1 year ago

Laravel Passport: authorization_code

Posted 1 year ago by Tomi


I implemented Laravel Passport as a standalone OAuth2 server, and im consuming the API with a Single Page App also created in Laravel.

My question is more about the Authentification. I got this code from the Laravel Passport Docs:

Route::get('/redirect', function () {
    $query = http_build_query([
        'client_id' => 'client-id',
        'redirect_uri' => '',
        'response_type' => 'code',
        'scope' => '',

    return redirect(''.$query);

Route::get('/callback', function (Request $request) {
    $http = new GuzzleHttp\Client;

    $response = $http->post('', [
        'form_params' => [
            'grant_type' => 'authorization_code',
            'client_id' => 'client-id',
            'client_secret' => 'client-secret',
            'redirect_uri' => '',
            'code' => $request->code,

    return json_decode((string) $response->getBody(), true);

Using this inside my client app. In the callback route i get a Token back wich i store in a Cookie and use it each time i want something from the server, lets say i need User information.

It works all fine as expected, but one thing i noticed. The user can call the /redirect route as much as he wants and this will always generate new access tokens even if the user already got one.

Do i have to prevent the user from doing this? Or is this a job from Passport and i just did configure it wrong?

Please sign in or create an account to participate in this conversation.