
nodenacci's avatar

Laravel Passport refreshing a token manually

Has anyone refreshed a Laravel Passport token manually? I have tried with RefreshTokenRepository::create(), and the attributes array passed to this method is not specific. I would appreciate your help.

0 likes
14 replies
nodenacci's avatar

I'm issuing tokens manually from email/password pair.

martinbean's avatar

@mulugu You shouldn’t be refreshing tokens. The client should be using a refresh token to extend a token’s lifetime if they need to.

It defeats the point of tokens with a limited lifetime and weakens security if you’re just extending tokens on the server side.

nodenacci's avatar

That's what I am looking for. I have created an endpoint for creating a token, and I want to provide another endpoint for refreshing it. Remember, I generate it based on an email/password pair.

martinbean's avatar

@mulugu Then you need to read and understand Passport (and OAuth) better.

Passport already has an endpoint for refreshing access tokens: https://laravel.com/docs/8.x/passport#refreshing-tokens

I have created an endpoint for creating a token.

You should absolutely not be creating your own endpoints for issuing tokens, either. Again, this is what Passport is for and does it out of the box.

robertkabat's avatar

Hey I know it's an old topic but I do have a somewhat similar question. I am trying to figure out how to manually create a user access token and refresh token in the passport. Let me elaborate.

I am using two ways of getting into my app: for email login I am using passport code auth grant with pkce and then for google login I am using socialite.

It's a SPA with backend API. I do not want to use sanctum yet. I have already used passport. For socialite I have retrieved the user from google and I can get the token and refresh token from google. Now how do I proceed? Do I just save google tokens in the DB? How would I auth them against passport?

That is why I think I need to manually create passport token and refresh token after I get user from google. That would solve all my issues.

Do you know how I can create those from within the controller?

1 like
nodenacci's avatar

@robertkabat I hope you have Passport installed.

Next, run php artisan passport:install and php artisan passport:keys.

Implement your user model with Passport to use the HasApiTokens trait:

namespace App\Models;

use Illuminate\Database\Eloquent\SoftDeletes;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Passport\HasApiTokens;

class User extends Authenticatable
{
    use Notifiable, HasApiTokens;
}

Then in your controller do

    $user = $request->user();
    $tokenResult = $user->createToken('Personal Access Token');
    $accessToken = $tokenResult->accessToken; // plain-text token to hand back to the client
robertkabat's avatar

@mulugu Hey, thanks for the quick answer. I do have that part done; however, I am not sure how I get a refresh token manually from Passport?

1 like
martinbean's avatar

@robertkabat You don’t get a refresh token manually. You get a refresh token along with an access token. You’re meant to save both of them. You then use the refresh token to extend the lifetime of an access token. If the access token is refreshed successfully, you’ll be issued a new access token and refresh token.
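As an added illustration of the refresh flow Martin describes (this is not code from the thread, from Passport or from Laravel; it follows the request shape in the refreshing-tokens docs linked above), here is a Laravel HTTP-client call against Passport's own /oauth/token endpoint. The base URL, client id and secret are passed in as parameters and are assumptions; the caller is expected to replace the stored pair with the returned one.

```php
<?php

use Illuminate\Support\Facades\Http;

/**
 * Exchange a stored refresh token for a new access/refresh token pair by
 * calling Passport's /oauth/token endpoint with grant_type=refresh_token.
 *
 * Returns ['access_token', 'refresh_token', 'expires_in'] on success, or
 * null when Passport rejects the refresh token (expired, revoked or reused).
 *
 * $baseUrl, $clientId and $clientSecret are assumptions for this example;
 * in a real app they come from config(), not from hard-coded values.
 */
function refreshPassportToken(
    string $storedRefreshToken,
    string $baseUrl,
    string $clientId,
    ?string $clientSecret = null
): ?array {
    $form = [
        'grant_type'    => 'refresh_token',
        'refresh_token' => $storedRefreshToken,
        'client_id'     => $clientId,
        'scope'         => '',
    ];

    // A confidential client authenticates with its secret; a public (PKCE)
    // client such as a SPA has no secret and omits this field.
    if ($clientSecret !== null) {
        $form['client_secret'] = $clientSecret;
    }

    $response = Http::asForm()->post(rtrim($baseUrl, '/') . '/oauth/token', $form);

    if ($response->failed()) {
        // Passport answers with an OAuth error (typically invalid_grant).
        // There is nothing to "extend" server-side: the user logs in again.
        return null;
    }

    $data = $response->json();

    // Passport rotates the pair: the refresh token just used is revoked when
    // the new one is issued, so BOTH new values must replace the stored ones.
    return [
        'access_token'  => $data['access_token'],
        'refresh_token' => $data['refresh_token'],
        'expires_in'    => $data['expires_in'],
    ];
}
```

The point Martin makes is visible in the return value: a refresh never produces "the same token with a longer life"; it produces a fresh access token and a fresh refresh token, and the old refresh token is no longer usable, which is what keeps a leaked token's window short.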

robertkabat's avatar

@martinbean Hey Martin, thanks for a quick answer.

I feel like I am not explaining the issue very well.

So if I am using passport to guard my endpoints and then I will log in with socialite via google let's say - how do I create passport access and refresh tokens? I do get them from google but I guess they won't work?

I totally get how the tokens work (I hope!) it is just that it is unclear to me what to do in my socialite controller after I retrieve the user from google.

My Laravel backend API powers my NuxtJS app. One way to log in, unrelated to socialite is the Auth Code Grant with PKCE and then I just get my tokens which are flying around with each request and that is working ok. Once the token expires I am using the refresh token to... well refresh the access token.

So now after I log in with socialite I understand I would need again passport tokens to give them back to the front. This is what I do not fully understand, how do I get passport tokens after getting user via socialite.

Am I making any sense? (I hope I do!)

martinbean's avatar

So if I am using passport to guard my endpoints and then I will log in with socialite via google let's say - how do I create passport access and refresh tokens? I do get them from google but I guess they won't work?

@robertkabat You don’t. If you get an OAuth access token from Google then you refresh it via Google’s OAuth endpoint.

1 like
robertkabat's avatar

@martinbean oh I think I am starting to get it now.

Please just correct me if I am wrong, or let me know I am right.

So when I get the tokens from google I just save them in my DB. Then I suppose I am passing that google token to the frontend and using that instead of the passport token. Will that token work with the passport API guard or will I have to create a whole setup for handling google tokens?

I am just trying to understand how it is supposed to work. On one hand I can log in via passport and code auth grant and on the other hand, I will have socialite and google tokens.

Is there anything I could read that would make this a bit clearer? Sorry to be a pain, Martin!

martinbean's avatar

@robertkabat So when you get a response from Google, you’ll get an access token but also other information like the ID of that user on Google. You should use that ID to look up a user in your application. If that Google account has been associated with a user in your application, then you can authorise that user. Otherwise, you can show a prompt saying something like “Sorry, this Google account has not been connected to an App X account” and prompt them to register or associate Google in their account settings if they do have an account on your app already.
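The lookup-by-Google-ID step Martin describes, written out as an added example (not code from the thread or from Socialite/Passport). The google_id, google_token and google_refresh_token columns, the GoogleCallbackController name and the app.spa_url config key are assumptions; after the local session is established, the SPA obtains its Passport tokens through the same authorization-code-with-PKCE flow the thread already uses for password logins, so no token is constructed by hand.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Facades\Socialite;

class GoogleCallbackController extends Controller
{
    public function __invoke(Request $request)
    {
        // Socialite exchanges the authorization code Google sent back for
        // Google's own access/refresh tokens plus the profile. Those tokens are
        // Google's to refresh (via Google's OAuth endpoint), not Passport's.
        $googleUser = Socialite::driver('google')->user();

        // Look the local account up by Google's stable subject id, NOT by the
        // e-mail address: the id is assigned by Google and cannot be chosen by
        // the account holder, which is what makes it a safe link key.
        // (google_id column is an assumption for this example.)
        $user = User::where('google_id', $googleUser->getId())->first();

        if ($user === null) {
            // Not connected: neither auto-create nor auto-link. Send the SPA to
            // a page that tells the person this Google account is not connected
            // and lets them register, or connect Google from account settings
            // after logging in normally. (URL is an assumption.)
            return redirect(config('app.spa_url') . '/login?error=google_not_connected');
        }

        // Keep Google's tokens server-side only if you will call Google APIs
        // later; they are never handed to the browser. Declare these columns
        // with the 'encrypted' Eloquent cast so they are not stored in clear.
        $user->forceFill([
            'google_token'         => $googleUser->token,
            'google_refresh_token' => $googleUser->refreshToken,
        ])->save();

        // Establish the normal first-party session for this verified user. From
        // here the SPA starts Passport's authorization-code grant with PKCE,
        // which authorizes the now-logged-in user and returns a Passport
        // access/refresh pair exactly as it does for password logins.
        Auth::login($user);

        return redirect(config('app.spa_url') . '/auth/callback');
    }
}
```

The controller deliberately stops at "which local user is this?". Everything after that is Passport's existing machinery, which is the answer the thread converges on: Google tokens prove identity to you, Passport tokens prove identity to your API, and the two are never swapped for each other.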
