Laravel Passport is an OAuth2 server and API authentication package that is simple and enjoyable to use

Hello all,

I have been messing around with Passport and specifically the Password Grant. The reason for this is I plan to build and API with Laravel and Passport that will consume an SPA. The SPA will not be part of Laravel - not built within Blade views.

The main issue I am running in to is that I am required to share both the Client ID and Secret. However, according to the OAuth spec the Client Secret should never be exposed to the end user as it will make the flow redundant I believe.

I believe this is an issue because Passport has not been provided with a way to combat this security issue. I have read that a proxy should be used to inject the Client Secret into the POST/GET request and then sent to the API, however, I am not sure if this is correct.

It would be a great help if anyone had any ideas on how to deal with this issue.

Also, if you would like me to elaborate further please ask!

Would passport be implementing Multi-Auth system? or is there another way to incorporate the multi-auth into the app.

I have created Multiple Models which use Laravel's Auth system to implement proper multi-auth system. I'm not sure how to use passport for the same.

I'm using Laravel with Passport to secure my API with OAuth. Although, after using a authorized token got with PostMan tool, in all my request using the Passport middleware i'm getting 401. I installed Laravel twice and looked all around the Internet without success and followed this page for installation: click here. There is some of my codes:

The route i'm trying to access:

Route::group(['middleware' => 'auth:api'], function(){
    
    Route::get('/user', function (Request $request) {
        return $request->user();
    });

});

The auth guard:

'guards' => [
    //..

    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],

And I'm using this header in my requests:

Accept: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImU5ZDcwZGY0ZjA2MGZhNDk5MzQ1ZjQyN2QxMWY1MDhkZDI2ZWQxODkzZDgxMTcxYWNkZGYxYTkxYzkwNWYxOGUyMTI2NzY0M2QwZmQyOWRiIn0.eyJhdWQiOiIxIiwianRpIjoiZTlkNzBkZjRmMDYwZmE0OTkzNDVmNDI3ZDExZjUwOGRkMjZlZDE4OTNkODExNzFhY2RkZjFhOTFjOTA1ZjE4ZTIxMjY3NjQzZDBmZDI5ZGIiLCJpYXQiOjE1MDE1Mjc2NDYsIm5iZiI6MTUwMTUyNzY0NiwiZXhwIjoxNTMzMDYzNjQ2LCJzdWIiOiIxIiwic2NvcGVzIjpbXX0.dbJ4jddUZx1BT9X81LQIY-Dcx6xdDtmm2nH_C6t7rgFYzRTjab6w7T1NXfzKNlAeyi4iWJAARSBDI32vCeGuAy1ukFvr0qkoEp8UIZEqeeQYYam1Oox_0fuLlJyzwkOIospEc53KZBB0AQrPpW12abxZiZ6asQ9S4AbEJa5N95QFaYRMlxPxEMQOFt28v5148-shawcmtdV-AuAOpvsmap5_f4vQ-NY9R_He0NS4zOOQEY7sPIaRrsQ_XEAJwyiGnrUyufLr02T8wDUcqTskxCtizZx0aHN8i8lz9_X7xBFMHLj4zI4R3wfuZTWlOww07HdBt1oX8PAWvTgA0lw4Sq_xeKa3-MfuCasC4Vh_KWuvHQAfTIuCQw4lPOELfWWaeJTaEuuos7YFbOdoZIHoQWVs4lcisKpHuTGd8bzIPY9GGYsG26LRZB62vX358bijUuurh8p3ajPOt45tmvJnYyaHdf1gW5YwEqbtb07bohMrLFCNhYT0JFZvKa54FRRbB6BLA4lToDA4j1secMKan8mRMLwjEhqyPD0qxBswiMc127ryQ4CLvtKZ75Weno3oAnZ29ZkgtJCTESMzFjd41K-KgrV-s9KTWvfvmOECQUTQz6xUZ5WyVLzPZdBi6wNRYdAp4xRTA1RNUH3TSAP9qYt-xWTwNANXLvL5gBkBjQM

It feels a bit strange to get a client ID as the primary key of oauth_clients @taylorotwell Would it not make sense to provide a uuid field for that ?

Hi, today I updated composer and I got this error: Operation failed: Operation not permitted

I have resolved this probem by running the following commands: chmod 600 storage/oauth-private.key chmod 600 storage/oauth-public.key

But then I got the following error: "storage/oauth-private.key" does not exist or is not readable

Thanks for help

Hi,

I want to add some user info into my JWT. It can be done by changing the response type of the authorization server with bearer token supporting extra params.

Ref: https://github.com/thephpleague/oauth2-server/blob/master/tests/ResponseTypes/BearerTokenResponseWithParams.php

But I am not sure how can I change the response type inside the passport.

Hello,

on my windows machine everything works great, but after deploy (upload everything except the vendor dir) the passport commands and migrate doesn't work.

Output:

****@**** ~/**** $ php artisan migrate
Migration table created successfully.
Migrated: 2014_10_12_000000_create_users_table
Migrated: 2014_10_12_100000_create_password_resets_table

****@**** ~/**** $ php artisan passport:install


  [Symfony\Component\Console\Exception\CommandNotFoundException]
  There are no commands defined in the "passport" namespace.

App Config:

/*
 * Package Service Providers...
 */
Laravel\Passport\PassportServiceProvider::class,

Sorry for asking a question here, but I tried elsewhere and no one could answer.

Let's say I have a mobile app in which the user can login with Facebook. If it was on the web, after the authorization I would have this: auth()->login($user); but I'm not sure how to do this with Passport.

The use does have a createToken() method, but how do I get the refresh token so I can have a reponse like this?

{
  "token_type": "Bearer",
  "expires_in": 3155673600,
  "access_token": "eyJ0eXAiOiJK...",
  "refresh_token": "LbxXGlD2s..."
}

I followed the exact steps mentioned in the Laracast: What's New in Laravel 5.3: Laravel Passport and API Authentication (Passport) to implement API Authentication using Oauth2.

consumer/routes/web.php

Route::get('/redirect', function () {
    $query = http_build_query([
        'client_id' => '3',
        'redirect_uri' => 'http://consumer.dev/callback',
        'response_type' => 'code',
        'scope' => '',
    ]);

    return redirect('http://passport.dev/oauth/authorize?'.$query);
});

Route::get('/callback', function (Request $request) {
    $http = new GuzzleHttp\Client;

    $response = $http->post('http://passport.dev/oauth/token', [
        'form_params' => [
            'grant_type' => 'authorization_code',
            'client_id' => '3',
            'client_secret' => '3TfJGj4rrvOQvjZkI8dDqx78ouH99F2DuIMKHoKH',
            'redirect_uri' => 'http://consumer.dev/callback',
            'code' => $request->code,
        ],
    ]);

    return json_decode((string) $response->getBody(), true);
});

When I try to access http://consumer.dev/redirect, I get this error:

ClientException in RequestException.php line 111:
Client error: `POST http://passport.dev/oauth/token` resulted in a `401 Unauthorized` response:
{"error":"invalid_client","message":"Client authentication failed"}

How to resolve this? Thank you for your help!

Since https://github.com/laravel/passport/issues/161 has been locked we are no longer able to discuss the issue. Before I submit a PR I want to make sure we have a common ground on what the expected behavior is for multi-provider support in Passport. More specifically, should the provider be defined at the oauth client level? This would limit that client id/secret pair to always return from a specific provider. If the gate requested another provider than what the client has defined it would return a 401.

This is the functionality I have built into my current project and I would be more than willing to issue a PR for it but I want to make sure that is what everyone is expecting.

EDIT: I should note, that if no provider is set on the oauth client then it will follow the same logic as what is in place now, so it should be backward compatible outside of the migration.

Hello

Currently, I'm building an API where my users will be able to create their API keys from my platform and then use them to perform requests, I look for OAuth 2.0 (given that in the future I'll support the Authorization Code and I have a mobile application that uses the password grant), and for this case I want to follow PayPal authentication system (https://developer.paypal.com/docs/integration/direct/paypal-oauth2/).

But I have an issue trying to use the client_credentials grant, based on the RFC 6749 of OAuth 2.0:

4.4. Client Credentials Grant

The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

If I understand correctly, the client credentials can be associated to a resource owner or can have a null user instance to access any public resources available.

In my case, I want that the client_credentials are associated to a user in my system, and then, the access token can be related to it, but currently, the ClientCredentials grant sets the user instance as null.

I thought that one solution was create a new Service Provider based on the PassportServiceProvider, create a custom client credentials grant and then in the new service provider, enable the grant, but I don't want to keep maintaining the new ServiceProvider with the latest changes of PassportServiceProvider.

The other solution was to create a new middleware to check if the access token has the client_credentials grant, then, I'll look up for the client_id and then, get the user id, but I found this not useful because the JWT token should have this information.

I'm not sure which path to follow or if I miss something.

Thanks

The following PR allows customization of the view used for authorization. While you can publish Passport's views and edit them to your needs, unfortunately, this limits you to only the blade. This PR follows Fortify's precedence and allows you to pass a callback or string to a new Passport::authorizationView() function. The following example is how one would return and render an Inertia component for use with authorization.

Example:

AppServiceProvider.php

public function register() {

    // Return and render our custom Inertia component for authorization
    Passport::authorizationView(function ($parameters) {
        return Inertia::render('Passport/Authorize', [
            'client' => $parameters['client']->id,
            'name' => $parameters['client']->name,
            'scopes' => $parameters['scopes'],
            'state' => $parameters['request']->state,
            'authToken' => $parameters['authToken'],
            'csrfToken' => csrf_token(),
        ])->toResponse($parameters['request']);
    });
}