Integration of Auth0 PHP SDK into Nette framework

tl;dr The Auth0 Nette Extension has been open-sourced by Some move and is available on the Packagist Composer repository.

Nette is a popular PHP framework developed in Czechia. It even appeared as the 3rd most popular framework in the 2015 annual survey by SitePoint.

Auth0 is an identity management service that lets developers and companies offload user management and its security aspects to an existing solution. It also integrates existing solutions such as social login buttons or Microsoft Active Directory to unify the signup/signin process, and it provides developers with dozens of ready-made SDKs, libraries and integrations.

At Some move, we use Auth0 to connect users from our Microsoft Office365 subscription with the user base of our WordPress sites as well as our in-house travel planning website TravelSupport. Regardless of the website or software, we always sign in using our @somemove.cz credentials. Since our TravelSupport website is written in PHP using the Nette framework, we used Auth0 PHP to implement the authorization code grant flow. You can learn the basics of Nette & Auth0 in the tutorial.

But the extension code goes further.

Extension with defaults — Without the extension, the Auth0\SDK\Auth0 class needs to be listed in services, as the tutorial shows. Nette and Auth0 do not integrate smoothly: both touch the session, and to make them work together in the Nette ecosystem the best option is to disable the SDK's persistence of all received data as well as its state handler.

The 1.0 version of the extension does exactly this, but it also supplies defaults for all optional parameters. Instead of declaring a new service, a new section auth0 is expected in the config file, where you declare just the client credentials and the other required details.

auth0:
	domain: 'your.auth0.com'
	audience: 'https://audience.url'
	scope: 'openid profile offline_access'
	client_id: '{CLIENT_ID}'
	client_secret: '{CLIENT_SECRET}'
	redirect_uri: 'https://your.callback'

This is also the place where you can override the defaults if you like.

Nette Session Store — We wanted to store the tokens as well as the user information in the session. The Auth0 SDK provides an interface for implementing a custom session store, so we created one. It receives a Session object from Nette Dependency Injection and uses that object to store the key-value pairs received during the authorization flow. The logic in the store also works around session start-up timing: Auth0 executes its code before Nette has initialized its Session object.

The 1.1 version of the extension initializes the session store by default and injects it into the Auth0 client. To disable persistence, you can always declare store = FALSE, or set FALSE for the respective key kept in the store.
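As an added illustration of the store described above (example code written for this post, not the extension's own implementation), here is a Nette-backed store for the SDK's StoreInterface; the App\Auth0 namespace and the auth0 section name are assumptions, and the interface is the v5-era Auth0\SDK\Store\StoreInterface with set/get/delete:

```php
<?php
// Added example: Nette Session backed store for the Auth0 PHP SDK.
// Assumes the v5-era Auth0\SDK\Store\StoreInterface (set/get/delete).
declare(strict_types=1);

namespace App\Auth0; // hypothetical namespace

use Auth0\SDK\Store\StoreInterface;
use Nette\Http\Session;
use Nette\Http\SessionSection;

final class NetteSessionStore implements StoreInterface
{
    private const SECTION = 'auth0'; // hypothetical section name

    /** @var Session */
    private $session;

    public function __construct(Session $session)
    {
        $this->session = $session;
    }

    /**
     * The SDK may touch the store before Nette has started the session,
     * so the section is resolved lazily and the session started on demand.
     */
    private function section(): SessionSection
    {
        if (!$this->session->isStarted()) {
            $this->session->start();
        }
        return $this->session->getSection(self::SECTION);
    }

    public function set($key, $value)
    {
        $this->section()->$key = $value;
    }

    public function get($key, $default = null)
    {
        $section = $this->section();
        return isset($section->$key) ? $section->$key : $default;
    }

    public function delete($key)
    {
        unset($this->section()->$key);
    }
}
```

Keeping tokens in a dedicated session section means they are cleared together with the rest of the Nette session on logout, and the SDK's persist options still decide which keys ever reach the store.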

What next?

To fully cover the features of the Auth0 client in Nette, we still lack a Nette implementation of SessionStateHandler. That is the last part currently disabled, because it touches the PHP session directly.

For a more ready-made implementation, we could package an Auth0 Nette Authenticator so developers do not need to repeat the code. The same goes for a presenter that initiates the login process.