Get authenticated user with Laravel Passport and grant password
Solution 1
You forgot the appropriate middleware.
Route::get('/user', function(Request $request) {
return Auth::user();
})->middleware('auth:api');
The authentication flow is not fired when you don't mention the auth
middleware. That's why you get null
.
Solution 2
I had the same problem with you. And i solved it after I manually defined the auth guard.
Route::get('/user', function (Request $request) {
return auth()->guard('api')->user();
});
Solution 3
You need to pass the Access token back with every request. Please check the documentation for this part here
Related videos on Youtube
Asier Paz
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Updated on July 09, 2022Comments
-
Asier Paz almost 2 years
I did an API REST with Laravel and now I'm trying to consume it. The thing is I need to authenticate users in the API and I am using the Password Grant method. I can authenticate users correctly and I can get an access token but from then, I don't see a way to retrieve the authenticated user with the access token in my consuming application.
I tried in the API with a route like this:
Route::get('/user', function(Request $request) { $user = $request->user(); // Even with $user = Auth::user(); return $user; });
No dice. I am reading Passport code but I can't figure it out. My guess is that I would need to specify a new guard type or something because It doesn't seem that Laravel Passport provides one for this kind of grant type...
To clarify things:
- I have an API REST application, which is the oAuth2 Server.
- I have another application consuming the API REST.
- I do know the workflow. In my case, with Password Grant, I get the user credentials in my consumer application, then I make a request to /oauth/token specifying the grant_type to password, I provide the user credentials along with my client credentials, which I am sure they were generated with "php artisan passport:client --password" (note the --password option)
- I can get the access token with no problems. What I need now, is to get a JSON representation of the user I just authenticated from the API REST. But here is the problem: I just have an access token. Nothing I can relate with the user.
Or can I? Maybe I can extend the method that authenticates password grant requests to relate the generated access token to the user it is authenticating... *light bulb turns on*
Consuming application test code:
try { $client = new Client(); $result = $client->post('https://myapi.com/oauth/token', [ 'form_params' => [ 'grant_type' => 'password', 'client_id' => '5', 'client_secret' => 'my_secret', 'username' => 'user_I_am_authenticating', 'password' => 'the_user_password', 'scope' => '', ] ]); $access_token = json_decode((string) $result->getBody(), true)['access_token']; $result = $client->get('https://myapi.com/client/user', [ 'headers' => [ 'Content-Type' => 'application/json', 'Accept' => 'application/json', 'Authorization' => "Bearer $access_token", ] ]); return (string) $result->getBody(); } catch (GuzzleException $e) { return "Exception!: " . $e->getMessage(); }
Note that https://myapi.com/client/user route is just a route I made for testing in the API. That route is defined as:
Route::get('/user', function(Request $request) { return $request->user(); });
Now. I know this is not working. This is what I want to achieve. Know the user making the request given the access_token/bearer_token.
-
Mina Abadir over 7 yearsWould you add the client-side code and the error you receive? Is it 404?
-
Asier Paz over 7 yearsI can add the code. But as I said, I am not having any error. I make a request to wichever route in the API I want, the thing is that in my API route I want to know in wich user behalf the client is making the request.
-
Mina Abadir over 7 yearsYou mean, you want to know the Logged in user?
-
Asier Paz over 7 yearsYes. The consuming application is using a grant type that is much like client_credentials. That means that the application is making requests on its own behalf. But for users, there is the authorization method, and the password grant. These make requests on the authorized user's behalf.
-
Mike almost 6 yearsI have found an easy solution, but not really sure it is the correct way to go... Wrap your route
/user
in a groupmiddleware => ['web', 'auth:api']
-
Yahya Uddin about 6 yearsBut what happens if authentication is optional. i.e. authenticated users see this, and unuthenticated users see something else