Laravel Passport token lifetime

Question

I don't get what I'm doing wrong. I can't set token expiration time.

<?php

namespace App\Providers;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();

        Passport::tokensExpireIn(Carbon::now()->addDays(1));
        Passport::refreshTokensExpireIn(Carbon::now()->addDays(30));
    }
}

BUT when I call $user->createToken(), for example like this:

<?php
// as a demo
namespace App\Http\Middleware;

class ParseSpecialToken
{
    public function handle($request, Closure $next)
    {
        $user = User::find(1);
        $accessToken = $user->createToken('Some token')->accessToken;
        $request->headers->add(['Authorization' => 'Bearer '. $accessToken]);

        return $next($request);
    }
}

Token expiration is still 1 year, not 1 day. Why? How to change exp time?

Answer 1

Here are the methods used to update expiration time for all the grant types :

Personal access token:

public function boot(){
        $this->registerPolicies();

        Passport::routes();
        Passport::personalAccessTokensExpireIn(Carbon::now()->addHours(24));
        Passport::refreshTokensExpireIn(Carbon::now()->addDays(30));
}

Rest all

public function boot(){
        $this->registerPolicies();

        Passport::routes();
        Passport::tokensExpireIn(Carbon::now()->addHours(24));
        Passport::refreshTokensExpireIn(Carbon::now()->addDays(30));
}

Just update the above code in the boot method of AuthServiceProvider.

Answer 2

The createToken() method creates a Personal Access Token. By default, these tokens expire after 1 year (or 100 years, if created by laravel/passport <= 1.0.11). The expiration time for this type of token is not modified by the Passport::tokensExpireIn() or Passport::refreshTokensExpireIn() methods.

laravel/passport >= 7.0.4

Passport version 7.0.4 added a new method Passport::personalAccessTokensExpireIn() that allows you to update the expiration time for personal access tokens. If you are on this version or later, you can add this method call to your AuthServiceProvider::boot() method.

Passport::personalAccessTokensExpireIn(Carbon::now()->addDays(1));

laravel/passport < 7.0.4

If you are not yet on passport version 7.0.4, you can still modify the personal access token expiration time, but it is more manual. You will need to enable a new instance of the personal access grant with your desired expiration time. This can also be done in your AuthServiceProvider::boot() method.

$server = $this->app->make(\League\OAuth2\Server\AuthorizationServer::class);
$server->enableGrantType(new \Laravel\Passport\Bridge\PersonalAccessGrant(), new \DateInterval('P100Y'));

Note

Modifying the expires_at field in the database will not do anything. The real expiration date is stored inside the token itself. Also, attempting to modify the exp claim inside the JWT token will not work, since the token is signed and any modification to it will invalidate it. So, all your existing tokens will have their original expiration times, and there is no way to change that. If needed, you will need to regenerate new tokens.