 

How to handle client_id and client_secret for Password Grant Tokens in Passport

I am trying to figure out how to handle the Password Grant Tokens in the Passport package. Should I store the client_id and client_secret in the .env file or fetch the values directly from the database when requesting the token?

Pawan Kumar asked Apr 21 '17 05:04



2 Answers

It depends on what you are finally trying to achieve.

Passport tokens are always stored in the DB, and this is the right place to retrieve them (unless you are optimizing your production app to reduce DB load).

So, if you want to build an API endpoint, you can safely store PASSPORT_CLIENT_ID in your .env.

And then, in your controller, you can easily retrieve all data that you may need.

How to do it? Please read my post, on how you can embed this in your laravel controller.

Passport is built on top of an OAuth2 server which has loads of features.

Most likely you won't need them all, so you can stick to the basic JWT authorization as in this case.

This approach would enable you to test your code against different CI environments, while not sharing any specific keys/tokens in your VCS, which is definitely a good practice.

Final note... Passport makes packages like dingo, tymon jwt, etc. useless, because it has almost everything packed in, and what is really important is that this is the official Laravel package.

Bart answered Oct 02 '22 21:10


While you certainly can store the values inside your .env file, you should think of these tokens as secrets you grant to other developers who want to use your API. What if every day 50 developers want to register to use your API; will you add them by hand to your .env file? If it's only you / your company this can be "ok", but I would store them in the database for scalability.

online Thomas answered Oct 02 '22 20:10
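The two answers above describe two ways of sourcing the password-grant client credentials: from .env via config (Bart) or from the oauth_clients table (Thomas). The controller below is an added example, not code from either answer or from the Passport project, showing the pattern both are talking about: a first-party login endpoint that keeps client_id and client_secret on the server and forwards the user's email/password to Passport's /oauth/token route, so the secret never ships to a browser or mobile app. The config keys services.passport.client_id and services.passport.client_secret, the controller name and the route are assumptions; the /oauth/token route, the Laravel\Passport\Client model and the password_client column are Passport's own.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Laravel\Passport\Client;

/**
 * Added example: proxies Passport's password grant for a first-party client
 * (SPA or mobile app) so client_id/client_secret never leave the server.
 *
 * Route (assumed, register it yourself):
 *   Route::post('/api/login', [PasswordGrantController::class, 'login'])
 *       ->middleware('throttle:10,1');
 */
class PasswordGrantController extends Controller
{
    public function login(Request $request): JsonResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        [$clientId, $clientSecret] = $this->passwordClientCredentials();

        // Build an internal request to Passport's /oauth/token route instead of
        // making a network round trip to our own host.
        $tokenRequest = Request::create('/oauth/token', 'POST', [
            'grant_type'    => 'password',
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
            'username'      => $credentials['email'],
            'password'      => $credentials['password'],
            'scope'         => '',
        ]);

        $response = app()->handle($tokenRequest);

        // Pass Passport's JSON body and HTTP status through unchanged. On a bad
        // login Passport answers with its own OAuth error object, which does not
        // include the client secret, so the caller learns nothing about it.
        return response()->json(
            json_decode($response->getContent(), true),
            $response->getStatusCode()
        );
    }

    /**
     * Option 1 (Bart's answer): read the password client from config, which is
     * populated from .env. Assumed config/services.php entry:
     *   'passport' => [
     *       'client_id'     => env('PASSPORT_CLIENT_ID'),
     *       'client_secret' => env('PASSPORT_CLIENT_SECRET'),
     *   ],
     * Option 2 (Thomas's answer): fall back to the oauth_clients table through
     * Passport's Client model, selecting the client flagged as a password client.
     */
    private function passwordClientCredentials(): array
    {
        $id     = config('services.passport.client_id');
        $secret = config('services.passport.client_secret');

        if ($id !== null && $secret !== null) {
            return [(string) $id, (string) $secret];
        }

        $client = Client::query()->where('password_client', true)->firstOrFail();

        // Caveat: if Passport::hashClientSecrets() is enabled, $client->secret is
        // a hash and this lookup cannot recover the plaintext; keep the secret
        // in .env in that case.
        return [(string) $client->getKey(), (string) $client->secret];
    }
}
```

Whichever source you pick, the security-relevant property is the same: the secret is read on the server inside this controller and is never returned to the caller. Throttling the login route matters because a proxied password grant is a credential-stuffing target, and the DB fallback only works while Passport stores client secrets in plaintext.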