noa_developer

Laravel Passport: use PKCE and approve oauth/authorize manually

Hello, I want to create an authentication system using an API with OAuth2 PKCE, and I don't want to use the Laravel UI. What suggestions do you have so that I can manually provide the authentication key?

  1. client sends code_verifier, user, pass to an API route
  2. server checks whether the client exists, approves the auth in the oauth/authorize route and returns the authorize_code
  3. continue ...
1 like
5 replies
nicholaswinston

Your Idea: Send code_verifier, user, and pass to an API, then proceed with standard OAuth 2.0 PKCE.

Security Concern: Sending user and pass directly in an API request is generally insecure. It exposes credentials.

Better Approach (Recommended):

Redirect the user to your /oauth/authorize endpoint. Show a custom login form there (not Laravel UI). Upon successful login, your server generates the authorization_code. The client then exchanges the authorization_code and code_verifier for tokens.

If you insist on your method (use with caution):

Create a dedicated API endpoint. Enforce HTTPS. Securely validate credentials and associate the code_verifier with the user/client on the server temporarily. Handle the /oauth/authorize request by retrieving this stored information.

Bottom line: Your initial idea has security risks. The standard flow with a custom login form is safer.

noa_developer

I accept your answer as being insecure. My main problem is generating the authorize_code on the server. How can I fix this authentication and code generation using Laravel?

  1. client sends: 127.0.0.1:8000/api/v1/oauth/authorize?client_id=01969be6-c24b-737c-bc43-74b42ac117ed&redirect_uri=&response_type=code&scope=&code_challenge=WXjHDjrK8S9baMqKa8jQ7Ag1YKl56Qik2HbQoQKRUaA&code_challenge_method=S256&user_id=1

  2. server: if the client exists, return authorize_code (this section is my problem)

  3. client gets authorize_code and shows the form for the client

  4. client sets name, pass, code_verifier and sends them to the server

  5. server checks the client and returns access and refresh tokens

My problem is step 2: how to generate authorize_code with laravel/passport without the oauth/authorize route, and without generating it manually and saving it to the DB, but instead using the Passport oauth/authorize route on the server with my API. Do you think there is a solution?

noa_developer

I want to approve the authorization without the user clicking buttons, i.e. manually approve it on the server. Is there any solution for this?

martinbean

@noa_developer That completely defeats the point of OAuth (and Passport).

A user is meant to approve (or deny) the authorisation request. To facilitate that, the user needs a UI to authenticate, and then respond to the request.

Please do not try and “change” the flow. OAuth is a standard. There’s no point using it if you’re not going to follow that standard.

noa_developer

Solved it:

  1. create a pkce_auth_code table similar to the OAuth table in Passport
  2. handle code_verifier, code_hashed, hash_method manually
  3. use a password client on the server itself

Sync the table manually with the Passport flow.
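The flow nicholaswinston recommends (custom login on /oauth/authorize, then an authorization_code and code_verifier exchanged for tokens) and the manual table noa_developer ended up with (code_verifier, code_hashed, hash_method) are the same PKCE mechanics. The block below is an added example, not code from this thread or from Laravel Passport: it runs both sides of the exchange in memory so the verifier/challenge handling can be checked against RFC 7636 before it is wired into a real table. The client id, redirect URI, 600-second code lifetime and user_id=1 are constructed values; the in-memory AuthServer stands in for Passport's /oauth/authorize and /oauth/token endpoints and its oauth_auth_codes table.

```python
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Random code_verifier: 32 bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str, method: str = "S256") -> str:
    """code_challenge for a verifier; the server recomputes this at /oauth/token."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: " + method)


@dataclass
class AuthCode:
    """One row of the in-memory stand-in for oauth_auth_codes (constructed)."""
    client_id: str
    user_id: int
    redirect_uri: str
    code_challenge: str
    method: str
    expires_at: float
    used: bool = False


class AuthServer:
    def __init__(self, clients: Dict[str, str]):
        self.clients = clients            # client_id -> registered redirect_uri
        self.codes: Dict[str, AuthCode] = {}

    def authorize(self, params: Dict[str, str], user_id: int) -> str:
        """Server side of /oauth/authorize, run after the user logged in on the
        custom form; user_id comes from that session, not from the query string.
        Returns the redirect URL that carries the authorization code."""
        cid = params["client_id"]
        if cid not in self.clients:
            raise PermissionError("unknown client")
        if params.get("redirect_uri") != self.clients[cid]:
            raise PermissionError("redirect_uri not registered for client")
        if params.get("response_type") != "code":
            raise ValueError("response_type must be 'code'")
        if params.get("code_challenge_method") != "S256":
            raise ValueError("public clients must use S256")
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = AuthCode(cid, user_id, params["redirect_uri"],
                                     params["code_challenge"], "S256",
                                     time.time() + 600)
        return params["redirect_uri"] + "?" + urlencode(
            {"code": code, "state": params.get("state", "")})

    def token(self, client_id: str, code: str, code_verifier: str,
              redirect_uri: str) -> Dict[str, object]:
        """Server side of /oauth/token for grant_type=authorization_code."""
        rec = self.codes.get(code)
        if rec is None or rec.used or rec.expires_at < time.time():
            raise PermissionError("invalid, used or expired code")
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            raise PermissionError("code was issued to another client/redirect_uri")
        expected = challenge_for(code_verifier, rec.method)
        if not secrets.compare_digest(expected, rec.code_challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        rec.used = True                   # single use: a replayed code must fail
        return {"token_type": "Bearer", "user_id": rec.user_id,
                "access_token": b64url(secrets.token_bytes(32)),
                "refresh_token": b64url(secrets.token_bytes(32))}


CLIENT_ID = "spa-client"                      # assumed, constructed values
REDIRECT = "https://app.example/callback"


def run_flow(wrong_verifier: bool = False, replay: bool = False) -> Optional[dict]:
    """Client side: build the authorize request, follow the redirect, exchange
    the code. Returns the token set, or None when the server refuses."""
    server = AuthServer({CLIENT_ID: REDIRECT})
    verifier = make_verifier()
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT,
              "response_type": "code", "scope": "",
              "state": secrets.token_hex(8),
              "code_challenge": challenge_for(verifier),
              "code_challenge_method": "S256"}
    location = server.authorize(params, user_id=1)
    query = parse_qs(urlsplit(location).query)
    if query["state"][0] != params["state"]:
        return None                       # response is not for our request
    code = query["code"][0]
    presented = ("x" * 43) if wrong_verifier else verifier
    try:
        tokens = server.token(CLIENT_ID, code, presented, REDIRECT)
        if replay:                        # second use of the same code
            server.token(CLIENT_ID, code, presented, REDIRECT)
    except PermissionError:
        return None
    return tokens
```

The server never needs the code_verifier before the token step and never needs user credentials in the authorize request: the code is bound to the challenge, the client and the redirect URI when it is issued, and the verifier is only presented once, at exchange time, where a mismatch, an expired code or a second use of the same code is refused. A hand-maintained table like the pkce_auth_code one above has to keep exactly those bindings and the single-use flag.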
