laravel passport: how to validate bearer authorization code - without sign in


Try this and let me know if any error occurs.

Add the following in App/Http/Kernel.php file in protected $routeMiddleware array:

'client.credentials' => \Laravel\Passport\Http\Middleware\CheckClientCredentials::class,

Now in your controller add the following in the beginning:

public function __construct()
{
   $this->middleware('client.credentials')->only(['']);
}

Add your function names to the array to check whether the request has an Authorization header with a token for that function. You do not need to do anything else.

You can check afterwards using Postman: with an incorrect token, an error will be returned from the API as the result.

Also, as a tip, do not put your "client_secret" on the client side; it should not get into the wrong hands.

Use the following to generate a token for the user:

use Illuminate\Support\Facades\Hash;
$user = User::where('email', $email)->firstOrFail(); // passwords are stored as hashes, so do not match them in the query
abort_unless(Hash::check($password, $user->password), 401);
$token = $user->createToken('Token')->accessToken;
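As an added example (not code from the answer above or from Laravel Passport itself), the following shows the full wiring the answer describes: a controller that applies the `client.credentials` middleware to selected actions, a token-issuing endpoint that verifies the user's password hash with `Hash::check` instead of matching the raw password in the query, and the route-group form asked about in the comments. It assumes Passport is installed, the `client.credentials` alias is registered in `app/Http/Kernel.php` as shown above, the `User` model lives in `App\Models` and uses the `HasApiTokens` trait, and the class names `OrderController`, `TokenController` and the route paths are illustrative. The three sections belong in the three files named in the comments.

```php
<?php
// Added example, not the answer's own code. Assumed: Passport installed, the
// 'client.credentials' middleware alias registered in app/Http/Kernel.php,
// App\Models\User with the HasApiTokens trait. Class and route names are illustrative.

// ---- app/Http/Controllers/Api/OrderController.php ----
namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;

class OrderController extends Controller
{
    public function __construct()
    {
        // Only these actions require a valid client-credentials bearer token.
        // A missing or invalid token is rejected by the middleware before the
        // action runs, so no manual check of $request->bearerToken() is needed.
        $this->middleware('client.credentials')->only(['index', 'show']);
    }

    public function index(Request $request)
    {
        return response()->json(['orders' => []]);
    }

    public function show(Request $request, int $id)
    {
        return response()->json(['order' => ['id' => $id]]);
    }
}

// ---- app/Http/Controllers/Api/TokenController.php ----
use App\Models\User;
use Illuminate\Support\Facades\Hash;

class TokenController extends Controller
{
    // POST /api/token with JSON body {"email": "...", "password": "..."}
    public function store(Request $request)
    {
        $data = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $user = User::where('email', $data['email'])->first();

        // Laravel stores bcrypt hashes, so the password is verified with
        // Hash::check, never with a WHERE clause on the raw value. The same
        // 401 is returned for an unknown email and for a wrong password, so
        // the response does not reveal which accounts exist.
        if ($user === null || ! Hash::check($data['password'], $user->password)) {
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        // Personal access token for this user; the client sends it as
        // "Authorization: Bearer <token>" on later requests.
        $token = $user->createToken('mobile-app')->accessToken;

        return response()->json(['token_type' => 'Bearer', 'access_token' => $token]);
    }
}

// ---- routes/api.php ----
use Illuminate\Support\Facades\Route;

// Route-level alternative to the constructor call: everything in this group
// requires a valid client-credentials token. 'client.credentials:orders'
// would additionally require the token to carry the "orders" scope.
Route::middleware('client.credentials')->group(function () {
    Route::get('/orders', [OrderController::class, 'index']);
    Route::get('/orders/{id}', [OrderController::class, 'show']);
});

// Token issuance is unauthenticated; routes for a logged-in user use auth:api.
Route::post('/token', [TokenController::class, 'store']);
Route::middleware('auth:api')->get('/me', fn (Request $request) => $request->user());
```

Note that `CheckClientCredentials` rejects a bad or missing token with an `AuthenticationException`, which Laravel renders as HTTP 401 for JSON requests rather than the 403 the question mentions; the distinction is worth keeping, since 401 tells the client to re-obtain a token while 403 means the token is valid but not permitted.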


Author by AnD

Updated on June 04, 2022

Comments

  • AnD almost 2 years

    I did request:

    {
        "grant_type": "client_credentials",
        "client_id": 8,
        "client_secret": "XXNKXXqJjfzG8XXSvXX1Q4pxxnkXmp8tT8TXXKXX",
        "redirect_uri": "",
        "scope": "*"
    }
    

    Then received response below:

    {
        "token_type": "Bearer",
        "expires_in": 31536000,
        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGcXXXJSUzI1NiIsImp0aSI6ImEzYjJhZmU5OTYzMTE5MDAyZDAwZmEzNzU0ZGY3ZTRkMTgwYzhlYWRmNGQyOGU5MTI4YjAyYjJmYWQxZjY1NjUzMzAyZjNlZTI4MTgxMDFhIn0.eyJhdWQiOiI4IiwianRpIjoiYTNiMmFmZTk5NjMxMTkwMDJkMXXXYTM3XXXkZjdlNGQxODBjOGVhZGY0ZDI4ZTkxMjhiMDJiMmZhZDFmNjU2NTMzMDJmM2VlMjgxODEwMWEiLCJpYXQiOjE1NDAwMTQxNTUsIm5iZiI6MTU0MDAxNDE1NSwiZXhwIjoxNTcxNTUwMTU1LCJzdWIiOiIiLCJzY29wZXMiOltdfQ.sNSYywfBf27yAojqZclpjliysbQARlYFktzanTMecXXXIai5DgJY0sKhGpHktP5cqirYdemoFKy2nOxzZ8g29gCQQ63zmxe3vpbDz1GAdrjCDWoUlwSXXXHx4VIsdSIzVdi9XyvPKaLKMdoL6nFeWgpgXKGIvHKdiHjKgQbY_08Qa6JMN5Up27qmIOQoXJNAf1nuXvBMabUU_Js7VNspwPfdC8nMZ5zhK1A_c32_lDRtHqkhDfqqBXdUB-inx-zixhn2ODC4b4tkdj7XXXXlVKFxHxKM3aVOMFlmKhypSDwIUB0dPsN8iHcLzkl1yjzRQcOvQEj5BXWLkLCPdkiX2YJuFiWGUm_nxiYoIRV3ptJDeBI5OJI870JTOwBfJePrHTbXmhbjNSQSflLtiOV34wbPQZWH3KMKcsGVYvXXX3rcO5cbZWeeJLGPPYYO-_AWDmdAm-Qsb6Tw1sPxEZRw0dw3zBHnLVrEK9GXXXN2U5wE9Ka3id8ecOJSXSD39X1PyZUB9dJTidmbiWYWgskSTsqLuWfzXXXtlXkb1iOO37kT_Y5zr71Wp1RJ1Fp38yIyHI6fR9hKqeNALSqhv2ALmcSMQsFGTtPG98lGulu-vRJJhgMJ3C3fSTljN7o9BM7Jz-h0ymxC8sSMSNsXakK1qu40vD40zRJMB09sBPjIAVo"
    }
    

    which I suppose I am to use in the Authorization header to consume my API, as follows:

    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGcXXXJSUzI1NiIsImp0aSI6ImEzYjJhZmU5OTYzMTE5MDAyZDAwZmEzNzU0ZGY3ZTRkMTgwYzhlYWRmNGQyOGU5MTI4YjAyYjJmYWQxZjY1NjUzMzAyZjNlZTI4MTgxMDFhIn0.eyJhdWQiOiI4IiwianRpIjoiYTNiMmFmZTk5NjMxMTkwMDJkMXXXYTM3XXXkZjdlNGQxODBjOGVhZGY0ZDI4ZTkxMjhiMDJiMmZhZDFmNjU2NTMzMDJmM2VlMjgxODEwMWEiLCJpYXQiOjE1NDAwMTQxNTUsIm5iZiI6MTU0MDAxNDE1NSwiZXhwIjoxNTcxNTUwMTU1LCJzdWIiOiIiLCJzY29wZXMiOltdfQ.sNSYywfBf27yAojqZclpjliysbQARlYFktzanTMecXXXIai5DgJY0sKhGpHktP5cqirYdemoFKy2nOxzZ8g29gCQQ63zmxe3vpbDz1GAdrjCDWoUlwSXXXHx4VIsdSIzVdi9XyvPKaLKMdoL6nFeWgpgXKGIvHKdiHjKgQbY_08Qa6JMN5Up27qmIOQoXJNAf1nuXvBMabUU_Js7VNspwPfdC8nMZ5zhK1A_c32_lDRtHqkhDfqqBXdUB-inx-zixhn2ODC4b4tkdj7XXXXlVKFxHxKM3aVOMFlmKhypSDwIUB0dPsN8iHcLzkl1yjzRQcOvQEj5BXWLkLCPdkiX2YJuFiWGUm_nxiYoIRV3ptJDeBI5OJI870JTOwBfJePrHTbXmhbjNSQSflLtiOV34wbPQZWH3KMKcsGVYvXXX3rcO5cbZWeeJLGPPYYO-_AWDmdAm-Qsb6Tw1sPxEZRw0dw3zBHnLVrEK9GXXXN2U5wE9Ka3id8ecOJSXSD39X1PyZUB9dJTidmbiWYWgskSTsqLuWfzXXXtlXkb1iOO37kT_Y5zr71Wp1RJ1Fp38yIyHI6fR9hKqeNALSqhv2ALmcSMQsFGTtPG98lGulu-vRJJhgMJ3C3fSTljN7o9BM7Jz-h0ymxC8sSMSNsXakK1qu40vD40zRJMB09sBPjIAVo
    Accept:application/json
    Content-Type:application/json
    

    I'm able to catch the bearer token with $token = $request->bearerToken(); in my controller.

    But I have difficulties validating it; does anyone know how to validate that token?

    What I'm trying to achieve is quite simple: if the Bearer token is valid then continue; if not, then throw 403.

    I'm not using user authentication (no user), so I can't put the middleware Auth::api in the route (unless you tell me it is possible to validate the token only, without a user).

  • AnD over 5 years
    Thanks for the answer. If I don't put the client secret at the client, how do I request a token? And may I check something: is it possible to make this under middleware, so I could just do Route::group(['middleware' => 'auth:token']) in my route? Anyway, your answer works!
  • Amir over 5 years
    You're welcome. You can create a separate controller for handling tokens, such as functions for revoking tokens / creating tokens, and then you can add a POST route in the API routes and link it to the createToken function in the controller; in that function the user email, user password & user id are required. After that you can create a token just like I told you above and return it as a response from the function. So basically, when a user logs in, you call that function from another AJAX request, or you can put the token generation code in the same login function and return it. Did you understand?
  • AnD over 5 years
    Well, my client is a native mobile app, and the very first time the app runs on the phone I need to validate that it is really my app that is accessing the API, by sending the secret that I described in my question above. So with that (I hope) I can validate my app. (I know keeping a secret in a mobile app is not safe, but at least this is what I can think of as of now.) So after the app is validated, the subsequent requests to consume my API will use the Bearer token (and this will include authentication, for which I'm going to use social login).
  • Amir over 5 years
    Well, then merge your client information in a middleware; do not put it on your client side. Or use CORS if possible.