PHP (Symfony)

Community maintained

Sample Project

Download a sample project specific to this tutorial configured with your Auth0 API Keys.

System Requirements
  • PHP 5.6, 7.0
  • Symfony 3.*
Show requirements

Before you start

This guide walks you through setting up authentication and authorization in your Symfony apps with Auth0. If you are new to Auth0 we suggest you check our Overview. For a complete picture of authentication and authorization for regular web apps, check our Single Sign-On for Regular Web Apps documentation.

Auth0 uses OAuth. If you want to learn more about the OAuth flows used by regular web apps, read about Authentication for Server-side Web Apps.

Get Your Application Keys

When you signed up for Auth0, you created a new client.

Your application needs some details about this client to communicate with Auth0. You can get these details from the Settings section for your client in the Auth0 dashboard.

You need the following information:

  • Client ID
  • Domain

If you download the sample from the top of this page, these details are filled out for you. If you have more than one client in your account, the sample comes with the values for your Default App.

App Dashboard

Configure Callback URLs

A callback URL is a URL in your application where Auth0 redirects the user after they have authenticated.

You need to whitelist the callback URL for your app in the Allowed Callback URLs field in your Client Settings. If you do not set any callback URL, your users will see a mismatch error when they log in.

If you are following along with the sample project you downloaded from the top of this page, Callback URL should be set to http://localhost:3000/callback.

Using HWIOAuthBundle for Authentication

If you have used Symfony before, you are probably already familiar with the HWIOAuth Bundle. We'll be using it to integrate the Symfony WebApp with Auth0 and achieve Single Sign On with a few simple steps.

Add HWIOAuthBundle to composer.json.

// composer.json

"minimum-stability": "dev",
"prefer-stable": true,
"require": {
    ...
    "hwi/oauth-bundle": ">=0.6",
},

and run composer update

This sample uses Composer, a tool for dependency management in PHP. It allows you to declare the dependent libraries your project needs and it will install them in your project for you.

Enable the Bundle

// app/AppKernel.php

public function registerBundles()
{
    $bundles = array(
        // ...
        new HWI\Bundle\OAuthBundle\HWIOAuthBundle(),
    );
}

Configure the Routes

Add the following routes at the beginning of app/config/routing.yml

hwi_oauth_redirect:
    resource: "@HWIOAuthBundle/Resources/config/routing/redirect.xml"
    prefix:   /connect

hwi_oauth_login:
    resource: "@HWIOAuthBundle/Resources/config/routing/login.xml"
    prefix:   /login

auth0_login:
    path:    /auth0/callback

auth0_logout:
    path: /auth0/logout

Create an Auth0 Resource Owner

You need to create an Auth0 resource owner to enable HWIOAuthBundle to connect to Auth0.

Add this to your src/AppBundle/Auth0ResourceOwner.php

<?php

namespace AppBundle;

use Dotenv\Dotenv;

use Symfony\Component\OptionsResolver\Options;
use Symfony\Component\OptionsResolver\OptionsResolver;

use HWI\Bundle\OAuthBundle\OAuth\ResourceOwner\GenericOAuth2ResourceOwner;

class Auth0ResourceOwner extends GenericOAuth2ResourceOwner
{
    /**
     * {@inheritdoc}
     */
    protected $paths = array(
        'identifier' => 'user_id',
        'nickname' => 'nickname',
        'realname' => 'name',
        'email' => 'email',
        'profilepicture' => 'picture',
    );

    /**
     * {@inheritdoc}
     */
    public function getAuthorizationUrl($redirectUri, array $extraParameters = array())
    {
        return parent::getAuthorizationUrl($redirectUri, array_merge(array(
            'audience' => $this->options['audience'],
        ), $extraParameters));
    }

    /**
     * {@inheritdoc}
     */
    protected function configureOptions(OptionsResolver $resolver)
    {
        parent::configureOptions($resolver);

        $dotenv = new Dotenv(__DIR__ . '/../..');
        $dotenv->load();

        $resolver->setDefaults(array(
            'authorization_url' => '{base_url}/authorize',
            'access_token_url' => '{base_url}/oauth/token',
            'infos_url' => '{base_url}/userinfo',
            'audience' => 'https://'.getenv('AUTH0_DOMAIN').'/userinfo',
        ));

        $resolver->setRequired(array(
            'base_url',
        ));

        $normalizer = function (Options $options, $value) {
            return str_replace('{base_url}', $options['base_url'], $value);
        };

        $resolver->setNormalizer('authorization_url', $normalizer);
        $resolver->setNormalizer('access_token_url', $normalizer);
        $resolver->setNormalizer('infos_url', $normalizer);
    }
}

Configure the Resource Owner

Add this to your app/config/config.yml

hwi_oauth:
    firewall_names: [secured_area]
    resource_owners:
        auth0:
            type:                oauth2
            class:               'AppBundle\Auth0ResourceOwner'
            base_url:            https://YOUR_AUTH0_DOMAIN
            client_id:           YOUR_CLIENT_ID
            client_secret:       YOUR_CLIENT_SECRET
            redirect_uri:        http://yourUrl/auth0/callback
            scope: "openid profile"

User Provider

You can create a user provider that implements OAuthAwareUserProviderInterface and set it up in the next step, or you can use one of the predefined services that HWIOAuthBundle provides.

Configure the OAuth Firewall

This is where you set the filters to select which pages require authentication or authorization. You can read more on how to configure this at the Symfony security docs.

This is a basic example that allows anonymous users and then restricts access to the /secured route. It doesn't store the users in a DB.

This file is app/config/security.yml:

security:
    providers:
        hwi:
            id: hwi_oauth.user.provider

    firewalls:
        secured_area:
            anonymous: ~
            oauth:
                resource_owners:
                    auth0: "/auth0/callback"
                login_path:        /login
                use_forward:       false
                failure_path:      /login

                oauth_user_provider:
                    service: hwi_oauth.user.provider
            logout:
                path:   /auth0/logout
                target: /

    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/secured, roles: ROLE_OAUTH_USER }

Notice that we need to identify the user provided selected in the step before both in the providers and in the firewall.

Triggering Login and accessing user information

Set the following in app/resources/views/index.html.twig

{% if app.user %}
    Welcome, {{ app.user.username }}!<br/>
    {{ dump(app.user) }}
    <a href="{{ url('secured') }}">Protected route</a>
    <a href="{{ logout_url("secured_area") }}">
        <button>Logout</button>
    </a>
{% else %}
    <h1>Symfony Auth0 Quickstart</h1>
    <a href="/connect/auth0"><button>Login</button></a>
{% endif %}

Troubleshooting

SSL certificate problem: self signed certificate in certificate chain

If there is an issue with CAs database on your computer, you may need to download this CAs database. To use it on Windows for example, place it in c:\cacert.pem and point to it in php.ini with openssl.cafile=c:/cacert.pem.

Use Auth0 for FREECreate free Account