nearly all the boilerplate and setup required to integrate the SDK. Short of configuring your account details, the SDK can now work largely "out of the box," as it will silently register its guards, middleware, and authentication routes. Speaking of configuration โ the SDK can now be configured entirely using the Auth0 CLI!
We've updated our authentication and authorization quickstarts to reflect the simplified setup process. Of course, the updated quickstart code is available here on GitHub, as well.
This release adds support for authenticating using Pushed Authorization Requests.
This release introduces two new Authentication Guards which provide a streamlined integration experience for developers that need to simultaneously support both session-based authentication and token-based endpoint authorization in their Laravel applications.
Guard | Class | Description |
---|---|---|
auth0.authenticator |
Auth0\Laravel\Auth\Guards\AuthenticationGuard |
Session-based authentication. |
auth0.authorizer |
Auth0\Laravel\Auth\Guards\AuthorizationGuard |
Token-based authorization. |
These guards are compatible with Laravel's Authentication API and support the standard auth
middleware.
These guards are compatible with Laravel's Authorization API and support the standard can
middleware, and the Guard
facade, and work with the Policies API.
3 new pre-built Guards are available: scope
and permission
, as well as a dynamic *:*
. This enables you to verify whether the user's access token has a particular scope or (if RBAC is enabled on the Auth0 API) a particular permission. For example Gate::check('scope', 'email')
or Route::get(/*...*/)->can('read:messages')
.
The SDK now automatically registers these guards to Laravel's standard web
and api
middleware groups, respectively. Manual Guard setup in config/auth.php
is no longer necessary.
The SDK now automatically registers the Authentication routes. Manual route setup in routes/web.php
is no longer necessary.
2 new routing Middleware have been added: Auth0\Laravel\Http\Middleware\AuthenticatorMiddleware
and Auth0\Laravel\Http\Middleware\AuthorizerMiddleware
. These are automatically registered with your Laravel application, and ensure the Auth0 Guards are used for authentication for web
routes and authorization for api
routes, respectively. This replaces the need for the guard
middleware or otherwise manual Guard assignment in your routes.
We've introduced a new configuration syntax. This new syntax is more flexible and allows for more complex configuration scenarios, and introduces support for multiple guard instances. Developers using the previous syntax will have their existing configurations applied to all guards uniformly.
The SDK can now configure itself using a .auth0.json
file in the project root directory. This file can be generated using the Auth0 CLI, and provides a significantly simpler configuration experience for developers.
The previous auth0.guard
Guard (Auth0\Laravel\Auth\Guard
) has been refactored as a lightweight wrapper around the new AuthenticationGuard
and AuthorizationGuard
guards.
auth0.guard
. It will continue to work until the next release, but we recommend migrating to auth0.authorizer
and/or auth0.authenticator
for a better experience.auth0.authorize
, auth0.authorize.optional
, auth0.authenticate
and auth0.authenticate.optional
middleware. These will continue to work until the next release, but we recommend migrating to the new auth0.authorizer
and/or auth0.authenticator
guards for a better experience. These new guards do not require the previous middleware to work, and support Laravel's standard auth
and can
middleware.Published by evansims over 1 year ago
Auth0\Laravel\Auth0
now has a management()
shortcut method for issuing Management API calls. (#376)
Auth0\Laravel\Auth0\Guard
now has a refreshUser()
method for querying /userinfo
endpoint and refreshing the authenticated user's cached profile data. (#375)
Auth0\Laravel\Http\Controller\Stateful\Login
now raises a LoginAttempting
event, offering an opportunity to customize the authorization parameters before the login redirect is issued. (#382)
tokenCache
, managementTokenCache
, sessionStorage
and transientStorage
configuration values now support false
or string
values pointing to class names (e.g. \Some\Cache::class
) or class aliases (e.g. cache.psr6
) registered with Laravel. (#381)Published by evansims over 1 year ago
Auth0\Laravel\Http\Middleware\Guard
, new middleware that forces Laravel to route requests through a group using a specific Guard. (#362)Auth0\Laravel\Http\Middleware\Stateful\Authenticate
now remembers the intended route (using redirect()->setIntendedUrl()
) before kicking off authentication flow redirect. Users will be returned to the memorized intended route after completing their authentication flow. (#364)$session
, not $token
(#353)Published by evansims over 1 year ago
Fixed
Symfony\Component\HttpFoundation\Response
class, allowing for broader and custom response types.Published by evansims over 1 year ago
Fixed
Published by evansims over 1 year ago
This release includes support for Laravel 10, and major improvements to the internal state handling mechanisms of the SDK.
Added
โ Support for Laravel 10 #349
โ New Auth0\Laravel\Traits\Imposter
trait to allow for easier testing. Example usage
โ New Exception types have been added for more precise error catching.
Changed
The following changes have no effect on the external API of this package, but may affect internal usage.
โ Guard
will now more reliably detect changes in the underlying Auth0-PHP SDK session state.
โ Guard
will now more reliably sync changes back to the underlying Auth0-PHP SDK session state.
โ StateInstance
concept has been replaced by new Credentials
entity.
โ Guard
updated to use new Credentials
entity as primary internal storage for user data.
โ Auth0\Laravel\Traits\ActingAsAuth0User
was updated to use newCredentials
entity.
โ The HTTP middleware have been refactored to more clearly differentiate between token and session based identities.
โ The authenticate
, authenticate.optional
and authorize.optional
HTTP middleware now support scope filtering, as authorize
already did.
Fixed
โ A 'Session store not set on request' error could occur when downstream applications implemented unit testing that use the Guard. This should be resolved now.
โ Guard
would not always honor the provider
configuration value in config/auth.php
.
โ Guard
is no longer defined as a Singleton to better support applications that need multi-guard configurations.
Maintenance
โ Upgraded test suite to use PEST 2.0 framework.
โ Updated test coverage to 100%.
Important Notes
1. Changes to user()
behavior
This release includes a significant behavior change around the user()
method of the Guard. Previously, by simply invoking the method, the SDK would search for any available credential (access token, device session, etc.) and automatically assign the user within the Guard. The HTTP middleware have been upgraded to handle the user assignment step, and user()
now only returns the current state of user assignment without altering it.
A new property has been added to the config/auth0.php
configuration file: behavior
. This is an array. At this time, there is a single option: legacyGuardUserMethod
, a bool. If this value is set to true, or if the key is missing, the previously expected behavior will be applied, and user()
will behave as it did before this release. The property defaults to false
.
2. Changes to Guard and Provider driver aliases
We identified an issue with using identical alias naming for both the Guard and Provider singletons under Laravel 10, which has required us to rename these aliases. As previous guidance had been to instantiate these using their class names, this should not be a breaking change in most cases. However, if you had used auth0
as the name for either the Guard or the Provider drivers, kindly note that these have changed. Please use auth0.guard
for the Guard driver, and auth0.provider
for the Provider driver. This is a regrettable change, but was necessary for adequate Laravel 10 support.
Thanks to our contributors for this release: taida957789
Published by evansims almost 2 years ago
Added
Fixed
env()
incorrectly assigns cookieExpires
to a string
value #332 (evansims)Auth0\Laravel\Cache\LaravelCachePool::createItem
returning a cache miss #329 (pkivits-litebit)Published by evansims about 2 years ago
Fixed
Auth0\Laravel\Auth0
no longer requires a session configuration for stateless strategies, restoring previous behavior. #317 (evansims)^3.0
of the psr/cache
dependency, to accommodate breaking changes made in the upstream interface (typed parameters and return types) for PHP 8.0+. #316 (evansims)Published by evansims about 2 years ago
https://user-images.githubusercontent.com/3093/195164064-31845e82-65f6-4100-80e7-97ced4f2d26d.mp4
Thank you to tonyfox-disguise, jeovajr and nie7321 for their contributions to this release.
Changed
Auth0\Laravel\Store\LaravelSession
has been added as the default sessionStorage
and transientStorage
interfaces for the underlying Auth0-PHP SDK. The SDK now leverages the native Laravel Session APIs by default. #307 (evansims)ยนAuth0\Laravel\Cache\LaravelCachePool
and Auth0\Laravel\Cache\LaravelCacheItem
have been added as the default tokenCache
and managementTokenCache
interfaces for the underlying Auth0-PHP SDK. The SDK now leverages the native Laravel Cache APIs by default. #307 (evansims)Auth0\Laravel\Auth\Guard
now supports the viaRemember
method. #306 (tonyfox-disguise)Auth0\Laravel\Http\Middleware\Stateless\Authorize
now returns a 401 status instead of 403 for unauthenticated users. #304 (jeovajr)ยน This change may require your application's users to re-authenticate. You can avoid this by changing the sessionStorage
and transientStorage
options in your SDK configuration to their previous default instances of Auth0\SDK\Store\CookieStore
, but it is recommended you migrate to the new LaravelSession
default.
Published by evansims about 2 years ago