RonanH's avatar

Call existing Controller from Passport Client Credentials API endpoint

Hi,

I am trying to get the Laravel Passport Client Credentials OAuth flow working, but I don't know how to call an existing controller when coming in on an API client middleware authentication Route. Does anyone know what I'm doing wrong here? I am trying to call the ApplicationController@index method and let that handle the API return. I have set up the CheckClientCredentials middleware in app/Http/Kernel.php according to the documentation. This just returns the HTML login page view and never gets to the ApplicationController that I am trying to access.

Route::middleware('client')->get('/application', 'ApplicationController@index', function (Request $request) { });

Thanks!

MichalOravec's avatar

What is this?

Route::middleware('client')->get('/application', 'ApplicationController@index', function (Request $request) { });

It should be just

Route::get('/application', 'ApplicationController@index')->middleware('client');
RonanH's avatar

Thanks Michal, I see there was no need to be passing on the $request in the callback. I have now removed this from the route, but I am still never getting to the ApplicationController@index method. This is what I have now:

Route::middleware('client')->get('/application', 'ApplicationController@index');

RonanH's avatar

I figured out the issue. I was checking if the user was logged in in the constructor of the Application controller with:

$this->middleware('auth');

So I was never hitting the index method.

RonanH's avatar

One more question. When you create a client with the --client flag, you are not prompted to insert the user id that it's associated with. If you do this manually, how do you determine the user that is accessing the API through the Client Credentials flow? I thought the client middleware would automatically get the user, which I could then access like normal with the Auth Facade, e.g. $user_id = Auth::user()->id;, but this does not seem to be happening.

rodrigo.pedra's avatar

The client credentials grant is meant for machine-to-machine communication:

The client credentials grant is suitable for machine-to-machine authentication. For example, you might use this grant in a scheduled job which is performing maintenance tasks over an API.

Reference: https://laravel.com/docs/8.x/passport#client-credentials-grant-tokens

Therefore no users are bound to requests authenticated with the client middleware. That is by design.

For example, let's say you have an app that centralizes data about products to several other apps: An e-commerce app used by your customers, an inventory management app used by staff, etc.

Maybe the inventory app needs to ask the central repository app to trigger a catalog search index rebuild from time to time. This request doesn't need a user bound to it; it can even be triggered from a scheduled job on the inventory app. But you still want to authenticate the request so it doesn't get abused if someone finds the URL to trigger it. This is a scenario where using client credentials comes in handy.

If you need to have a user associated with that request, use the regular authentication middleware (auth:api after you have configured Passport) and send the user's access token along.
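
The fix found earlier in the thread and the answer above, put together as an added example (not code posted by anyone in the thread, and not Laravel's own): one controller serving a client-credentials route and a user-token route. It assumes Laravel 8 with Passport; the `mine` action, the `/my-applications` route and the JSON fields are hypothetical.

```php
<?php
// app/Http/Controllers/ApplicationController.php
// Added example; assumes Laravel 8 with Passport installed.
namespace App\Http\Controllers;

use Illuminate\Http\Request;

/*
 * routes/api.php (first route from the thread, second one hypothetical):
 *   Route::get('/application', 'ApplicationController@index')->middleware('client');
 *   Route::get('/my-applications', 'ApplicationController@mine')->middleware('auth:api');
 *
 * app/Http/Kernel.php, $routeMiddleware, per the Passport documentation:
 *   'client' => \Laravel\Passport\Http\Middleware\CheckClientCredentials::class,
 */
class ApplicationController extends Controller
{
    public function __construct()
    {
        // A blanket $this->middleware('auth') here applies the session guard
        // to every action, so a client-credentials request is answered with
        // the login page before index() runs. Exempt the token-protected
        // actions; their authentication is declared on the routes instead.
        $this->middleware('auth')->except(['index', 'mine']);
    }

    // Machine-to-machine: reached with a client credentials token.
    public function index(Request $request)
    {
        // No user is bound to a client credentials token, so this is null.
        // Do not derive ownership or authorization from a user on this route.
        $user = $request->user();

        return response()->json([
            'caller'  => 'client',
            'user_id' => $user ? $user->id : null,
        ]);
    }

    // User-bound: reached with a user's access token through auth:api.
    public function mine(Request $request)
    {
        // auth:api has already rejected requests without a valid user token.
        return response()->json(['caller' => 'user', 'user_id' => $request->user()->id]);
    }
}
```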
