
lbecket (Level 39)

Create API Token with Passport

I have an API that has to use OAuth2 for its integration with a financial platform. It also needs to integrate with Salesforce, for which a personal access token is the preferred method. The problem, however, is that Salesforce limits the length of its headers to 1,000 characters and the Passport tokens are slightly longer than that. Sanctum's API tokens are a great solution, but I need to stick with Passport in order to accommodate the higher security threshold required by the financial platform. Is there a way to reduce the length of the personal access token created in Passport?

0 likes
5 replies
LaryAI (Level 58)

To address the issue of reducing the length of personal access tokens created by Laravel Passport, you can customize the token generation process. By default, Passport uses the League\OAuth2\Server\CryptKey class to generate tokens, which can result in longer tokens. However, you can override this behavior to generate shorter tokens.

Here's a step-by-step solution to achieve this:

  1. Create a Custom Token Repository: Create a custom token repository that generates shorter tokens. You can extend the default PersonalAccessTokenRepository provided by Passport.

    namespace App\Repositories;
    
    use Illuminate\Support\Str;
    use Laravel\Passport\PersonalAccessTokenRepository as PassportPersonalAccessTokenRepository;
    use Laravel\Passport\PersonalAccessTokenResult;
    use Laravel\Passport\Token;
    
    class CustomPersonalAccessTokenRepository extends PassportPersonalAccessTokenRepository
    {
        /**
         * Create a new personal access token.
         *
         * @param  mixed  $userId
         * @param  string  $name
         * @param  array  $scopes
         * @return \Laravel\Passport\PersonalAccessTokenResult
         */
        public function create($userId, $name, array $scopes = [])
        {
            $token = $this->tokens->create([
                'user_id' => $userId,
                'name' => $name,
                'scopes' => $scopes,
                'revoked' => false,
                'expires_at' => $this->expiration ? now()->addMinutes($this->expiration) : null,
            ]);
    
            // str_random() was removed from Laravel; use the Str facade's random() instead.
            $accessToken = $token->id . '.' . Str::random(40);
    
            return new PersonalAccessTokenResult($accessToken, $token);
        }
    }
    
  2. Register the Custom Repository: In your AppServiceProvider or a dedicated service provider, bind the custom repository to the container.

    namespace App\Providers;
    
    use Illuminate\Support\ServiceProvider;
    use Laravel\Passport\Passport;
    use App\Repositories\CustomPersonalAccessTokenRepository;
    
    class AppServiceProvider extends ServiceProvider
    {
        /**
         * Register any application services.
         *
         * @return void
         */
        public function register()
        {
            $this->app->singleton(
                \Laravel\Passport\PersonalAccessTokenRepository::class,
                CustomPersonalAccessTokenRepository::class
            );
        }
    
        /**
         * Bootstrap any application services.
         *
         * @return void
         */
        public function boot()
        {
            Passport::routes();
        }
    }
    
  3. Generate the Token: Now, when you generate a personal access token, it will use the custom repository and produce a shorter token.

    use Illuminate\Support\Facades\Auth;
    
    $user = Auth::user();
    $tokenResult = $user->createToken('Personal Access Token');
    $token = $tokenResult->accessToken;
    
    // Use the token as needed
    

This approach ensures that the personal access tokens generated by Passport are shorter and should fit within the 1,000-character limit imposed by Salesforce. However, be aware that this customization might affect the security of the tokens, so ensure that the generated tokens are still secure enough for your use case.
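As an added illustration (not code from the thread, from Laravel or from Passport), the following plain-PHP script shows the pattern that keeps an opaque API token short while still letting the server verify it: the plaintext secret is returned once, only its SHA-256 hash is persisted, and verification uses a constant-time comparison plus an expiry check. This is the same idea Sanctum's API tokens use, written here without any framework; the in-memory `$rows` array and the class name `OpaqueTokenStore` are assumptions standing in for a database table and a model.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread: short opaque API tokens with
// hashed storage. Plain PHP; the $rows array stands in for a tokens table.
final class OpaqueTokenStore
{
    /** @var array<int, array{user_id:int, name:string, hash:string, expires_at:?int}> */
    private array $rows = [];
    private int $nextId = 1;

    // Issue a token: hand back the plaintext once, persist only its hash.
    public function issue(int $userId, string $name, ?int $ttlSeconds = null): string
    {
        $secret = bin2hex(random_bytes(20)); // 40 hex chars, 160 bits of entropy
        $id = $this->nextId++;
        $this->rows[$id] = [
            'user_id'    => $userId,
            'name'       => $name,
            'hash'       => hash('sha256', $secret),
            'expires_at' => $ttlSeconds === null ? null : time() + $ttlSeconds,
        ];
        // "id|secret" lets verification look the row up by key instead of scanning hashes.
        return $id . '|' . $secret;
    }

    // Verify a presented token; returns the owning user id, or null if it is not valid.
    public function verify(string $presented, ?int $now = null): ?int
    {
        $now ??= time();
        if (substr_count($presented, '|') !== 1) {
            return null;
        }
        [$idPart, $secret] = explode('|', $presented, 2);
        if (!ctype_digit($idPart) || !isset($this->rows[(int) $idPart])) {
            return null;
        }
        $row = $this->rows[(int) $idPart];
        // Compare hashes in constant time; the raw secret is never stored or compared.
        if (!hash_equals($row['hash'], hash('sha256', $secret))) {
            return null;
        }
        if ($row['expires_at'] !== null && $row['expires_at'] <= $now) {
            return null;
        }
        return $row['user_id'];
    }
}

// Explicit check helper so the demonstration does not depend on zend.assertions.
function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
}

$store = new OpaqueTokenStore();
$token = $store->issue(42, 'salesforce-integration', 3600);
$headerValue = 'Bearer ' . $token;

check(strlen($headerValue) < 1000, 'header value fits the 1,000-character limit cited above');
check($store->verify($token) === 42, 'valid token resolves to its user');
check($store->verify(substr($token, 0, -1)) === null, 'truncated secret is rejected');
check($store->verify('1|' . str_repeat('0', 40)) === null, 'wrong secret for a real id is rejected');
check($store->verify('notatoken') === null, 'malformed token is rejected');
check($store->verify($token, time() + 7200) === null, 'expired token is rejected');

printf("token: %s (%d chars)\n", $token, strlen($token));
```

Run it with `php opaque_token.php`; the printed token is well under any 1,000-character header limit. The point worth keeping in mind when shortening tokens is the one this script makes explicit: a token is only as useful as the server-side record that can verify it, so whatever random value is handed out must have a stored hash and an expiry behind it.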

martinbean

It also needs to integrate with Salesforce, for which a personal access token is the preferred method. The problem, however, is that Salesforce limits the length of its headers to 1,000 characters and the Passport tokens are slightly longer than that.

@lbecket Surely if you’re working with Salesforce, then you obtain an OAuth access token from Salesforce, to then use in subsequent requests to Salesforce’s API?

I have no idea what you mean by “Passport tokens are slightly longer than that”. That’s the complete wrong way around when it comes to OAuth. Salesforce would give you a token to authorise as a user. You don’t make your own tokens up and give them to Salesforce. Otherwise how are they going to know the difference between your tokens and one I create with the value VALID_SALESFORCE_TOKEN_HONEST_PLEASE_GIVE_ME_ALL_THE_ACCESS_NOW?

lbecket (Level 39)

@martinbean The whole point is that I don't want to use OAuth in Salesforce, but I need to be able to use it for other system integrations, which is why I'm using Passport at all. The API tokens issued by Sanctum are 64 characters and able to be passed in the request header. The personal access tokens issued by Passport are 1,027 characters, a length that is "slightly longer" than the 1,000 character limit imposed by Salesforce. I suppose what I should have asked is whether Passport is capable of issuing an API token in the same way that Sanctum does, but this does not appear to be possible based on the documentation and so I instead asked whether Passport's personal access tokens can be configured with a character count below 1,000. Perhaps neither option exists, but that's what I'm attempting to clarify.

martinbean

@lbecket Passport is for adding an OAuth authorisation server to your application, to allow first- and third-party clients to interact with your users. It’s not for creating magic tokens that you’d then use to magically authorise against third party’s APIs.

How are you expecting to use Passport to create a token that would then allow you access to Salesforce’s API? Again, if you want to make requests to Salesforce’s API then you need to obtain an access token—from Salesforce—on behalf of the Salesforce user whose Salesforce resources you wish to work with.

lbecket (Level 39)

@martinbean

How are you expecting to use Passport to create a token that would then allow you access to Salesforce’s API?

I'm not. This is for Salesforce to access my API, I don't need to access the Salesforce API. Again, the Sanctum API token gets the job done. I'm simply wondering if Passport can issue a similar token.
