PHP: Logging in, out, and returning user profiles with Auth0-PHP
The Auth0-PHP SDK bundles three core classes: Auth0\SDK\Auth0, Auth0\SDK\API\Authentication and Auth0\SDK\API\Management, each offering interfaces for different functionality across Auth0's APIs. If you're building a stateful web application that needs to keep track of users' sessions, the base Auth0 class is what you'll be working with the most. It provides methods for common authentication and session handling tasks such as logging in and out, retrieving user credentials, checking for an available session, and callback handling. These tasks are explained below.
For additional information on these capabilities and more, please see the documentation page for the Authentication API.
Prerequisites
The documentation below assumes that you have followed the steps in the Auth0-PHP getting started guide and continues from the code provided there.
Logging In
The default login process in the PHP SDK uses an Authorization Code grant combined with Auth0's Universal Login Page. In short, that process is:
1. A user requesting access is redirected to the Universal Login Page.
2. The user authenticates using one of many possible connections: social (Google, X, Facebook), database (email and password), passwordless (email, SMS), or enterprise (ActiveDirectory, ADFS, Office 365).
3. The user is redirected or posted back to your application's callback URL with code and state values if successful, or an error and error_description if not.
4. If the authentication was successful, the state value is validated.
5. If the state is valid, the code value is exchanged with Auth0 for an ID Token and/or an Access Token.
6. The identity from the ID token can be used to create an account, to start an application-specific session, or to persist as the user session.
Auth0-PHP handles most of these steps automatically for you. Your application will need to:
1. Call Auth0\SDK\Auth0::login() when users need to log in (for example: click a link, visit walled content, etc.)
2. Call Auth0\SDK\Auth0::exchange() when users are redirected to your callback URL.
3. Call Auth0\SDK\Auth0::getCredentials() when you need to check if a user is logged in and retrieve user information.
A simple implementation of these steps looks like this:
// 👆 We're continuing from the "getting started" guide linked in "Prerequisites" above. Append this to the index.php file you created there.

// getExchangeParameters() can be used on your callback URL to verify all the necessary parameters are present for post-authentication code exchange.
if ($auth0->getExchangeParameters()) {
    // If they're present, we should perform the code exchange.
    $auth0->exchange();
}

// Check if the user is logged in already
$session = $auth0->getCredentials();

if ($session === null) {
    // User is not logged in!
    // Redirect to the Universal Login Page for authentication.
    header("Location: " . $auth0->login());
    exit;
}

// 🎉 At this point we have an authenticated user session accessible from $session; your application logic can continue from here!
echo "Authenticated!";
Finally, you'll need to add your application's URL to your Auth0 Application's "Allowed Callback URLs" field on the settings page. After that, loading your scripted page should:
Immediately redirect you to an Auth0 login page for your tenant.
After successfully logging in using any connection, redirect you back to your app.
Display a simple page showing 'Authenticated!'.
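The snippet above covers the happy path only. The flow described earlier also has two failure branches that a production callback should handle: Auth0 returning error and error_description instead of a code, and the state check failing during exchange() (a stale tab, a replayed URL, or a cross-site forgery attempt). The following is an added example, not code from the Auth0 page or the SDK; it assumes the Auth0-PHP v8 SDK installed via Composer, that exchange() throws Auth0\SDK\Exception\StateException on a state mismatch, and the placeholder configuration values shown in the comments.

```php
<?php
// Added example (not from the Auth0 page): index.php with the failure branches
// of the Authorization Code flow handled explicitly.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Auth0\SDK\Auth0;
use Auth0\SDK\Exception\StateException;

// Placeholder configuration; use the values from your own tenant / getting started guide.
$auth0 = new Auth0([
    'domain'       => 'YOUR_TENANT.auth0.com',   // placeholder
    'clientId'     => 'YOUR_CLIENT_ID',          // placeholder
    'clientSecret' => 'YOUR_CLIENT_SECRET',      // placeholder
    'cookieSecret' => 'A_LONG_RANDOM_SECRET',    // placeholder; encrypts the SDK's session cookie
]);

/** Query-string values end up in logs: keep them printable and bounded so they cannot forge log lines. */
function sanitizeForLog(string $value): string
{
    return substr(preg_replace('/[^\x20-\x7E]/', '?', $value), 0, 200);
}

// 1. Auth0 reported a failure (user cancelled, connection denied access, misconfiguration, ...).
//    Log the machine-readable code for operators; show the user only a generic message.
if (isset($_GET['error'])) {
    error_log(sprintf(
        'Auth0 login failed: %s (%s)',
        sanitizeForLog((string) $_GET['error']),
        sanitizeForLog((string) ($_GET['error_description'] ?? 'no description'))
    ));
    http_response_code(401);
    echo '<p>Login failed. Please try again.</p>';
    exit;
}

// 2. Callback with code + state present: perform the exchange and treat a state
//    mismatch as a hard failure rather than silently continuing without a session.
if ($auth0->getExchangeParameters()) {
    try {
        $auth0->exchange();
    } catch (StateException $e) {
        // The state returned by Auth0 does not match the one this browser started with.
        error_log('Auth0 state validation failed: ' . sanitizeForLog($e->getMessage()));
        $auth0->clear();            // drop any partial transient state
        http_response_code(400);
        echo '<p>Login could not be completed. Please start again.</p>';
        exit;
    } catch (\Exception $e) {
        // Network or token-validation problems: fail closed, never assume a user is logged in.
        error_log('Auth0 code exchange failed: ' . sanitizeForLog($e->getMessage()));
        http_response_code(502);
        echo '<p>Login is temporarily unavailable.</p>';
        exit;
    }
    // Redirect to the bare URL so a browser refresh does not resubmit the one-time code.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
    exit;
}

// 3. No callback parameters: reuse an existing session or start a new login.
$session = $auth0->getCredentials();
if ($session === null) {
    header('Location: ' . $auth0->login());
    exit;
}

echo 'Authenticated!';
```

The post-exchange redirect is worth keeping even in a minimal app: it removes the single-use code and state from the browser's address bar and history, so a refresh or a shared link does not replay the callback.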
Profile
Now that we have authenticated a user, we can work with their persisted session data to do things like display user profiles.
// 👆 We're continuing from code above. Append this to the index.php file.

printf(
    '<h1>Hi %s!</h1>
    <p><img width="100" src="%s"></p>
    <p><strong>Last update:</strong> %s</p>
    <p><strong>Contact:</strong> %s %s</p>
    <p><a href="logout.php">Logout</a></p>',
    isset($session->user['nickname']) ? strip_tags($session->user['nickname']) : '[unknown]',
    isset($session->user['picture']) ? filter_var($session->user['picture'], FILTER_SANITIZE_URL) : 'https://gravatar.com/avatar/',
    isset($session->user['updated_at']) ? date('j/m/Y', strtotime($session->user['updated_at'])) : '[unknown]',
    isset($session->user['email']) ? filter_var($session->user['email'], FILTER_SANITIZE_EMAIL) : '[unknown]',
    ! empty($session->user['email_verified']) ? '✓' : '✗'
);
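Profile claims such as nickname, picture and email are user-controlled data that arrives from the identity provider, so they need context-aware output encoding before being placed in HTML. strip_tags() and FILTER_SANITIZE_URL reduce the risk but are not escaping: strip_tags() leaves quotes and entities untouched, and FILTER_SANITIZE_URL only drops characters that are illegal in a URL, so a javascript: scheme passes through it unchanged. The following is an added example, not code from the Auth0 page; it wraps the same fields in a small rendering function that uses htmlspecialchars() and allows only https picture URLs, and runs it over a constructed claim set (the renderProfile, safePictureUrl and e helper names are this example's own).

```php
<?php
// Added example (not from the Auth0 page): rendering user claims with HTML output encoding.
declare(strict_types=1);

/** Escape a value for HTML text and attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Accept only well-formed https URLs for the avatar; anything else gets a neutral fallback. */
function safePictureUrl(?string $url): string
{
    if ($url !== null
        && filter_var($url, FILTER_VALIDATE_URL) !== false
        && strtolower((string) parse_url($url, PHP_URL_SCHEME)) === 'https') {
        return $url;
    }
    return 'https://gravatar.com/avatar/';
}

/** Build the profile fragment from the claims array held in $session->user. */
function renderProfile(array $user): string
{
    $nickname = (string) ($user['nickname'] ?? '[unknown]');

    $updated = '[unknown]';
    if (isset($user['updated_at']) && ($ts = strtotime((string) $user['updated_at'])) !== false) {
        $updated = date('j/m/Y', $ts);
    }

    $email = '[unknown]';
    if (isset($user['email']) && filter_var($user['email'], FILTER_VALIDATE_EMAIL) !== false) {
        $email = (string) $user['email'];
    }

    $verified = !empty($user['email_verified']) ? '✓' : '✗';

    return sprintf(
        '<h1>Hi %s!</h1>
<p><img width="100" src="%s" alt=""></p>
<p><strong>Last update:</strong> %s</p>
<p><strong>Contact:</strong> %s %s</p>
<p><a href="logout.php">Logout</a></p>',
        e($nickname),
        e(safePictureUrl(isset($user['picture']) ? (string) $user['picture'] : null)),
        e($updated),
        e($email),
        $verified
    );
}

// Constructed sample claims standing in for $session->user; the nickname and picture
// values deliberately contain markup and a non-https scheme to show that neither
// reaches the page unescaped.
$sampleUser = [
    'nickname'       => '<b>jane</b> "the" tester',
    'picture'        => 'javascript:void(0)',
    'updated_at'     => '2024-05-01T12:00:00.000Z',
    'email'          => 'jane@example.com',
    'email_verified' => true,
];

echo renderProfile($sampleUser);
```

In the rendered output the nickname appears as literal text (&lt;b&gt;jane&lt;/b&gt; ...), the avatar falls back to the gravatar placeholder, and the date shows as 1/05/2024, matching the j/m/Y format used on the page.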
Logout
In addition to logging in, we also want users to be able to log out. When users log out, they must invalidate their session for the application. For this SDK, that means destroying their persistent user and token data:
// Log out of the application.
header("Location: " . $auth0->logout());
exit;
If you're using Single Sign-on (SSO) and also want to end their Auth0 session, see the SSO Logout section here. More information about logging out, in general, can be found here.
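The profile snippet above links to logout.php, so that file needs to exist and needs the same configured Auth0 instance as index.php. The following is an added example, not code from the Auth0 page or the SDK; it assumes the Auth0-PHP v8 SDK, that logout() both clears the SDK's local session data and returns the Auth0 logout URL (ending the tenant-level session too), that clear() drops only the local session, and placeholder configuration and return URL values.

```php
<?php
// Added example (not from the Auth0 page): logout.php for the application built above.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Auth0\SDK\Auth0;

// Placeholder configuration; must match the one used in index.php so the same session cookie is read.
$auth0 = new Auth0([
    'domain'       => 'YOUR_TENANT.auth0.com',   // placeholder
    'clientId'     => 'YOUR_CLIENT_ID',          // placeholder
    'clientSecret' => 'YOUR_CLIENT_SECRET',      // placeholder
    'cookieSecret' => 'A_LONG_RANDOM_SECRET',    // placeholder
]);

// Where Auth0 sends the browser once it has ended the Auth0 session. Hard-code or whitelist it:
// taking it from the request would turn this page into an open redirect. The value must also be
// listed in the application's "Allowed Logout URLs" setting or Auth0 will reject the request.
$returnTo = 'https://example.com/';   // placeholder

if (isset($_GET['local'])) {
    // Local-only logout: forget the user and tokens in this app but leave the Auth0 session
    // (and any SSO sessions in other apps) untouched.
    $auth0->clear();
    header('Location: /');
    exit;
}

// Full logout: clear the local session and redirect to Auth0, which ends the Auth0 session
// and then returns the browser to $returnTo.
header('Location: ' . $auth0->logout($returnTo));
exit;
```

Always send the browser away with exit after the header() call: any code that runs afterwards still executes with the request's state, and output emitted after the redirect header is easy to miss in testing.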