How to use Laravel Passport with Password Grant Tokens?


I just read the https://laravel.com/docs/5.6/passport documentation and I have some doubts that hopefully someone could help me with:

First, some context: I want to use Passport as a way to provide OAuth authentication for my mobile app (first-party app).

  1. When I use php artisan passport:client --password I get back a Client ID and a Client Secret. Do these values have to be fixed in my app, for example stored hardcoded or in a "settings" file? If the values shouldn't be stored, then how should it work?

  2. To register a user in my app I use: $user->createToken('The-App')->accessToken; I get that the accessToken will be the one sent on all my requests as a header (Authorization => Bearer $accessToken), but what exactly is the "The-App" value for?

  3. For logging in the user I'm using the URL http://example.com/oauth/token and sending as parameters:

    {
      "username": "[email protected]",
      "password": "userpassword",
      "grant_type": "password",
      "client_id": 1,            // The Client ID that I got from the command (question 1)
      "client_secret": "Shhh"    // The Client Secret that I got from the command (question 1)
    }

  4. When I log in the user using the previous endpoint I get back a refresh_token. I read that I could refresh the token through http://example.com/oauth/token/refresh, but when I try to request the refresh I get Error 419. I removed the URL oauth/token/refresh from the CSRF verification and now I get back "message": "Unauthenticated.". I'm making the following request:

    Content-Type: x-www-form-urlencoded
    grant_type: refresh_token
    refresh_token: the-refresh-token   // The Refresh Token that I got from the command (question 3)
    client_id: 1                       // The Client ID that I got from the command (question 1)
    client_secret: Shhh                // The Client Secret that I got from the command (question 1)
    scope: ''

Should I use this endpoint, or is it not necessary given the app I'm trying to develop?

  5. Finally, there are a lot of endpoints that I get from Passport that I don't think I will use, for example oauth/clients* and oauth/personal-access-tokens*. Is there a way to remove them from the endpoints published by Passport?

Thanks a lot for your help!

JohnnyAce Avatar asked Jun 14 '18 02:06



People also ask

Does Laravel Passport use JWT?

Passport uses JWT authentication as standard but also implements full OAuth 2.0 authorization.

What is Laravel password grant client?

The OAuth2 password grant allows your other first-party clients, such as a mobile application, to obtain an access token using an e-mail address / username and password.

Where is Laravel Passport token stored?

You can store this token in local storage. This token is also stored in the oauth_access_tokens table. When sending a GET request to your URL, the token must be sent in the Authorization header. This is how API authentication in a Laravel application can be done with Passport.


1 Answer

If you are consuming your own API then you don't need to call http://example.com/oauth/token for user login, because then you would need to store client_id and client_secret on the app side. Better to create an API for login where you can check the credentials and generate the personal token.

    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;

    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        if (Auth::attempt($credentials)) {
            // Authentication passed: issue a personal access token for this user.
            $user = Auth::user();
            $token = $user->createToken('Token Name')->accessToken;

            return response()->json($token);
        }

        // Authentication failed: answer explicitly instead of returning null.
        return response()->json(['message' => 'Unauthenticated.'], 401);
    }

Finally, there are a lot of endpoints that I get from Passport that I don't think I will use, for example oauth/clients* and oauth/personal-access-tokens*. Is there a way to remove them from the endpoints published by Passport?

You need to remove Passport::routes(); from AuthServiceProvider and manually put only the required Passport routes. I think you only need the oauth/token route.

What exactly is the "The-App" value for?

If you check the oauth_access_tokens table, it has a name field. In $user->createToken('Token Name')->accessToken; the "Token Name" is stored in the name field.

How to use Laravel Passport with Password Grant Tokens?

To generate a password grant token you have to store client_id and client_secret on the app side (not recommended, check this), and if you have to reset the client_secret then the old version of the app stops working; these are the problems. To generate a password grant token you have to call this API as you mention in step 3.

    $http = new GuzzleHttp\Client;

    $response = $http->post('http://your-app.com/oauth/token', [
        'form_params' => [
            'grant_type' => 'password',
            'client_id' => 'client-id',
            'client_secret' => 'client-secret',
            'username' => '[email protected]',
            'password' => 'my-password',
            'scope' => '',
        ],
    ]);

    return json_decode((string) $response->getBody(), true);

Generate token from refresh_token

    $http = new GuzzleHttp\Client;

    $response = $http->post('http://your-app.com/oauth/token', [
        'form_params' => [
            'grant_type' => 'refresh_token',
            'refresh_token' => 'the-refresh-token',
            'client_id' => 'client-id',
            'client_secret' => 'client-secret',
            'scope' => '',
        ],
    ]);

    return json_decode((string) $response->getBody(), true);

You can look at this https://laravel.com/docs/5.6/passport#implicit-grant-tokens too.

rkj Avatar answered Sep 20 '22 11:09

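The answer's advice to drop Passport::routes() and publish only the token route, written out as an added example (not the answerer's code); the file path and class follow Laravel's default skeleton, and the token lifetimes are assumptions:

```php
<?php
// app/Providers/AuthServiceProvider.php (constructed example)
namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;
use Laravel\Passport\RouteRegistrar;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();

        // Passport::routes() with no callback publishes every Passport route
        // (oauth/authorize, oauth/clients*, oauth/personal-access-tokens*, ...).
        // With a callback, only the groups selected inside it are registered.
        Passport::routes(function (RouteRegistrar $router) {
            // POST oauth/token: issues tokens for every configured grant,
            // including grant_type=password and grant_type=refresh_token.
            // (Also registers GET/DELETE oauth/tokens for a logged-in web user.)
            $router->forAccessTokens();
        });
        // Deliberately not registered:
        //   forTransientTokens()      -> oauth/token/refresh, the cookie-based SPA
        //                                refresh route behind the 'web' + 'auth'
        //                                middleware; a mobile client calling it gets
        //                                "Unauthenticated." Refresh a password-grant
        //                                token via POST oauth/token instead.
        //   forClients()              -> oauth/clients*
        //   forPersonalAccessTokens() -> oauth/personal-access-tokens*
        //   forAuthorization()        -> oauth/authorize (third-party consent flow)

        // Lifetimes are assumptions: short-lived access tokens limit the damage
        // from a leaked bearer token; the refresh token keeps the user logged in.
        Passport::tokensExpireIn(now()->addHours(1));
        Passport::refreshTokensExpireIn(now()->addDays(30));
    }
}
```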
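The first-party login API the answer recommends, as an added example (not the answerer's code) with the input validation, failure path, rate limiting and token revocation a production endpoint needs; the controller name, route paths, token name and throttle limit are assumptions:

```php
<?php
// app/Http/Controllers/Api/AuthController.php (constructed example)
// Requires a personal access client: php artisan passport:client --personal
namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class AuthController extends Controller
{
    // POST /api/login: checks credentials server-side and issues a personal
    // access token, so the app never embeds client_id / client_secret.
    public function login(Request $request)
    {
        // Reject malformed input before touching the user table.
        $credentials = $request->validate([
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        if (! Auth::attempt($credentials)) {
            // Same generic message whether the email or the password was wrong,
            // so the endpoint does not reveal which accounts exist.
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        // 'The-App' is the value stored in oauth_access_tokens.name (question 2).
        $result = Auth::user()->createToken('The-App');

        return response()->json([
            'token_type'   => 'Bearer',
            'access_token' => $result->accessToken,
            'expires_at'   => $result->token->expires_at,
        ]);
    }

    // POST /api/logout (behind auth:api): revoke the token that made this request
    // so a stolen or discarded device token stops working immediately.
    public function logout(Request $request)
    {
        $request->user()->token()->revoke();

        return response()->json([], 204);
    }
}

// routes/api.php (constructed): throttle login attempts, protect logout.
// Route::post('login',  'Api\AuthController@login')->middleware('throttle:5,1');
// Route::post('logout', 'Api\AuthController@logout')->middleware('auth:api');
```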