How to Use Laravel Passport with Password Grant Tokens

How to use Laravel Passport with Password Grant Tokens?

If you are consuming your own api then you don't need to call http://example.com/oauth/token
for user login because then you need to store client_id and client_secret at app side. Better you create an api for login and there you can check the credentials and generate the personal token.

public function login(Request $request)
{
        $credentials = $request->only('email', 'password');

        if (Auth::attempt($credentials)) {
            // Authentication passed...
             $user = Auth::user();
             $token = $user->createToken('Token Name')->accessToken;

            return response()->json($token);
        }
}

Finally, there are a lot of endpoints that I get from passport that I
don't think I will use for example: oauth/clients*,
oauth/personal-access-tokens* is there a way to remove them from the
endpoints published by passport?

You need to remove Passport::routes(); from AuthServiceProvider and manually put only required passport routes. I think you only need oauth/token route.

what exactly is "The-App" value for?

if you check oauth_access_tokens table it has name field. $user->createToken('Token Name')->accessToken; here the "Token Name" stored in name field.

How to use Laravel Passport with Password Grant Tokens?

To generate password grant token you have to store client_id and client_secret at app side (not recommended, check this ) and suppose if you have to reset the client_secret then the old version app stop working, these are the problems. To generate password grant token you have to call this api like you mention in step 3.

$http = new GuzzleHttp\Client;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'password',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'username' => 'taylor@laravel.com',
        'password' => 'my-password',
        'scope' => '',
    ],
]);

return json_decode((string) $response->getBody(), true);

Generate token from refresh_token

$http = new GuzzleHttp\Client;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'refresh_token',
        'refresh_token' => 'the-refresh-token',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'scope' => '',
    ],
]);

return json_decode((string) $response->getBody(), true);

You can look this https://laravel.com/docs/5.6/passport#implicit-grant-tokens too.

get password client from access token passport laravel

For obtaining the client_id and client_secret for Password Grant Client you need to run the following command on your authorization server (OAuth server) as stated here https://laravel.com/docs/9.x/passport#creating-a-password-grant-client

php artisan passport:client --password

The above command is not necessary to run if you already ran passport:install. The easiest way is to check your oauth_clients table for the column password_client there should be a row that has this value set to 1 (enabled).

It seems from your question that you are trying to obtain the client_id and client_secret programmatically from your client. This is not the correct way of doing it.
Basically after you run the above command to generate your client_id and client_secret you need to hard code them in your .env and use them in you CURL such as:


$response = Http::asForm()->post('http://passport-app.test/oauth/token', [
    'grant_type' => 'password',
    'client_id' => env('OAUTH_CLIENT_ID'),
    'client_secret' => env('OAUTH_CLIENT_SECRET'),
    'username' => $username,
    'password' => $password,
    'scope' => '*',
]);
 
return $response->json();

You can obtain your client_id and client_secret from the oauth_clients table. Just make sure to copy the values where the password_client column is set to 1.

There should not be any security concern if your client is storing these credentials in the backend and doing the CURL from the backend.

In the case you are trying to do this from a mobile app and you might not have a way to securely store the client_id and client_secret. In this case you should not be using the Password Grant Client flow but instead the Authorization Code Grant with PKCE: https://laravel.com/docs/9.x/passport#code-grant-pkce


Related Topics

How to Allow Remote Access to My Wamp Server for Mobile(Android)

How to Create Thumbnails or Preview for Videos

How to Disable Mod_Security in .Htaccess File

How to Print Multidimensional Arrays in PHP

How to Check If a Value Already Exists to Avoid Duplicates

Send a JSON Object from Android to PHP Server with Post Method and Httpurlconnection

Time Calculation in PHP (Add 10 Hours)

How to Use JSON_Encode

How to Merge Array and Preserve Keys

How to Specify Multiple Return Types on PHP 7

How to Get the Home Directory from a PHP Cli Script

Colon After Method Declaration

How to Send the Values of an Array of Checkboxes Through Ajax Using Jquery

Move an Array Element to a New Index in PHP

How to Return Custom Error Message from Controller Method Validation

Root Path Doesn't Work with PHP Include

How to Install Imagemagick to Use with PHP on Windows 7 (3)

How to Use PHPunit to Test a Function If That Function Is Supposed to Kill PHP


Leave a reply



Submit