Part three in the delegated access series.

The approval flow: FGA resolves the approver, Auth0 CIBA sends a Guardian push, approval creates a delegation. Also: why CIBA consent does not persist across sessions, and why that's fine.

https://tobytes.com/articles/delegated-access-approval-auth0-ciba

#Auth0 #CIBA #Identity #FGA

Delegated access part three: approval flows and Auth0 CIBA

The previous post covered how a patient proactively grants a carer access to their record. This post covers the inverse: a user requests access they do not yet have, and the account holder approves it in real time using Auth0's Client-Initiated Backchannel Authentication.

Second post in the series on delegated access — the implementation side.

How Auth0, Auth0 FGA and an application data store fit together: the authorisation model, the delegation lifecycle, MFA step-up, and an on-behalf-of token where sub=patient and act.sub=carer.

https://tobytes.com/articles/implementing-delegated-access-auth0-fga

#Auth0 #FGA #Identity

Implementing delegated access with Auth0 and Auth0 FGA

The first post in this series covered why separating the authenticated actor from the account they are acting within matters. This post covers how to build it: the data model, the integration points between Auth0, Auth0 FGA and a standard application data store, and the key flows from delegation grant through to acting on someone else's behalf.

Auth0 has three session layers, four refresh token variants, DPoP, back-channel logout, a Session Management API, and Actions that can override all of it at runtime.

Every option explained with pros/cons and when to combine them.

https://tobytes.com/articles/auth0-session-token-management-options-explained

#Auth0 #Identity #OAuth

Auth0 Session and Token Management: Every Option Explained

Auth0 gives you a lot of knobs to turn when it comes to sessions and tokens — enough that the choices start to blur together. This post maps out every option, what it does, when you'd reach for it, and how they work together for different application types.

Learn how to implement Auth0 PKCE for secure authorization in Single Page Applications. Enhance your app's security today!

https://iamdevbox.com/posts/auth0-pkce-implementation-secure-authorization-code-flow-for-spas/?utm_source=mastodon&utm_medium=social&utm_campaign=blog_post

#auth0 #pkce #spas #security

"it works" and "it's secure" are not the same thing with auth, especially when an AI wrote the code 😅

the #Auth0 plugin for Cursor exists so the generated code clears both bars 👀 https://cursor.com/marketplace/auth0

Auth0 | Cursor Plugins

Auth0 skills for quickstarts, migration, MFA, branding, custom domains, Advanced Custom Universal Login (ACUL) screen generation, and framework-specific S…

🆕 blog! “Auth0 PHP - manually authenticating JWT idTokens”

I find it baffling just how poorly documented most big projects are. Auth0 by Okta has a fair bit of cash, lots of customers, and almost completely absent documentation.

Here's how to successfully authenticate a JWT supplied by Auth0.

Once your user has authenticated with Auth0, they will be given an…

👀 Read more: https://shkspr.mobi/blog/2026/06/auth0-php-manually-authenticating-tokens/

#Auth0 #HowTo #php #Symfony

Auth0 PHP - manually authenticating JWT idTokens

I find it baffling just how poorly documented most big projects are. Auth0 by Okta has a fair bit of cash, lots of customers, and almost completely absent documentation. Here's how to successfully authenticate a JWT supplied by Auth0. Once your user has authenticated with Auth0, they will be given an accessToken and an idToken. Only the idToken is needed for our purposes. It will look…

Terence Eden’s Blog

Auth0 PHP - manually authenticating JWT idTokens

https://shkspr.mobi/blog/2026/06/auth0-php-manually-authenticating-tokens/

I find it baffling just how poorly documented most big projects are. Auth0 by Okta has a fair bit of cash, lots of customers, and almost completely absent documentation.

Here's how to successfully authenticate a JWT supplied by Auth0.

Once your user has authenticated with Auth0, they will be given an accessToken and an idToken. Only the idToken is needed for our purposes.

It will look something like this:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiYzEyMyJ9.eyJnaXZlbl9uYW1lIjoiSm8iLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJuaWNrbmFtZSI6IkpvVGVzdCIsIm5hbWUiOiJKbyBMZSBUZXN0IiwicGljdHVyZSI6Imh0dHBzOi8vZXhhbXBsZS5jb20vam8ucG5nIiwidXBkYXRlZF9hdCI6IjIwMjYtMDQtMjhUMTM6NTk6NTUuNjcxWiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJpc3MiOiJodHRwczovL2V4YW1wbGUuZXUuYXV0aDAuY29tLyIsImF1ZCI6ImFiYzEyMyIsInN1YiI6ImZhY2Vib29rfDEyMzQ1NiIsImlhdCI6MTc3NzM4NDc5NiwiZXhwIjoxNzc3NDIwNzk2LCJzaWQiOiJhYmMxMjMtNDU2LWRlZmdoaWprIiwibm9uY2UiOiIxMjM0NTY3ODkwIn0.ZgnZxOOtfczLewlm_agK6mJMYetVTZrHlBlu5qzXbADlhvZB8RraVuFKmFutLZLibMQxz_RY0oh4hRufVWDHJ0kuocW38kRHztDg7R5KOfvJEM46WW49xvhLhKprzkx9WXDDlpCRNL0QbBK2U0F1VjmRpTp1Q5cHEd8PBsa4rGAhfqudXp5JrC2Lm5e7ji0AQ_s7HJhy59b9mTb3tMqHGsrWDZS915zHPYEQtSvg5o9sSx1tCRfsyL6kdsdkaTffQjJDUrT5hpIQ-2_9tGuqioJjP4c0edQ85TaK9UnSxfzMQ8gYez963kbo_Iv1fJyaTVwXR-AVvwK-CeGJAFrheQ

Yeuch! If you stick it into JWT.io you'll see that it is Base64 encoded JSON containing a header, body, and signature. Each part is separated by a . character.

You could manually decode it, but that's a bit of a pain in the arse. So here's how to do it with the Auth0 PHP library. I'm using the Symfony one, but it should all be fairly similar.

First, import the library:

    use Auth0\SDK\Auth0;

Next, you'll need to send the token to the PHP. You can do this in a header, GET, or similar:

    $authHeader = $request->headers->get("Auth0-Authorization");

Then, set up Auth0 so that it can parse and validate the token:

    try {
        $token = $authHeader;
        $auth0 = new Auth0([
            "domain" => $_ENV["AUTH0_DOMAIN"],
            "clientId" => $_ENV["AUTH0_CLIENT_ID"],
            "clientSecret" => $_ENV["AUTH0_CLIENT_SECRET"],
            "cookieSecret" => "_" // Dummy value.
        ]);
        $decoded = $auth0->decode(
            token: $token,
            tokenType: \Auth0\SDK\Token::TYPE_ID_TOKEN,
        );
    } catch (\Exception $e) {
        error_log("Auth0 Error - {$e}");
        $decoded = null; // Validation failed: treat the request as unauthenticated.
    }

The cookieSecret must be set - even though you aren't using cookies. Any non-null value is fine.

The tokenType must also be set correctly.

Assuming all goes well, you will have a decoded object which has validated against Auth0. So how do you get the user's details from it?

Well, you could split the original idToken at the period character and Base64 decode the middle one. Try it now to see what it contains! Or print_r() the decoded token to see it in all its cryptographic glory.

The easiest way is to do:

    $claims = $decoded->toArray();

Then you can access various properties by doing:

    $username = $claims["nickname"];
    $identifier = $claims["sub"];

Perhaps there is a more official way - but I couldn't find anything in the documentation. Hurrah for reading source code!

#Auth0 #HowTo #php #Symfony
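The following is an added example, not code from the post above or from the Auth0 SDK: it wraps the same SDK decode() call in a function that fails closed, so a request with a missing or invalid token never reaches the claims-reading code with an undefined $decoded, and it passes the login nonce to decode() so the ID token is bound to the login attempt that produced it. It assumes the auth0/auth0-php SDK v8 (whose decode() accepts the named parameters tokenNonce and tokenType), a Symfony Request with a session, the "Auth0-Authorization" header name used in the post, and a session key "auth0_nonce" that the login step is assumed to have stored.

```php
<?php
// Added example (not from the original post): validate an Auth0 ID token and
// return its claims, failing closed on any missing or invalid token.
// Assumptions: auth0/auth0-php SDK v8, a Symfony Request with a session, the
// header name "Auth0-Authorization", and a session key "auth0_nonce" written
// when the login was started.
use Auth0\SDK\Auth0;
use Auth0\SDK\Token;
use Symfony\Component\HttpFoundation\Request;

/**
 * Returns the validated ID token claims, or null when the request carries no
 * usable token. Callers must treat null as "unauthenticated".
 */
function claimsFromIdToken(Request $request): ?array
{
    $token = $request->headers->get('Auth0-Authorization');
    if ($token === null || $token === '') {
        return null; // No token presented: nothing to validate.
    }

    // The nonce sent to Auth0 when login started (assumed session key). Without
    // it we cannot tie this token to a login attempt, so refuse rather than skip.
    $expectedNonce = $request->getSession()->get('auth0_nonce');
    if (!is_string($expectedNonce) || $expectedNonce === '') {
        return null;
    }

    try {
        $auth0 = new Auth0([
            'domain'       => $_ENV['AUTH0_DOMAIN'],
            'clientId'     => $_ENV['AUTH0_CLIENT_ID'],
            'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
            'cookieSecret' => '_', // Required by the SDK even though no cookies are used.
        ]);

        // decode() verifies the signature against the tenant's keys and checks
        // issuer, audience and expiry; tokenNonce additionally requires the
        // token's "nonce" claim to match the value stored at login time.
        $decoded = $auth0->decode(
            token: $token,
            tokenNonce: $expectedNonce,
            tokenType: Token::TYPE_ID_TOKEN,
        );
    } catch (\Exception $e) {
        // Log the reason for operators, but give the caller only "not authenticated".
        error_log('Auth0 Error - ' . $e->getMessage());
        return null;
    }

    return $decoded->toArray();
}

// Usage inside a Symfony controller action:
//   $claims = claimsFromIdToken($request);
//   if ($claims === null) {
//       return new \Symfony\Component\HttpFoundation\JsonResponse(['error' => 'unauthorized'], 401);
//   }
//   $username   = $claims['nickname'];
//   $identifier = $claims['sub'];
```

The design choice worth noting is that every failure path returns null from one place, so the controller has a single check to make before trusting any claim; the original inline snippet logs the exception and then continues, which would leave $decoded undefined on the next line.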

ask #cursor to 'add login to my app' without the #auth0 plugin and the code compiles just fine… it might also ship 3 security holes an audit would flag on sight 😬

lemme walk through them 👇

New video in the #auth0 channel! 🍿🍿

This one's short (under 3 min) and shows the new dry-run feature in the Auth0 Deploy CLI, preview what a deploy will change before it runs 👀

Go check it out and let me know what you think, would you use this?

https://youtu.be/jGX2YlXHc7E

Preview Auth0 Changes Safely with Deploy CLI Dry Run

YouTube

Identity systems answer 'who are you?' well. They struggle with 'and who are you acting for?'

New post on delegated access — why separating the actor from the account matters across healthcare, financial services, telco and more, and how Auth0 + Auth0 FGA address the two sides of the problem.

https://tobytes.com/articles/acting-on-behalf-of-separating-actor-from-account

#Auth0 #FGA #Identity

Acting on behalf of: separating the actor from the account in modern identity

Identity systems are very good at answering one question: who are you? What they are less good at is the follow-up: and who are you acting for? In this post I will look at why separating the authenticated user from the account or person they are acting within is important, what it enables across a range of industries, and how Auth0 and Auth0 FGA address the two complementary sides of the problem.