Get authenticated user with Laravel Passport and grant password


Solution 1

You forgot the appropriate middleware.

Route::get('/user', function(Request $request) {
    return Auth::user();
})->middleware('auth:api');

The authentication flow is not fired when you don't mention the auth middleware. That's why you get null.

Solution 2

I had the same problem as you, and I solved it after I manually defined the auth guard.

Route::get('/user', function (Request $request) {
  return auth()->guard('api')->user();
});

Solution 3

You need to pass the Access token back with every request. Please check the documentation for this part here
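The three answers above combined into one routes file, as an added example that is not part of the original answers: a route that requires the Passport token and a route where authentication is optional. The `/feed` route, the returned field names and the `api` guard definition in the comment are assumptions for illustration.

```php
<?php
// routes/api.php -- added illustration, not code from the original answers.
// Assumes config/auth.php defines the 'api' guard with Passport's driver:
//   'guards' => ['api' => ['driver' => 'passport', 'provider' => 'users']]

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;

// Mandatory authentication: the auth:api middleware resolves the user from
// the Bearer token and rejects the request (401 for JSON clients) otherwise.
Route::middleware('auth:api')->get('/user', function (Request $request) {
    // auth:api made 'api' the default guard for this request, so
    // $request->user() now returns the token's owner instead of null.
    // Return only the fields the consumer needs (assumed column names).
    return $request->user()->only(['id', 'name', 'email']);
});

// Optional authentication: no auth middleware, so ask the 'api' guard
// explicitly. It returns null when the token is missing or invalid.
Route::get('/feed', function () {
    $user = Auth::guard('api')->user();

    if ($user === null) {
        // Anonymous caller: serve only the public view.
        return response()->json(['audience' => 'public']);
    }

    return response()->json([
        'audience' => 'member',
        'user_id'  => $user->getAuthIdentifier(),
    ]);
});
```

The consuming application still has to send `Authorization: Bearer <access_token>` on every call, as in the question's Guzzle code.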

Author: Asier Paz

Updated on July 09, 2022

Comments

  • Asier Paz almost 2 years

    I did an API REST with Laravel and now I'm trying to consume it. The thing is I need to authenticate users in the API and I am using the Password Grant method. I can authenticate users correctly and I can get an access token but from then, I don't see a way to retrieve the authenticated user with the access token in my consuming application.

    I tried in the API with a route like this:

    Route::get('/user', function(Request $request) {
        $user = $request->user();
        // Even with
        $user = Auth::user();
    
        return $user;
    });
    

    No dice. I am reading Passport code but I can't figure it out. My guess is that I would need to specify a new guard type or something because it doesn't seem that Laravel Passport provides one for this kind of grant type...

    To clarify things:

    • I have an API REST application, which is the oAuth2 Server.
    • I have another application consuming the API REST.
    • I do know the workflow. In my case, with Password Grant, I get the user credentials in my consumer application, then I make a request to /oauth/token specifying the grant_type to password, I provide the user credentials along with my client credentials, which I am sure they were generated with "php artisan passport:client --password" (note the --password option)
    • I can get the access token with no problems. What I need now, is to get a JSON representation of the user I just authenticated from the API REST. But here is the problem: I just have an access token. Nothing I can relate with the user.

    Or can I? Maybe I can extend the method that authenticates password grant requests to relate the generated access token to the user it is authenticating... *light bulb turns on*

    Consuming application test code:

    try {
        $client = new Client();
        $result = $client->post('https://myapi.com/oauth/token', [
            'form_params' => [
                'grant_type' => 'password',
                'client_id' => '5',
                'client_secret' => 'my_secret',
                'username' => 'user_I_am_authenticating',
                'password' => 'the_user_password',
                'scope' => '',
            ]
        ]);
        $access_token = json_decode((string) $result->getBody(), true)['access_token'];
        $result = $client->get('https://myapi.com/client/user', [
            'headers' => [
                'Content-Type' => 'application/json',
                'Accept' => 'application/json',
                'Authorization' => "Bearer $access_token",
            ]
        ]);
    
        return (string) $result->getBody();
    } catch (GuzzleException $e) {
        return "Exception!: " . $e->getMessage();
    }
    

    Note that https://myapi.com/client/user route is just a route I made for testing in the API. That route is defined as:

    Route::get('/user', function(Request $request) {
        return $request->user();
    });
    

    Now. I know this is not working. This is what I want to achieve. Know the user making the request given the access_token/bearer_token.

    • Mina Abadir over 7 years
      Would you add the client-side code and the error you receive? Is it 404?
    • Asier Paz over 7 years
      I can add the code. But as I said, I am not having any error. I make a request to whichever route in the API I want; the thing is that in my API route I want to know on which user's behalf the client is making the request.
    • Mina Abadir over 7 years
      You mean, you want to know the logged-in user?
    • Asier Paz over 7 years
      Yes. The consuming application is using a grant type that is much like client_credentials. That means that the application is making requests on its own behalf. But for users, there is the authorization method, and the password grant. These make requests on the authorized user's behalf.
    • Mike almost 6 years
      I have found an easy solution, but not really sure it is the correct way to go... Wrap your route /user in a group middleware => ['web', 'auth:api']
  • Yahya Uddin about 6 years
    But what happens if authentication is optional, i.e. authenticated users see this, and unauthenticated users see something else?