Why should Client Credentials be associated with a user in Laravel Passport?

I want to use Client Credentials to authenticate client applications to access the API.

My problem is with creating client credentials. Using php artisan passport:client requires me to enter a user_id to associate the client with that user. I don't get it. Why does the client application have to be associated with a user?! Or is there another way?

The passport:client command only supports creating Password Grant Clients and Personal Grant Clients. I don't think that either of them is what I need.

What I really need is to create client credentials that will only be used by the client application to authorize itself to access some APIs. How to do that?

Meena Alfons asked Apr 30 '17 12:04


People also ask

How does Laravel Passport authentication work?

Laravel Passport is an easy way to set up an authentication system for your API. As a Laravel package, it uses an OAuth2 server to perform authentication, creating tokens for user applications that request to interface with the API it protects, and only granting them access if their tokens are validated.

What is Laravel Passport client?

Laravel Passport provides a full OAuth2 server implementation for your Laravel application in a matter of minutes. Passport is built on top of the League OAuth2 server that is maintained by Andy Millington and Simon Hamp. This documentation assumes you are already familiar with OAuth2.

What is OAuth client credentials?

The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service.

What is difference between JWT and Passport Laravel?

The "tymondesigns/jwt-auth" package is a PHP Laravel implementation of the JWT protocol. On the other hand, Passport also uses JWT by default plus a huge extra, a complete OAuth2 implementation. Regarding the functionality, as I said they both use JWT, so you can use whichever you like for authentication via tokens.


1 Answer

I assume you want to use machine-to-machine authentication (no user interactions)

I would recommend reading through the docs a couple of times to get the hang of it.

I do not believe there is a specific way to create a client-credentials-only client. What I do is create a personal client, then change the personal_access_client field for that client in the database from 1 to 0.

You could use the personal client option, as seen from the --help option

Usage:
  passport:client [options]

Options:
      --personal        Create a personal access token client
      --password        Create a password grant client
      --name[=NAME]     The name of the client
  -h, --help            Display this help message
...

php artisan passport:client --personal

output

Personal access client created successfully.
Client ID: 1
Client Secret: LbjQNxK5SQZ3pPrEBUwbkE8vaRkg8jh25Qh43HYy

You would need to use a middleware other than the default one, because there is no user present when using this method:

  • Define client credentials alias middleware in kernel
  • Add middleware to route
  • Send request

Define the client credentials middleware in the HTTP kernel

Class \App\Http\Kernel:

protected $routeMiddleware = [
    'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
    'client_credentials' => \Laravel\Passport\Http\Middleware\CheckClientCredentials::class,
    // omitted
];

Define the middleware on the route

Route::get('/test', 'ApiTestController@test')->middleware('client_credentials');

Class \App\Http\Controllers\ApiTestController:

public function test() {
    return response()->json(['data' => 'hey']);
}

From php artisan route:list

GET|HEAD  | api/test | App\Http\Controllers\ApiTestController@test   | api,client_credentials  |

Send request

Follow the request specified in the documentation on client-credentials-grant-tokens.

I use Postman for simplicity; it is easy to send a test request with Postman (www.getpostman.com).

Set authorization to OAuth 2.0 (image: Postman authentication).

Set the access token URL, client id, client secret and grant type to 'Client Credentials' (image: Postman OAuth Fields).

Postman creates a token and appends it to the URL or header, in this case the header:

Accept:application/json
Authorization:Bearer eyJ0eXAiOi...KCjK0

Response:

{
  "data": "hey"
}
Raldo94 answered Sep 23 '22 03:09
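The flow the answer describes, end to end, as an added example that is not part of the original answer or of Laravel Passport's own code. It creates the client through Passport's ClientRepository with the personal and password flags left off (so personal_access_client and password_client are both 0 without editing the database by hand), limits the client to a named scope, protects a route with the same client_credentials middleware alias as above, and requests and uses a token with Guzzle. The API base URL, the route, the client name and the scope name read-orders are constructed for illustration; Passport is assumed installed and migrated.

```php
<?php
// Added example (not from the original answer or from Laravel Passport):
// machine-to-machine access with the client credentials grant.
// Assumed, not from the page: the API is served at https://api.example.test,
// the route lives in routes/api.php (so it is reachable as api/orders),
// and 'read-orders' is a scope name chosen for this example.

use GuzzleHttp\Client as HttpClient;
use Illuminate\Support\Facades\Route;
use Laravel\Passport\ClientRepository;
use Laravel\Passport\Passport;

// 1. Register the client. ClientRepository::create(userId, name, redirect)
//    leaves the personal and password flags at their default of false, so the
//    row is a plain client: personal_access_client = 0, password_client = 0.
//    user_id is nullable in Passport's migration; a machine client has no owner.
function createMachineClient(string $name): \Laravel\Passport\Client
{
    /** @var ClientRepository $clients */
    $clients = app(ClientRepository::class);

    return $clients->create(null, $name, '');
}

// 2. Declare the scopes a client may be granted (normally once, in
//    AuthServiceProvider::boot()). Scopes bound the blast radius of a leaked
//    client secret to what that scope allows.
Passport::tokensCan([
    'read-orders' => 'Read order records',
]);

// 3. Protect the route. 'client_credentials' is the alias registered for
//    CheckClientCredentials in the Kernel snippet above. Names after the colon
//    are scopes the token must carry; a valid token without 'read-orders'
//    is rejected with 403 rather than 401.
Route::get('/orders', function () {
    return response()->json(['data' => 'orders']);
})->middleware('client_credentials:read-orders');

// 4. Client side: exchange id + secret for a bearer token. No user is involved
//    and no refresh token is issued; the client simply asks again when
//    expires_in runs out.
function fetchClientToken(HttpClient $http, string $baseUrl, string $clientId, string $secret, string $scope): string
{
    $response = $http->post($baseUrl . '/oauth/token', [
        'form_params' => [
            'grant_type'    => 'client_credentials',
            'client_id'     => $clientId,
            'client_secret' => $secret,
            'scope'         => $scope,
        ],
    ]);

    $body = json_decode((string) $response->getBody(), true);

    // Fail closed on anything that is not a bearer token response.
    if (!isset($body['access_token']) || ($body['token_type'] ?? '') !== 'Bearer') {
        throw new RuntimeException('Unexpected token response from /oauth/token');
    }

    return $body['access_token'];
}

$client = createMachineClient('Billing Service');

// Note: if Passport::hashClientSecrets() is enabled, $client->secret is a hash
// and the clear value is only available as $client->plainSecret right after
// creation; store it in the calling service's secret store, never in code.
$http  = new HttpClient();
$token = fetchClientToken(
    $http,
    'https://api.example.test',
    (string) $client->id,
    $client->secret,
    'read-orders'
);

// 5. Call the protected endpoint with the token in the Authorization header,
//    exactly as Postman does in the answer above.
$orders = $http->get('https://api.example.test/api/orders', [
    'headers' => [
        'Accept'        => 'application/json',
        'Authorization' => 'Bearer ' . $token,
    ],
]);

echo $orders->getBody();
```

The client secret is the only thing standing between an attacker and this API, so it deserves the same handling as a password: keep it out of source control, rotate it by creating a new client row and revoking the old one, and give each calling service its own client so a compromised secret can be revoked without taking down every integration.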