How to use Laravel Passport with Password Grant Tokens?
Solution 1
If you are consuming your own api then you don't need to call http://example.com/oauth/token for user login because then you need to store client_id and client_secret at app side. Better you create an api for login and there you can check the credentials and generate the personal token.
public function login(Request $request)
{
$credentials = $request->only('email', 'password');
if (Auth::attempt($credentials)) {
// Authentication passed...
$user = Auth::user();
$token = $user->createToken('Token Name')->accessToken;
return response()->json($token);
}
}
Finally, there are a lot of endpoints that I get from passport that I don't think I will use for example: oauth/clients*, oauth/personal-access-tokens* is there a way to remove them from the endpoints published by passport?
You need to remove Passport::routes();
from AuthServiceProvider and manually put only required passport routes. I think you only need oauth/token
route.
what exactly is "The-App" value for?
if you check oauth_access_tokens table it has name field. $user->createToken('Token Name')->accessToken;
here the "Token Name" stored in name field.
How to use Laravel Passport with Password Grant Tokens?
To generate password grant token you have to store client_id
and client_secret
at app side (not recommended, check this ) and suppose if you have to reset the client_secret
then the old version app stop working, these are the problems. To generate password grant token you have to call this api like you mention in step 3.
$http = new GuzzleHttp\Client;
$response = $http->post('http://your-app.com/oauth/token', [
'form_params' => [
'grant_type' => 'password',
'client_id' => 'client-id',
'client_secret' => 'client-secret',
'username' => '[email protected]',
'password' => 'my-password',
'scope' => '',
],
]);
return json_decode((string) $response->getBody(), true);
Generate token from
refresh_token
$http = new GuzzleHttp\Client;
$response = $http->post('http://your-app.com/oauth/token', [
'form_params' => [
'grant_type' => 'refresh_token',
'refresh_token' => 'the-refresh-token',
'client_id' => 'client-id',
'client_secret' => 'client-secret',
'scope' => '',
],
]);
return json_decode((string) $response->getBody(), true);
You can look this https://laravel.com/docs/5.6/passport#implicit-grant-tokens too.
Solution 2
Tackling Question 5
Finally, there are a lot of endpoints that I get from passport that I don't think I will use for example:
oauth/clients*
,oauth/personal-access-tokens*
is there a way to remove them from the endpoints published by passport?
Passport::routes($callback = null, array $options = [])
takes an optional $callback
function and optional $options
argument.
The callback function takes a $router
argument from which you can then choose which routes to install as shown below in your AuthServiceProvider.php
that is enabling a more granular configuration:
Passport::routes(function ($router) {
$router->forAccessTokens();
$router->forPersonalAccessTokens();
$router->forTransientTokens();
});
Passport::tokensExpireIn(Carbon::now()->addMinutes(10));
Passport::refreshTokensExpireIn(Carbon::now()->addDays(10));
This way we only create the passport routes that we need.
forAccessTokens()
; enable us to create access tokens.
forPersonalAccessTokens()
; enable us to create personal tokens although we will not use this in this article. Lastly,
forTransientTokens()
; creates the route for refreshing tokens.
If you run php artisan route:list
you can see the new endpoints installed by Laravel Passport.
| POST | oauth/token | \Laravel\Passport\Http\Controllers\AccessTokenController@issueToken
| POST | oauth/token/refresh | \Laravel\Passport\Http\Controllers\TransientTokenController@refresh
Related videos on Youtube
JohnnyAce
Updated on July 15, 2022Comments
-
JohnnyAce almost 2 years
I just read the https://laravel.com/docs/5.6/passport documentation and I have some doubts that hopefully someone could help me with:
First, some context, I want to use Passport as a way to provide Oauth authentication for my mobile app (first-party app).
When I use
php artisan passport:client --password
I get back a Client ID and a Client Secret. Does this value have to be fixed on my app? for example storing them hardcoded or as a "settings" file? If the values shouldn't be stored then how should it work?To register a user to my app I use:
$user->createToken('The-App')->accessToken;
I get that the accessToken will be the one used for sending on all my requests as a Header (Authorization => Bearer $accessToken) but what exactly is "The-App" value for?-
For login the user I'm using the URL: http://example.com/oauth/token and sending as parameters:
{ "username": "[email protected]", "password": "userpassword", "grant_type": "password", "client_id": 1, // The Client ID that I got from the command (question 1) "client_secret": "Shhh" // The Client Secret that I got from the command (question 1) }
-
When I login the user using the previous endpoint I get back a refresh_token, I read that I could refresh the token through http://example.com/oauth/token/refresh but I try to request the refresh I got Error 419, I removed the url oauth/token/refresh from the csrf verification and now I get back
"message": "Unauthenticated."
, I'm making the following request:Content-Type: x-www-form-urlencoded grant_type: refresh_token refresh_token: the-refresh-token // The Refresh Token that I got from the command (question 3) client_id: 1 // The Client ID that I got from the command (question 1) client_secret: Shhh // The Client Secret that I got from the command (question 1) scope: ''
Should I use this endpoint? or is not necessary given the app I'm trying to develop.
- Finally, there are a lot of endpoints that I get from passport that I don't think I will use for example:
oauth/clients*
,oauth/personal-access-tokens*
is there a way to remove them from the endpoints published by passport?
Thanks a lot for your help!
-
Wellwisher almost 6 yearsFor password grant you cannot use
$user->createToken('The-App')->accessToken;
for generating access token -
JohnnyAce almost 6 yearsHi @Wellwisher can you tell me why I can not use that option?
-
Wellwisher almost 6 yearsThat option is for generating personal access token and in your code you have used the password grand. To generate token use this method laravel.com/docs/5.6/passport#requesting-password-grant-tokens
-
Jagadesha NH almost 6 yearsjagadeshanh.wordpress.com/2016/12/27/… wrote this little long ago. Still it can be used as a reference.
-
amansoni211 over 5 yearsjust curious, I have been consuming APIs since years, API providers always give the client_id and client_secret for authentication. why do we need email and password here in laravel passport?
-
rkj over 5 years@amansoni211 yes you are right but in that case we generally call those api from server side. Here the question is to use the
client_id
andclient_secrect
at app side and for that you can not store it at client side. Hope it may clear you -
amansoni211 over 5 years@rkj Well explained, Thanks. What method of authentication would you suggest [in passport] if need to expose my api to business partners who will eventually access my APIs from their web servers?