
symfony's Introduction

auth0/symfony

Symfony SDK for Auth0 Authentication and Management APIs.

📚 Documentation - 🚀 Getting Started - 💬 Feedback

Documentation

  • Docs site - explore our docs site and learn more about Auth0.

Getting Started

Requirements

  • PHP 8.1+
  • Symfony 6.4 LTS
    • Symfony 7.0 is not currently supported.

Please review our support policy to learn when language and framework versions will exit support in the future.

Installation

Add the dependency to your application with Composer:

composer require auth0/symfony

Configure Auth0

Create a Regular Web Application in the Auth0 Dashboard. Verify that the "Token Endpoint Authentication Method" is set to POST.

Next, configure the callback and logout URLs for your application under the "Application URIs" section of the "Settings" page:

  • Allowed Callback URLs: URL of your application where Auth0 will redirect to during authentication, e.g., http://localhost:8000/callback.
  • Allowed Logout URLs: URL of your application where Auth0 will redirect to after logout, e.g., http://localhost:8000/login.

Note the Domain, Client ID, and Client Secret. These values will be used later.

Configure the SDK

After installation, you should find a new file in your application, config/packages/auth0.yaml. If this file isn't present, please create it manually.

The following is an example configuration that will use environment variables to assign values. You should avoid storing sensitive credentials directly in this file, as it will often be committed to version control.

auth0:
  sdk:
    domain: "%env(trim:string:AUTH0_DOMAIN)%"
    client_id: "%env(trim:string:AUTH0_CLIENT_ID)%"
    client_secret: "%env(trim:string:AUTH0_CLIENT_SECRET)%"
    cookie_secret: "%kernel.secret%"

    # custom_domain: "%env(trim:string:AUTH0_CUSTOM_DOMAIN)%"

    # audiences:
    #  - "%env(trim:string:AUTH0_API_AUDIENCE)%"

    # token_cache: cache.auth0_token_cache
    # management_token_cache: cache.auth0_management_token_cache

    scopes:
      - openid
      - profile
      - email
      - offline_access

  authenticator:
    routes:
      callback: "%env(string:AUTH0_ROUTE_CALLBACK)%"
      success: "%env(string:AUTH0_ROUTE_SUCCESS)%"
      failure: "%env(string:AUTH0_ROUTE_FAILURE)%"
      login: "%env(string:AUTH0_ROUTE_LOGIN)%"
      logout: "%env(string:AUTH0_ROUTE_LOGOUT)%"

Configure your .env file

Create or open a .env.local file within your application directory, and add the following lines:

#
# ↓ Refer to your Auth0 application details (https://manage.auth0.com/#/applications) for these values.
#

# Your Auth0 application domain
AUTH0_DOMAIN=...

# Your Auth0 application client ID
AUTH0_CLIENT_ID=...

# Your Auth0 application client secret
AUTH0_CLIENT_SECRET=...

# Optional. Your Auth0 custom domain, if you have one. (https://manage.auth0.com/#/custom_domains)
AUTH0_CUSTOM_DOMAIN=...

# Optional. Your Auth0 API identifier/audience, if used. (https://manage.auth0.com/#/apis)
AUTH0_API_AUDIENCE=...

#
# ↓ These routes will be used by the SDK to direct traffic during authentication.
#

# The route that SDK will redirect to after authentication:
AUTH0_ROUTE_CALLBACK=callback

# The route that will trigger the authentication process:
AUTH0_ROUTE_LOGIN=login

# The route that the SDK will redirect to after a successful authentication:
AUTH0_ROUTE_SUCCESS=private

# The route that the SDK will redirect to after a failed authentication:
AUTH0_ROUTE_FAILURE=public

# The route that the SDK will redirect to after a successful logout:
AUTH0_ROUTE_LOGOUT=public

Please ensure this .env.local file is included in your .gitignore. It should never be committed to version control.

Configure your security.yaml file

Open your application's config/packages/security.yaml file, and update it based on the following example:

security:
  providers:
    auth0_provider:
      id: Auth0\Symfony\Security\UserProvider

  firewalls:
    auth0:
      pattern: ^/private$ # A pattern example for stateful (session-based authentication) route requests
      provider: auth0_provider
      custom_authenticators:
        - auth0.authenticator
    api:
      pattern: ^/api # A pattern example for stateless (token-based authorization) route requests
      stateless: true
      provider: auth0_provider
      custom_authenticators:
        - auth0.authorizer
    dev:
      pattern: ^/(_(profiler|wdt)|css|images|js)/
      security: false
    main:
      lazy: true

  access_control:
    - { path: ^/api$, roles: PUBLIC_ACCESS } # PUBLIC_ACCESS is a special role that allows everyone to access the path.
    # Symfony applies only the first access_control entry whose path matches, so each path needs exactly one rule.
    # The ROLE_USING_TOKEN role is added by the Auth0 SDK to any request that includes a valid access token;
    # ROLE_READ_MESSAGES is added only when that token also carries the `read:messages` scope, so requiring it implies a valid token.
    - { path: ^/api/scoped$, roles: ROLE_READ_MESSAGES } # This route expects the given access token to have the `read:messages` scope.
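As an added example that is not part of the SDK's own code, here is a controller for the two `/api` paths covered by the access_control above. It assumes attribute routing is enabled for src/Controller (the Symfony Flex default) and, as stated above, that a valid bearer token yields ROLE_USING_TOKEN and the `read:messages` scope yields ROLE_READ_MESSAGES.

```php
<?php

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted;

/**
 * Added example, not code from the auth0/symfony project. Both routes fall under the
 * stateless "api" firewall (pattern ^/api) from security.yaml, so auth0.authorizer
 * validates any bearer token that is present. Assumes the SDK grants ROLE_USING_TOKEN
 * for a valid token and ROLE_READ_MESSAGES for the `read:messages` scope, as the
 * access_control comments describe, and that attribute routing covers src/Controller.
 */
final class ApiController extends AbstractController
{
    // ^/api$ is PUBLIC_ACCESS: reachable without a token, but a valid token is still
    // authenticated by the firewall, so the response can differ for callers that sent one.
    #[Route('/api', name: 'api_public', methods: ['GET'])]
    public function index(): JsonResponse
    {
        $authenticated = $this->isGranted('ROLE_USING_TOKEN');

        return new JsonResponse([
            'message'       => 'Public endpoint',
            'authenticated' => $authenticated,
            'subject'       => $authenticated ? $this->getUser()?->getUserIdentifier() : null,
        ]);
    }

    // ^/api/scoped$ already requires ROLE_READ_MESSAGES in access_control. Repeating the
    // requirement on the action keeps the endpoint protected even if security.yaml is
    // later reordered or its path pattern stops matching (defence in depth).
    #[Route('/api/scoped', name: 'api_scoped', methods: ['GET'])]
    #[IsGranted('ROLE_READ_MESSAGES')]
    public function scoped(): JsonResponse
    {
        $user = $this->getUser();

        return new JsonResponse([
            'subject' => $user?->getUserIdentifier(),
            // Roles the SDK derived from the token: ROLE_USING_TOKEN plus scope-based
            // roles such as ROLE_READ_MESSAGES.
            'roles'   => $user?->getRoles() ?? [],
        ]);
    }
}
```

A request to /api/scoped without a token, or with a token lacking the `read:messages` scope, is rejected before the action body runs.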

Update your config/bundles.php

Symfony Flex projects should detect and register the SDK bundle automatically, but if the Auth0Bundle is not yet listed in your application's bundle registry, add it as shown below. Registering it explicitly is harmless either way.

<?php

return [
    /*
     * Leave any existing entries in this array as they are.
     * You should just append this line to the end:
     */

    Auth0\Symfony\Auth0Bundle::class => ['all' => true],
];

Optional: Add Authentication helper routes

The SDK includes a number of pre-built HTTP controllers that can be used to handle authentication. These controllers are not required, but can be helpful in getting started. In many cases, these may provide all the functionality you need to integrate Auth0 into your application, providing a plug-and-play solution.

To use these, open your application's config/routes.yaml file, and add the following lines:

login: # Send the user to Auth0 for authentication.
  path: /login
  controller: Auth0\Symfony\Controllers\AuthenticationController::login

callback: # The user will be returned here from Auth0 after authentication; this is a special route that completes the authentication process. After this, the user will be redirected to the route configured as `AUTH0_ROUTE_SUCCESS` in your .env file.
  path: /callback
  controller: Auth0\Symfony\Controllers\AuthenticationController::callback

logout: # This route will clear the user's session and return them to the route configured as `AUTH0_ROUTE_LOGOUT` in your .env file.
  path: /logout
  controller: Auth0\Symfony\Controllers\AuthenticationController::logout

Recommended: Configure caching

The SDK provides two caching properties in its configuration: token_cache and management_token_cache. These are compatible with any PSR-6 cache implementation, of which Symfony offers several out of the box.

These are used to store JSON Web Key Set (JWKS) results for validating access token signatures and generated Management API tokens, respectively. We recommend configuring this feature to improve your application's performance by reducing the number of network requests the SDK needs to make. It will also greatly help in avoiding rate-limiting conditions if you make frequent Management API requests.

The following is an example config/packages/cache.yaml file that would configure the SDK to use a Redis backend for caching:

framework:
  cache:
    prefix_seed: auth0_symfony_sample

    app: cache.adapter.redis
    default_redis_provider: redis://localhost

    pools:
      auth0_token_cache: { adapter: cache.adapter.redis }
      auth0_management_token_cache: { adapter: cache.adapter.redis }

Please review the Symfony cache documentation for adapter-specific configuration options. Please note that the SDK does not currently support Symfony's "Cache Contract" adapter type.

Example: Retrieving the User

The following example shows how to retrieve the authenticated user within a controller. For this example, we'll create a mock ExampleController class that is accessible from a route at /private.

Add a route to your application's config/routes.yaml file:

private:
  path: /private
  controller: App\Controller\ExampleController::private

Now update or create a src/Controller/ExampleController.php class to include the following code:

<?php

namespace App\Controller;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

class ExampleController extends AbstractController
{
    public function private(): Response
    {
        // getUser() returns the user object built by the SDK's UserProvider from the
        // authenticated session (or null when nobody is authenticated). Profile claims
        // such as name and email originate from the identity provider and can be
        // influenced by the end user, so escape them before embedding them in HTML.
        $details = htmlspecialchars(print_r($this->getUser(), true), ENT_QUOTES, 'UTF-8');

        return new Response(
            '<html><body><pre>' . $details . '</pre> <a href="/logout">Logout</a></body></html>'
        );
    }
}

If you visit the /private route in your browser, you should see the authenticated user's details. If you are not already authenticated, you will be redirected to the /login route to login, and then back to /private afterward.

Support Policy

Our support windows are determined by the Symfony release support and PHP release support schedules, and support ends when either the Symfony framework or the PHP runtime outlined below stops receiving security fixes, whichever comes first.

SDK Version  Symfony Version  PHP Version  Support Ends
5            6.2              8.2          Jul 31 2023
5            6.2              8.1          Jul 31 2023
5            6.1              8.2          Jan 31 2023
5            6.1              8.1          Jan 31 2023

Deprecations of EOL'd language or framework versions are not considered a breaking change, as Composer handles these scenarios elegantly. Legacy applications will stop receiving updates from us, but will continue to function on those unsupported SDK versions.

Note: We do not currently support Symfony LTS versions, but anticipate adding support for this when Symfony's 6.x branch enters its LTS window.

Feedback

Contributing

We appreciate feedback and contribution to this repo! Before you get started, please see the following:

Raise an issue

To provide feedback or report a bug, please raise an issue on our issue tracker.

Vulnerability Reporting

Please do not report security vulnerabilities on the public Github issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.



Auth0 is an easy to implement, adaptable authentication and authorization platform.
To learn more checkout Why Auth0?

This project is licensed under the MIT license. See the LICENSE file for more info.


symfony's Issues

Optional field `secret_base64_encoded` does not work.

The optional configuration field secret_base64_encoded doesn't work when set to false.

Auth0JWT::decode will always attempt to decode the secret, even if it was never base64-encoded to begin with, and verifying the signature fails.

`jwt-auth-bundle` v5 development thread

This thread is to provide updates and centralize discussion around the forthcoming 5.0 major release of jwt-auth-bundle, currently in development. As conversations had begun to splinter across a few separate issues on the subject, I thought it in our best interest to have a central place to bridge these discussions.

The 5.x-dev branch is the in-development branch representing this work. Feedback, PRs, and testing are greatly appreciated. As this branch approaches what we consider beta ready, we'll merge it into main and begin cutting pre-production releases for testing. (Until then, it should be considered experimental, unstable and has not undergone a security review yet.)

Goals for 5.0 include:
🟢 Support for the new SF 5.1+ authenticator-based security, as contributed by @mcsky
🟢 Support for SF 6, as contributed by @mkilmanas
🚧 Migration to Auth0-PHP SDK 8.0 by @evansims

Note that the new 5.x bundle release will not include support for SF versions before 5.2 or PHP versions before 7.4.

Auth0 does not currently have a timeline for a stable release on this major, but will keep you informed.

Broken link to "Symfony API Quickstart Guide" in readme

Description

In the Readme the link to your own "Symfony API Quickstart Guide" is broken. Expected a link to a Symfony Quickstart Guide.

Reproduction

In the resources section of the readme click the link to "Symfony API Quickstart Guides" which links here

Environment

Please provide the following:

  • Version of this library used: 3.3.1

"Undefined index: environment" on composer install

Hi!

I'm getting

In InformationHeaders.php line 128:
                                        
  Notice: Undefined index: environment

when I run composer require auth0/jwt-auth-bundle:"^3.0" on a SF4 application. Using PHP 7.2-10. I can bypass that by disabling notices, but I guess we should check if the field exists before accessing it. Or should it be env instead of environment?


Using jwt-auth-bundle with symfony 6

Hello there,
I've recently been creating a new Symfony app and planned to use Auth0 as my authentication system.
I encountered an error while running

composer require auth0/jwt-auth-bundle

which led to the latest stable version 4.0.0.

After some research I found that there was an issue with the new authenticator system embedded with Symfony 6 and found this PR, which has been merged and released with version 4.0.0: #121

But it seems that the required level of symfony in the composer.json still does not allow symfony 6.

"symfony/framework-bundle": "^4.4 || ~5.1",

I don't know yet if it's a mistake or intended for any non related reasons :O

Symfony 3.0 Upgrade

Yesterday I raised a PR #22, but in using the bundle in Symfony 3 I had to make a few more changes. These changes won't work in the Symfony 2.x branches. This is because of the location of SimplePreAuthenticatorInterface in the files directory.

What is the process of requesting a merge in this instance? I was going to create a new PR, but that would break the 1.2 branch from working with Symfony 2.x.

Allow multiple audiences in config

I have two clients in Auth0, one for a PWA and one for native apps. Both should communicate with a Symfony API where I use this bundle.

As I see, the JWTVerifier is capable of validating tokens for multiple audiences, but the auth0Service uses only one audience.

PHP 8 support

Hello,

The 8th version of PHP was released last month. It could be great to support it.

I don't know if you guys have any plan to support it or if you rely on the community to do so.
I didn't take time (yet) to investigate what change should be made to ensure the PHP 8 compatibility

Looks like your recipe isn't working. As a result the bundles file isn't being updated.

Describe the problem

Looks like your recipe isn't working. As a result the bundles file isn't being updated.

What was the expected behavior?

At a minimum, the configuration noted on here should be done automatically via recipes.
I managed to get around it by following your instructions, however, the one key piece that was missing was the addition of the bundle file to the bundles.php in symfony.

As a workaround, if users are seeing messages like: There is no extension able to load the configuration for "auth0" [...]
It's just adding the following line to your bundles.php

Auth0\Symfony\Auth0Bundle::class => ['all' => true]

Here's a full example of what the bundles.php should look like:


<?php

return [
    Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
    Doctrine\Bundle\DoctrineBundle\DoctrineBundle::class => ['all' => true],
    Doctrine\Bundle\MigrationsBundle\DoctrineMigrationsBundle::class => ['all' => true],
    Symfony\Bundle\DebugBundle\DebugBundle::class => ['dev' => true],
    Symfony\Bundle\TwigBundle\TwigBundle::class => ['all' => true],
    Symfony\Bundle\WebProfilerBundle\WebProfilerBundle::class => ['dev' => true, 'test' => true],
    Twig\Extra\TwigExtraBundle\TwigExtraBundle::class => ['all' => true],
    Symfony\Bundle\SecurityBundle\SecurityBundle::class => ['all' => true],
    Symfony\Bundle\MonologBundle\MonologBundle::class => ['all' => true],
    Symfony\Bundle\MakerBundle\MakerBundle::class => ['dev' => true],
    Sensio\Bundle\FrameworkExtraBundle\SensioFrameworkExtraBundle::class => ['all' => true],
    Auth0\Symfony\Auth0Bundle::class => ['all' => true],
];

Reproduction

  • create a fresh symfony project.
  • issue a composer require auth0/symfony
  • recipe should run which does all the configuration.

Environment

  • PHP 8.2
  • Symfony 6.2.4

Allow to change the url jwks.json.

I use your bundle against our own JWT provider.

In the bundle, the url for retrieving the jwks is hard coded with the value .well-known/jwks.json
But the url for retrieving jwks on our provider is /.well-known/openid-configuration/jwks.

How can I configure this value with what I need?

Remove SimplePreAuthenticatorInterface?

Thanks for merging #75!

Looking at the logs, I still get the following deprecation message:

The "Auth0\JWTAuthBundle\Security\JWTAuthenticator" class implements "Symfony\Component\Security\Http\Authentication\SimplePreAuthenticatorInterface" that is deprecated since Symfony 4.2, use Guard instead.

Since Guard has been supported since SF 2.8, and the current latest supported release is 3.4.31, is it possible to remove the SimplePreAuth implementation altogether?

Argument must implement interface 'JWTUserProviderInterface' though it's been implemented

After setting up JwtAuthBundle through the documentation, I'm getting Argument must implement interface Auth0\JWTAuthBundle\Security\Core\JWTUserProviderInterface.

Checked my code and it's ok, thought it might be a bug or something..., here is the trace:

Doctrine\Common\Proxy\Exception\InvalidArgumentException: Argument must implement interface Auth0\JWTAuthBundle\Security\Core\JWTUserProviderInterface
    at n/a
        in /home/aien/Web/MrAlef/MRA/vendor/auth0/jwt-auth-bundle/src/Security/JWTAuthenticator.php line 73

    at Auth0\JWTAuthBundle\Security\JWTAuthenticator->authenticateToken(object(PreAuthenticatedToken), object(EmailUserProvider), 'secured_area')
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/Provider/SimpleAuthenticationProvider.php line 37

    at Symfony\Component\Security\Core\Authentication\Provider\SimpleAuthenticationProvider->authenticate(object(PreAuthenticatedToken))
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/AuthenticationProviderManager.php line 80

    at Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager->authenticate(object(PreAuthenticatedToken))
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/SimplePreAuthenticationListener.php line 91

    at Symfony\Component\Security\Http\Firewall\SimplePreAuthenticationListener->handle(object(GetResponseEvent))
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall.php line 69

    at Symfony\Component\Security\Http\Firewall->onKernelRequest(object(GetResponseEvent), 'kernel.request', object(TraceableEventDispatcher))
        in  line 

    at call_user_func(array(object(Firewall), 'onKernelRequest'), object(GetResponseEvent), 'kernel.request', object(TraceableEventDispatcher))
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php line 61

    at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke(object(GetResponseEvent), 'kernel.request', object(ContainerAwareEventDispatcher))
        in  line 

    at call_user_func(object(WrappedListener), object(GetResponseEvent), 'kernel.request', object(ContainerAwareEventDispatcher))
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/EventDispatcher.php line 184

    at Symfony\Component\EventDispatcher\EventDispatcher->doDispatch(array(object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener), object(WrappedListener)), 'kernel.request', object(GetResponseEvent))
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/EventDispatcher.php line 46

    at Symfony\Component\EventDispatcher\EventDispatcher->dispatch('kernel.request', object(GetResponseEvent))
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/TraceableEventDispatcher.php line 140

    at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch('kernel.request', object(GetResponseEvent))
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php line 125

    at Symfony\Component\HttpKernel\HttpKernel->handleRaw(object(Request), '1')
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php line 64

    at Symfony\Component\HttpKernel\HttpKernel->handle(object(Request), '1', true)
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/DependencyInjection/ContainerAwareHttpKernel.php line 69

    at Symfony\Component\HttpKernel\DependencyInjection\ContainerAwareHttpKernel->handle(object(Request), '1', true)
        in /home/aien/Web/MrAlef/MRA/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php line 185

    at Symfony\Component\HttpKernel\Kernel->handle(object(Request))
        in /home/aien/Web/MrAlef/MRA/web/app_dev.php line 30

new release

Hi,

Can you tag a new release? With the current stable I'm unable to upgrade Symfony:

472 !!  PHP Fatal error:  Uncaught ArgumentCountError: Too few arguments to function Symfony\Component\Config\Definition\Builder\TreeBuilder::__construct(), 0 passed in /srv/api/vendor/auth0/jwt-auth-bundle/src/DependencyInjection/Configuration.php on line 20 and at least 1 expected in /srv/api/vendor/symfony/config/Definition/Builder/TreeBuilder.php:26
473 !!  Stack trace:
474 !!  #0 /srv/api/vendor/auth0/jwt-auth-bundle/src/DependencyInjection/Configuration.php(20): Symfony\Component\Config\Definition\Builder\TreeBuilder->__construct()
475 !!  #1 /srv/api/vendor/symfony/config/Definition/Processor.php(50): Auth0\JWTAuthBundle\DependencyInjection\Configuration->getConfigTreeBuilder()
476 !!  #2 /srv/api/vendor/symfony/dependency-injection/Extension/Extension.php(106): Symfony\Component\Config\Definition\Processor->processConfiguration()
477 !!  #3 /srv/api/vendor/auth0/jwt-auth-bundle/src/DependencyInjection/JWTAuthExtension.php(19): Symfony\Component\DependencyInjection\Extension\Extension->processConfiguration()
478 !!  #4 /srv/api/vendor/symfony/dependency-injection/Compiler/Me in /srv/api/vendor/symfony/config/Definition/Builder/TreeBuilder.php on line 26
479 !!  
480 Script @auto-scripts was called via post-install-cmd

This is fixed in #79

... but is not mandatory

Hello there !

Any example of using this bundle without Auth0?

Maybe using the FOSUser bundle?

Thanks !

Support Symfony4

Are there any plans to support sf4 in the near future? This is like a real blocker (for me) to use Auth0 in the future.

PHP version on 5.x branches

Describe the problem

5.x branches require PHP version ^8.0 but Symfony 6.1 packages require >=8.1.

What was the expected behavior?

Installing a 5.x branch should require PHP >=8.1

Reproduction

composer require auth0/jwt-auth-bundle:5.0.0-BETA1

Environment

PHP 8.0

CSRF invalid with support true

Describe the problem

Having support return true on the Authenticator messes up CSRF tokens.

I just installed a fresh SF 6.2 EasyAdmin 4 setup and integrated this bundle.
Every time we want to do a form operation we get a CSRF token invalid message.

What was the expected behavior?

Don't change the token on every request.

Having the support trigger only on the callback route seems to fix this.

Inconsistent install instructions for master branch

Could you please provide some useful install instructions for the master branch? It is written there that you should install this bundle like this:

composer require auth0/jwt-auth-bundle:"~3.0"

but the configuration underneath does not fit the configuration required for branch ~3.0

also, the master branch is not ~3.0, it is ~4.0...

It would be really nice to provide at least one single example demo project which is pointing to the right direction.

Thank you very much

Support for Symfony LTS versions

Hi,

Thanks for the release! It's great news! I have been tracking this repo for months looking for a new release compatible with Symfony 5.4. Today the new version 5.0.0 was released, but it is only compatible with Symfony 6.1+. The previous version 4.0.0 was not compatible with Symfony 5.4 (many deprecation warnings) because of the old authenticator format.

Taking a look at #130, one of the main goals is support for 5.1+ versions (and also for 6+), but in composer.json (and the Readme) the minimal required version is 6.1.

Is it possible to consider adapting the code for this Long Term Support version of Symfony?

Thanks for your effort and your work.

Please release a stable version 5

Hi, thanks for maintaining this package!

auth0/php-jwt has recently been abandoned and triggers an error every time you run composer update. It is part of the last stable version of this bundle.
Could you please release a stable version 5, so we can move away from the abandoned package?

Thanks if you have the time :)

Dependencies conflict

Package conflict

We are using V4.0.0 of this package and also using https://github.com/symfony/mercure-bundle

auth0/jwt-auth-bundle uses V7 of auth0/auth0-php, which uses a fork of the lcobucci/jwt package, with the same namespace but added breaking changes.
The mercure bundle uses the original lcobucci/jwt package

see this issue

Resolution

There is a simple way to resolve the problem, since auth0/jwt-auth-bundle *V8 address that exact problem. By upgrading your dependencies on auth0/jwt-auth-bundle to V8 you will solve it.

Setting secret_base64_encoded as false causes an exception

In the jwt_auth configuration block setting secret_base64_encoded to false throws a InvalidConfigurationException with the message

The path "jwt_auth.secret_base64_encoded" cannot contain an empty value, but got false.

Since the default is true, this means I can't set secret_base64_encoded to be false.

Add support for symfony/framework-bundle:^6.0

Describe the problem you'd like to have solved

We are using this bundle yet we cannot upgrade to Symfony 6.0 because this bundle only supports symfony/framework-bundle: ^4.4 || ~5.1.

Likewise, it would not be possible to use this bundle on any new project starting up with Symfony 6 (which is publicly available for over 3 months now)

Describe the ideal solution

Considering that Symfony 5.4 is supported, upgrading to 6.0 should be only the cleanup of deprecations and update in composer.json.
One possible issue could be the Security component and the new Authenticator system, but I see there is an open PR here #121 that solves exactly that problem (it's just a little quiet there somehow).

Alternatives and current work-arounds

N/A

Additional information, if any

N/A

Give us a way to specify cache when the JWTVerifier is created

The Auth0Service uses JWTVerifier from the auth0-PHP SDK. auth0-PHP allows specifying a cache which will greatly speed up requests to the Auth0Service. I am currently experiencing a 3000 millisecond response time for every request that uses the Auth0Service. I manually changed the Auth0Service to use cache and the response time has gone back down to a reasonable 300 milliseconds.

Support new Authenticator system

In SF 5.1, a new Authenticator-based security system was introduced as an experimental feature. With SF 5.3 released (today), the Guard system is deprecated whilst the new Authenticator system is marked stable and will be set as the default for SF 6.0.

Upgrading to SF 5.3 leads to the following deprecation notice:

The "Auth0\JWTAuthBundle\Security\Guard\JwtGuardAuthenticator" class extends "Symfony\Component\Security\Guard\AbstractGuardAuthenticator" that is deprecated since Symfony 5.3, use the new authenticator system instead.

Would be great if the new authenticator system can be supported.

More reading material here:
https://symfony.com/blog/new-in-symfony-5-3-guard-component-deprecation
https://symfony.com/doc/current/security/experimental_authenticators.html
https://symfony.com/doc/current/security/experimental_authenticators.html#creating-a-custom-authenticator

decode call uses invalid arguments

Since this commit was merged it looks to me like Auth0Service::decodeJWT will pass an invalid argument:

return Auth0JWT::decode($encToken, $this->client_id, $this->client_secret, $this->secret_base64_encoded);

but the decode method expects

public static function decode($jwt, $valid_audiences, $client_secret, array $authorized_iss = [])

which results in:
Type error: Argument 4 passed to Auth0\SDK\Auth0JWT::decode() must be of the type array, boolean given

Use interfaces to allow decoration

Describe the problem you'd like to have solved

At this moment we can't decorate parts of the bundle.
My use case is that I would like to add the user to my own database to control more there.
For that I need to plug in to the Authenticator.

For ex. In the AuthenticationController we use an Authenticator but we should use the AuthenticatorInterface.

Describe the ideal solution

Use the contracts everywhere we can to enable proper decoration.

This could allow a decorated Controller for example:

<?php
// src/Controller/DecoratingAuthenticationController.php (path assumed from the namespace)

namespace App\Controller;

use App\Security\DecoratingAuthenticator;
use Auth0\SDK\Auth0;
use Auth0\Symfony\Contracts\Controllers\AuthenticationControllerInterface;
use Auth0\Symfony\Controllers\AuthenticationController;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\DependencyInjection\Attribute\AsDecorator;
use Symfony\Component\DependencyInjection\Attribute\MapDecorated;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\RouterInterface;

#[AsDecorator(decorates: AuthenticationController::class)]
class DecoratingAuthenticationController extends AbstractController implements AuthenticationControllerInterface
{
    private AuthenticationController $inner;

    public function __construct(
        #[MapDecorated] AuthenticationController $inner,
        private readonly RouterInterface $router,
        private readonly DecoratingAuthenticator $authenticator
    ) {
        $this->inner = $inner;
    }

    // The three public actions are delegated unchanged to the decorated controller.
    public function login(Request $request): Response
    {
        return $this->inner->login($request);
    }

    public function logout(Request $request): Response
    {
        return $this->inner->logout($request);
    }

    public function callback(Request $request): Response
    {
        return $this->inner->callback($request);
    }

    protected function getRedirectUrl(string $route): string
    {
        // The route map lives on the bundle's own authenticator, reached through the decorator.
        $routes = $this->authenticator->getInner()->configuration['routes'] ?? [];
        $configuredRoute = $routes[$route] ?? null;

        if (null !== $configuredRoute && '' !== $configuredRoute) {
            try {
                return $this->router->generate($configuredRoute);
            } catch (\Throwable $th) {
                // Unknown or unroutable name: fall through to the empty default below.
            }
        }

        return '';
    }

    protected function getSdk(): Auth0
    {
        return $this->authenticator->getInner()->service->getSdk();
    }
}

<?php
// src/Security/DecoratingAuthenticator.php (path assumed from the namespace)

namespace App\Security;

use Auth0\Symfony\Security\Authenticator;
use Symfony\Component\DependencyInjection\Attribute\AsDecorator;
use Symfony\Component\DependencyInjection\Attribute\MapDecorated;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;

// Note: readonly classes require PHP 8.2; on 8.1 drop the modifier and mark the property readonly instead.
#[AsDecorator(decorates: 'auth0.authenticator')]
readonly class DecoratingAuthenticator implements AuthenticatorInterface
{
    private Authenticator $inner;

    public function __construct(#[MapDecorated] Authenticator $inner)
    {
        $this->inner = $inner;
    }

    /**
     * @throws \JsonException
     */
    public function authenticate(Request $request): Passport
    {
        $session = ($sdk = $this->inner->service->getSdk()) ? $sdk->getCredentials() : null;

        if (null === $session) {
            throw new CustomUserMessageAuthenticationException('No Auth0 session was found.');
        }

        $user = json_encode(['type' => 'stateful', 'data' => $session], JSON_THROW_ON_ERROR);

        return new SelfValidatingPassport(
            new UserBadge($user, function () use ($user, $sdk) {
                $auth0User = $sdk->getUser();

                // Do custom action to save users locally, trigger events, ...

                return $user;
            })
        );
    }

    // Everything else is delegated unchanged to the bundle's authenticator.
    public function supports(Request $request): ?bool
    {
        return $this->inner->supports($request);
    }

    public function createToken(Passport $passport, string $firewallName): TokenInterface
    {
        return $this->inner->createToken($passport, $firewallName);
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return $this->inner->onAuthenticationSuccess($request, $token, $firewallName);
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        return $this->inner->onAuthenticationFailure($request, $exception);
    }

    public function getInner(): Authenticator
    {
        return $this->inner;
    }
}

500 on expired token

JWT::decode can throw ExpiredException, but any exception is converted to CoreException at JWTVerifier->verifyAndDecode.
So CoreException is thrown to Auth0Service->decodeJWT and it is not caught anywhere, which means a 500 for the user's application.

To fix it, we need to create an internal ExpiredException, use it for expired tokens, transform it to AuthenticationException, catch it with the built-in AuthenticationFailureHandlerInterface and return a 401 code according to https://stackoverflow.com/questions/8855297/token-expired-json-rest-api-error-code

Full stack trace: [screenshot attached to the original issue]
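
One way to get the 401 behaviour described above, as an added example that is neither the bundle's code nor the issue author's: a dedicated exception type for expiry, a small wrapper that translates the firebase/php-jwt ExpiredException into it, and a Symfony failure handler that answers 401 instead of letting the exception become a 500. TokenExpiredException, SafeDecoder and JsonFailureHandler are assumed names; the Symfony and firebase/php-jwt classes are real.

```php
<?php
// Added illustration, not part of auth0/symfony: surface an expired token as 401, not 500.
// TokenExpiredException, SafeDecoder and JsonFailureHandler are assumed names.

namespace App\Security;

use Firebase\JWT\ExpiredException;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;

// Dedicated exception type so the failure handler can tell expiry from other failures.
final class TokenExpiredException extends CustomUserMessageAuthenticationException
{
}

final class SafeDecoder
{
    /**
     * Run a decode callback (e.g. one wrapping JWT::decode) and translate the library's
     * ExpiredException into Symfony's AuthenticationException hierarchy.
     *
     * @return array<string, mixed> the decoded claims
     */
    public static function decode(callable $decode): array
    {
        try {
            return $decode();
        } catch (ExpiredException $e) {
            throw new TokenExpiredException('Token has expired.', [], 0, $e);
        }
    }
}

final class JsonFailureHandler implements AuthenticationFailureHandlerInterface
{
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
    {
        // A generic message for every other failure avoids leaking why a credential was rejected.
        $message = $exception instanceof TokenExpiredException
            ? $exception->getMessageKey()
            : 'Authentication failed.';
        return new JsonResponse(['error' => $message], Response::HTTP_UNAUTHORIZED);
    }
}
```

Register JsonFailureHandler as the failure_handler of the firewall that uses the Auth0 authenticator so the 401 applies to every authentication failure on that firewall.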

Links to examples in documentation are broken

Describe the problem

In the Readme, the link to "Symfony API Samples" and the link to "example code" lead to a 404 page.

What was the expected behavior?

Links bringing me to the code samples, which would be important for new users.

Reproduction

Just click the links on the home page of the repository.

Environment

  • master branch
  • Version of this library used:
  • Which framework are you using, if applicable:
  • Other modules/plugins/libraries that might be involved:
  • Any other relevant information you think would be useful:
