Labsco
auth0 logo

auth0-php

37

by auth0 · part of auth0/agent-skills

Use when adding session-based login, logout, or user profile to a PHP web application. Integrates auth0/auth0-php — use even if the user says "add login to my PHP app".

🧩 One of 7 skills in the auth0/agent-skills package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

Auth0 PHP Web App Integration

Add login, logout, and user profile to a PHP web application using auth0/auth0-php.


When NOT to Use

  • PHP APIs with JWT Bearer validation - Use auth0-php-api for stateless API token validation
  • Laravel applications - Use a dedicated Laravel integration with auth0/laravel-auth0
  • Symfony applications - Use a dedicated Symfony integration with auth0/symfony
  • Single Page Applications - Use auth0-react, auth0-vue, or auth0-angular for client-side auth
  • Next.js applications - Use auth0-nextjs which handles both client and server
  • Node.js web apps - Use auth0-express or auth0-fastify for session-based auth

Key SDK Methods

MethodSignaturePurpose
login$auth0->login(?string $redirectUrl, ?array $params): stringReturns authorization URL string - redirect user to it
exchange$auth0->exchange(?string $redirectUri, ?string $code, ?string $state): boolExchanges authorization code for tokens, establishes session
getCredentials$auth0->getCredentials(): ?objectReturns current session credentials or null
getExchangeParameters$auth0->getExchangeParameters(): ?objectChecks if callback contains exchange parameters
logout$auth0->logout(?string $returnUri, ?array $params): stringReturns Auth0 logout URL string
renew$auth0->renew(?array $params): selfRefreshes expired access token (requires offline_access scope)
clear$auth0->clear(bool $transient = true): selfClears local session without Auth0 logout

Credentials Object

After successful authentication, getCredentials() returns an object with:

$credentials = $auth0->getCredentials();

$credentials->user;                    // array - user profile claims
$credentials->idToken;                 // string - raw ID token
$credentials->accessToken;             // string - access token
$credentials->refreshToken;            // string|null - refresh token (requires offline_access)
$credentials->accessTokenExpiration;   // int - expiration timestamp
$credentials->accessTokenExpired;      // bool - whether token is expired
$credentials->accessTokenScope;        // array - granted scopes

User profile claims ($credentials->user):

  • sub - unique user identifier
  • name, nickname, picture
  • email, email_verified
  • given_name, family_name
  • updated_at, locale

  • auth0-php-api - For protecting PHP APIs with JWT Bearer token validation
  • auth0-quickstart - Basic Auth0 setup and framework detection
  • auth0-cli - Manage Auth0 resources from the terminal
  • auth0-mfa - Add Multi-Factor Authentication

Quick Reference

SdkConfiguration for web apps:

$configuration = new SdkConfiguration(
    strategy: SdkConfiguration::STRATEGY_REGULAR,        // required
    domain: $_ENV['AUTH0_DOMAIN'],                        // required
    clientId: $_ENV['AUTH0_CLIENT_ID'],                   // required
    clientSecret: $_ENV['AUTH0_CLIENT_SECRET'],           // required
    cookieSecret: $_ENV['AUTH0_COOKIE_SECRET'],           // required
    redirectUri: $_ENV['AUTH0_REDIRECT_URI'],             // required
    scope: ['openid', 'profile', 'email'],               // recommended
);

Route protection pattern:

$credentials = $auth0->getCredentials();
if (null === $credentials) {
    header('Location: /login');
    exit;
}

Environment variables:

  • AUTH0_DOMAIN - your Auth0 tenant domain (e.g. tenant.us.auth0.com)
  • AUTH0_CLIENT_ID - your Application's client ID
  • AUTH0_CLIENT_SECRET - your Application's client secret
  • AUTH0_COOKIE_SECRET - encryption secret key (generate: openssl rand -hex 32)
  • AUTH0_REDIRECT_URI - callback URL (e.g. http://localhost:3000/callback)

Detailed Documentation

  • Setup Guide - Automated setup scripts, environment configuration, Auth0 CLI usage
  • Integration Guide - Protected routes, calling APIs, session management, error handling
  • API Reference - Complete Auth0 SDK API, configuration options, session storage, security

References