Laravel Passport is an OAuth2 server and API authentication package that is simple and enjoyable to use

Overview

Introduction

Laravel Passport is an OAuth2 server and API authentication package that is simple and enjoyable to use.

Official Documentation

Documentation for Passport can be found on the Laravel website.

Contributing

Thank you for considering contributing to Passport! The contribution guide can be found in the Laravel documentation.

Code of Conduct

In order to ensure that the Laravel community is welcoming to all, please review and abide by the Code of Conduct.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

License

Laravel Passport is open-sourced software licensed under the MIT license.

Comments
  • Password Grant and independent SPA issue

    Hello all,

    I have been messing around with Passport and specifically the Password Grant. The reason for this is I plan to build an API with Laravel and Passport that will consume an SPA. The SPA will not be part of Laravel - not built within Blade views.

    The main issue I am running into is that I am required to share both the Client ID and Secret. However, according to the OAuth spec the Client Secret should never be exposed to the end user, as it will make the flow redundant I believe.

    I believe this is an issue because Passport has not been provided with a way to combat this security issue. I have read that a proxy should be used to inject the Client Secret into the POST/GET request and then sent to the API, however, I am not sure if this is correct.

    It would be a great help if anyone had any ideas on how to deal with this issue.

    Also, if you would like me to elaborate further please ask!

    opened by josh9060 91
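    One way to implement the proxy the post mentions, as an added example that is not part of the original issue or of Passport itself: a route on the Laravel API that accepts only the user's credentials from the SPA and adds the password-grant client_id/client_secret from server-side config before calling /oauth/token, so the secret never reaches the browser. The config keys services.passport.client_id / client_secret and the use of config('app.url') are this example's assumptions.

```php
<?php
// Added example (not part of the original issue or of Passport): a "token proxy"
// route that the SPA calls instead of /oauth/token. The SPA sends only
// username/password; client_id and client_secret are read from server-side
// config, so the secret is never shipped to the browser.
// Assumptions: the password-grant client's credentials live under
// config('services.passport.*') and the app can reach its own /oauth/token URL.

use GuzzleHttp\Client;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::post('/api/login', function (Request $request) {
    // Only these two fields are accepted from the client; nothing else is forwarded.
    $data = $request->validate([
        'username' => ['required', 'string'],
        'password' => ['required', 'string'],
    ]);

    // http_errors => false so a 400/401 from the token endpoint is relayed
    // to the caller instead of being thrown as a Guzzle exception.
    $http = new Client(['http_errors' => false]);

    $response = $http->post(config('app.url').'/oauth/token', [
        'form_params' => [
            'grant_type'    => 'password',
            'client_id'     => config('services.passport.client_id'),     // server-side only
            'client_secret' => config('services.passport.client_secret'), // server-side only
            'username'      => $data['username'],
            'password'      => $data['password'],
            'scope'         => '',
        ],
    ]);

    // Relay the token response (or the error body) with the original status code.
    return response((string) $response->getBody(), $response->getStatusCode())
        ->header('Content-Type', 'application/json');
})->middleware('throttle:10,1'); // rate-limit credential guessing against the proxy
```

    The SPA stores only the returned access/refresh tokens; a matching /api/refresh route would forward the refresh_token the same way, again adding the secret server-side.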
  • Passport Multi-Auth

    Would Passport be implementing a Multi-Auth system? Or is there another way to incorporate multi-auth into the app?

    I have created Multiple Models which use Laravel's Auth system to implement proper multi-auth system. I'm not sure how to use passport for the same.

    enhancement 
    opened by SidharthRaveendran 80
  • Getting Unauthenticated with a valid token

    I'm using Laravel with Passport to secure my API with OAuth. However, after using an authorized token obtained with the Postman tool, in all my requests using the Passport middleware I'm getting 401. I installed Laravel twice and looked all around the Internet without success, and followed this page for installation: click here. Here is some of my code:

    The route I'm trying to access:

    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Route;

    // Everything in this group is guarded by the Passport "api" guard:
    // a request only reaches the closure with a valid bearer token.
    Route::group(['middleware' => 'auth:api'], function () {
        Route::get('/user', function (Request $request) {
            return $request->user();
        });
    });

    The auth guard:

    'guards' => [
        //..
    
        'api' => [
            'driver' => 'passport',
            'provider' => 'users',
        ],
    ],
    

    And I'm using this header in my requests:

    Accept: application/json
    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImU5ZDcwZGY0ZjA2MGZhNDk5MzQ1ZjQyN2QxMWY1MDhkZDI2ZWQxODkzZDgxMTcxYWNkZGYxYTkxYzkwNWYxOGUyMTI2NzY0M2QwZmQyOWRiIn0.eyJhdWQiOiIxIiwianRpIjoiZTlkNzBkZjRmMDYwZmE0OTkzNDVmNDI3ZDExZjUwOGRkMjZlZDE4OTNkODExNzFhY2RkZjFhOTFjOTA1ZjE4ZTIxMjY3NjQzZDBmZDI5ZGIiLCJpYXQiOjE1MDE1Mjc2NDYsIm5iZiI6MTUwMTUyNzY0NiwiZXhwIjoxNTMzMDYzNjQ2LCJzdWIiOiIxIiwic2NvcGVzIjpbXX0.dbJ4jddUZx1BT9X81LQIY-Dcx6xdDtmm2nH_C6t7rgFYzRTjab6w7T1NXfzKNlAeyi4iWJAARSBDI32vCeGuAy1ukFvr0qkoEp8UIZEqeeQYYam1Oox_0fuLlJyzwkOIospEc53KZBB0AQrPpW12abxZiZ6asQ9S4AbEJa5N95QFaYRMlxPxEMQOFt28v5148-shawcmtdV-AuAOpvsmap5_f4vQ-NY9R_He0NS4zOOQEY7sPIaRrsQ_XEAJwyiGnrUyufLr02T8wDUcqTskxCtizZx0aHN8i8lz9_X7xBFMHLj4zI4R3wfuZTWlOww07HdBt1oX8PAWvTgA0lw4Sq_xeKa3-MfuCasC4Vh_KWuvHQAfTIuCQw4lPOELfWWaeJTaEuuos7YFbOdoZIHoQWVs4lcisKpHuTGd8bzIPY9GGYsG26LRZB62vX358bijUuurh8p3ajPOt45tmvJnYyaHdf1gW5YwEqbtb07bohMrLFCNhYT0JFZvKa54FRRbB6BLA4lToDA4j1secMKan8mRMLwjEhqyPD0qxBswiMc127ryQ4CLvtKZ75Weno3oAnZ29ZkgtJCTESMzFjd41K-KgrV-s9KTWvfvmOECQUTQz6xUZ5WyVLzPZdBi6wNRYdAp4xRTA1RNUH3TSAP9qYt-xWTwNANXLvL5gBkBjQM
    
    opened by lucassmuller 77
  • Client_ID

    It feels a bit strange to get a client ID as the primary key of oauth_clients @taylorotwell Would it not make sense to provide a uuid field for that?

    enhancement 
    opened by lucasmichot 71
  • "storage/oauth-private.key" does not exist or is not readable.

    Hi, today I updated composer and I got this error: Operation failed: Operation not permitted

    I have resolved this problem by running the following commands:

    chmod 600 storage/oauth-private.key
    chmod 600 storage/oauth-public.key

    But then I got the following error: "storage/oauth-private.key" does not exist or is not readable

    Thanks for help

    opened by siarheipashkevich 60
  • How to change the ResponseType

    Hi,

    I want to add some user info into my JWT. It can be done by changing the response type of the authorization server with bearer token supporting extra params.

    Ref: https://github.com/thephpleague/oauth2-server/blob/master/tests/ResponseTypes/BearerTokenResponseWithParams.php

    But I am not sure how can I change the response type inside the passport.

    enhancement 
    opened by alexjose 60
  • Commands and Migrate not registered

    Hello,

    On my Windows machine everything works great, but after deploying (uploading everything except the vendor dir) the Passport commands and migrate don't work.

    Output:

    ****@**** ~/**** $ php artisan migrate
    Migration table created successfully.
    Migrated: 2014_10_12_000000_create_users_table
    Migrated: 2014_10_12_100000_create_password_resets_table
    
    ****@**** ~/**** $ php artisan passport:install
    
    
      [Symfony\Component\Console\Exception\CommandNotFoundException]
      There are no commands defined in the "passport" namespace.
    

    App Config:

    /*
     * Package Service Providers...
     */
    Laravel\Passport\PassportServiceProvider::class,
    
    opened by nilsbrychzy 52
  • Obtain access token and refresh token without a http request

    Sorry for asking a question here, but I tried elsewhere and no one could answer.

    Let's say I have a mobile app in which the user can log in with Facebook. If it was on the web, after the authorization I would have this: auth()->login($user); but I'm not sure how to do this with Passport.

    The user does have a createToken() method, but how do I get the refresh token so I can have a response like this?

    {
      "token_type": "Bearer",
      "expires_in": 3155673600,
      "access_token": "eyJ0eXAiOiJK...",
      "refresh_token": "LbxXGlD2s..."
    }
    
    opened by adaojunior 52
  • API Authentication Error: {"error":"invalid_client","message":"Client authentication failed"}

    I followed the exact steps mentioned in the Laracast: What's New in Laravel 5.3: Laravel Passport and API Authentication (Passport) to implement API Authentication using Oauth2.

    consumer/routes/web.php

    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Route;

    // Step 1: send the user to the authorization server to approve the client.
    Route::get('/redirect', function () {
        $query = http_build_query([
            'client_id' => '3',
            'redirect_uri' => 'http://consumer.dev/callback',
            'response_type' => 'code',
            'scope' => '',
        ]);

        return redirect('http://passport.dev/oauth/authorize?'.$query);
    });

    // Step 2: exchange the returned authorization code for tokens.
    // This call is server-to-server, so the client secret stays on the consumer backend.
    Route::get('/callback', function (Request $request) {
        $http = new GuzzleHttp\Client;

        $response = $http->post('http://passport.dev/oauth/token', [
            'form_params' => [
                'grant_type' => 'authorization_code',
                'client_id' => '3',
                'client_secret' => '3TfJGj4rrvOQvjZkI8dDqx78ouH99F2DuIMKHoKH',
                'redirect_uri' => 'http://consumer.dev/callback',
                'code' => $request->code,
            ],
        ]);

        return json_decode((string) $response->getBody(), true);
    });

    When I try to access http://consumer.dev/redirect, I get this error:

    ClientException in RequestException.php line 111:
    Client error: `POST http://passport.dev/oauth/token` resulted in a `401 Unauthorized` response:
    {"error":"invalid_client","message":"Client authentication failed"}
    

    How to resolve this? Thank you for your help!

    opened by taitrongnguyen107 51
  • Passport Multi-Auth (Implementation)

    Since https://github.com/laravel/passport/issues/161 has been locked we are no longer able to discuss the issue. Before I submit a PR I want to make sure we have a common ground on what the expected behavior is for multi-provider support in Passport. More specifically, should the provider be defined at the oauth client level? This would limit that client id/secret pair to always return from a specific provider. If the gate requested another provider than what the client has defined it would return a 401.

    This is the functionality I have built into my current project and I would be more than willing to issue a PR for it but I want to make sure that is what everyone is expecting.

    EDIT: I should note, that if no provider is set on the oauth client then it will follow the same logic as what is in place now, so it should be backward compatible outside of the migration.

    enhancement 
    opened by billriess 49
  • Associate client_credentials grant to a user

    Hello

    Currently, I'm building an API where my users will be able to create their API keys from my platform and then use them to perform requests. I looked at OAuth 2.0 (given that in the future I'll support the Authorization Code grant and I have a mobile application that uses the password grant), and for this case I want to follow PayPal's authentication system (https://developer.paypal.com/docs/integration/direct/paypal-oauth2/).

    But I have an issue trying to use the client_credentials grant, based on RFC 6749 (OAuth 2.0):

    4.4. Client Credentials Grant

    The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

    If I understand correctly, the client credentials can be associated with a resource owner, or can have a null user instance to access any public resources available.

    In my case, I want the client_credentials to be associated with a user in my system, so that the access token can be related to it, but currently the ClientCredentials grant sets the user instance as null.

    I thought that one solution was to create a new Service Provider based on the PassportServiceProvider, create a custom client credentials grant and then, in the new service provider, enable the grant, but I don't want to keep maintaining the new ServiceProvider with the latest changes of PassportServiceProvider.

    The other solution was to create a new middleware to check if the access token has the client_credentials grant; then I'd look up the client_id and get the user id. But I found this not useful, because the JWT token should have this information.

    I'm not sure which path to follow or if I'm missing something.

    Thanks

    enhancement 
    opened by ghost 48
  • New authorization view response for custom views

    The following PR allows customization of the view used for authorization. While you can publish Passport's views and edit them to your needs, unfortunately this limits you to Blade only. This PR follows Fortify's precedent and allows you to pass a callback or string to a new Passport::authorizationView() function. The following example shows how one would return and render an Inertia component for use with authorization.

    Example:

    AppServiceProvider.php

    <?php

    namespace App\Providers;

    use Illuminate\Support\ServiceProvider;
    use Inertia\Inertia;
    use Laravel\Passport\Passport;

    class AppServiceProvider extends ServiceProvider
    {
        public function register()
        {
            // Return and render our custom Inertia component for authorization.
            // The callback receives the same parameters Passport passes to its Blade view.
            Passport::authorizationView(function ($parameters) {
                return Inertia::render('Passport/Authorize', [
                    'client' => $parameters['client']->id,
                    'name' => $parameters['client']->name,
                    'scopes' => $parameters['scopes'],
                    'state' => $parameters['request']->state,
                    'authToken' => $parameters['authToken'],
                    'csrfToken' => csrf_token(),
                ])->toResponse($parameters['request']);
            });
        }
    }

    opened by JonErickson 1
Releases(v11.3.1)
Owner
The Laravel Framework
Laravel is a web ecosystem full of delightful tools that are supercharged for developer happiness and productivity.
Discord-oauth2 - At the end of oAuth2, which I have been researching and reading for a long time,

Discord-oauth2 - At the end of oAuth2, which I have been researching and reading for a long time, I finally found the way to connect with discord and get information, that's how I did it. If I'm wrong, feel free to email me so I can correct it.

Uğur Mercan 2 Jan 1, 2022
StartZ oauth2-etsy compatible League of PHP OAuth2

Etsy Provider for OAuth 2.0 Client This package provides Etsy OAuth 2.0 support for the PHP League's OAuth 2.0 Client. Requirements The following vers

StartZ 2 Nov 10, 2022
:octocat: Socialite is an OAuth2 Authentication tool. It is inspired by laravel/socialite, you can easily use it without Laravel.

Socialite Socialite is an OAuth2 Authentication tool. It is inspired by laravel/socialite, You can easily use it in any PHP project. Chinese documentation This tool no

安正超 1.2k Dec 22, 2022
This is a basic Oauth2 authorization/authentication server implemented using Mezzio.

Mezzio-OAuth2-Authorization-Authentication-Server This is a basic OAuth2 authorization/authentication server implemented using Mezzio. I have found so

null 1 Nov 15, 2022
Rinvex Authy is a simple wrapper for @Authy TOTP API, the best rated Two-Factor Authentication service for consumers, simplest 2fa Rest API for developers and a strong authentication platform for the enterprise.

Rinvex Authy Rinvex Authy is a simple wrapper for Authy TOTP API, the best rated Two-Factor Authentication service for consumers, simplest 2fa Rest AP

Rinvex 34 Feb 14, 2022
Routes and Middleware for Using OAuth2 Server within a Slim Framework API

Chadicus\Slim\OAuth2 A collection of OAuth2 Server routes, middleware and utilities for use within a Slim 3 Framework API Requirements Chadicus\Slim\O

Chad Gray 126 Oct 8, 2022
Making Laravel Passport work with Lumen

lumen-passport Making Laravel Passport work with Lumen A simple service provider that makes Laravel Passport work with Lumen Dependencies PHP >= 5.6.3

Denis Mysenko 651 Dec 1, 2022
Laravel Passport Memoized

Laravel Passport comes with repositories for the underlying oauth2-server that result in multiple queries to retrieve the same exact object from the database in a single request. With a good database engine this will have a small impact in the range of milliseconds but this is still unacceptable and should be avoided if possible.

Alex Bouma 26 Aug 15, 2022
phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server.

phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server.

Apereo Foundation 780 Dec 24, 2022
Static utility classes to bridge PSR-7 http messages to OAuth2 Server requests and responses.

Static utility classes to bridge PSR-7 http messages to OAuth2 Server requests and responses. While this library is intended for use with Slim 3, it should work with any PSR-7 compatible framework.

Chad Gray 18 Jul 12, 2021
documentation for the oauth2-server-php library

OAuth2 Server PHP Documentation This repository hosts the documentation for the oauth2-server-php library. All submissions are welcome! To submit a ch

Brent Shaffer 227 Nov 24, 2022
A plugin for implementing an OAuth2 server in CakePHP 3

OAuth2 Server for CakePHP 3 A plugin for implementing an OAuth2 server in CakePHP 3. Built on top of the PHP League's OAuth2 Server. Currently we supp

uAfrica Technologies (Pty) Ltd 50 Oct 28, 2022
A demo application for running an OAuth2 server

OAuth2 Demo PHP This application is designed to demo the workflow between OAuth2.0 Clients and Servers. If this is your first time here, try experimen

Brent Shaffer 738 Dec 16, 2022
It's a Laravel 8 authentication markdown that will help you to understand and grasp all the underlying functionality for Session and API Authentication

About Auth Starter It's a Laravel 8 authentication markdown that will help you to understand and grasp all the underlying functionality for Session an

Sami Alateya 10 Aug 3, 2022
OAuth client integration for Symfony. Supports both OAuth1.0a and OAuth2.

HWIOAuthBundle The HWIOAuthBundle adds support for authenticating users via OAuth1.0a or OAuth2 in Symfony. Note: this bundle adds easy way to impleme

Hardware Info 2.2k Dec 30, 2022
:atom: Social (OAuth1\OAuth2\OpenID\OpenIDConnect) sign with PHP :shipit:

SocialConnect Auth Getting Started :: Documentation :: Demo Open source social sign on PHP. Connect your application(s) with social network(s). Code e

SocialConnect 518 Dec 28, 2022
:atom: Social (OAuth1\OAuth2\OpenID\OpenIDConnect) sign with PHP :shipit:

SocialConnect Auth Getting Started :: Documentation :: Demo Open source social sign on PHP. Connect your application(s) with social network(s). Code e

SocialConnect 458 Apr 1, 2021
OAuth2 client for Gov.br

OAuth2 client for Gov.br This package provides OAuth 2.0 support for Gov.br using the League PHP client library. Requirements Supported versions

Breno Roosevelt 11 Dec 27, 2022