Why are domain, client_id, client_secret, and cookie_secret required even when using the "api" strategy?

[benjamin-cohen-solal-believe]

Hi team,

I'm using auth0/symfony to secure a Symfony API that only validates incoming JWT access tokens (no login flow, no token exchange).
According to the documentation, the "api" strategy is meant for this use case — yet the bundle still requires the following configuration fields:

auth0:
sdk:
strategy: "api"
domain: "%env(trim:string:AUTH0_DOMAIN)%"
client_id: "%env(trim:string:AUTH0_CLIENT_ID)%"
client_secret: "%env(trim:string:AUTH0_CLIENT_SECRET)%"
cookie_secret: "%kernel.secret%"

If I omit any of them, I get this error:
The child config "client_secret" under "auth0.sdk" must be configured.

Given that the API strategy doesn’t perform any OAuth exchange or use cookies, could you clarify:

• Why these parameters are required at configuration time?
• Would it make sense to make them optional when "strategy": "api" is set?

Thanks in advance for your clarification!

Best,
Ben

[kishore7snehil]

Hi @benjamin-cohen-solal-believe,

You've identified a valid configuration issue, and your questions get to the heart of the problem.

Answering Your Questions

Q1: Why are these parameters required at configuration time for API strategy?

Short answer: They shouldn't be.
This is a design oversight in the Symfony bundle wrapper, as the underlying Auth0 PHP SDK it uses does correctly support strategy-specific requirements.

The API strategy only needs:

• domain (to fetch JWKS for token signature validation)
• audiences (to validate the token's aud claim)

Q2: Would it make sense to make them optional when "strategy": "api" is set?

Absolutely yes.

Current Workaround

Until this is fixed, you can use dummy values since they're ignored:

auth0:
  sdk:
    strategy: "api"
    domain: "%env(AUTH0_DOMAIN)%"
    client_id: "not-used"      # Ignored by API strategy
    client_secret: "not-used"  # Ignored by API strategy  
    cookie_secret: "not-used"  # Ignored by API strategy
    audiences:
      - "%env(AUTH0_API_AUDIENCE)%"

The ideal solution is to refactor the config/definition.php file to make the configuration requirements conditional based on the strategy value. This would make the bundle more intuitive and align it perfectly with the underlying SDK's capabilities.

Unfortunately, my current bandwidth is limited, and I won't be able to prioritize a fix for this in the near future.

This seems like a great opportunity for a community contribution. If you (or anyone else reading this) would be interested in submitting a Pull Request to implement this conditional logic, we would be happy to review it and guide you through the process. It would be a valuable improvement for the bundle.

Thanks again for bringing this to our attention! We'll track this as a known issue.