stevenlee

Passport client-credential grant to protect register route

I am using the Laravel Passport password grant to guard APIs for a mobile app. Working great so far. Once I have a password client and an existing user, I can pass oauth/token with [clientID, clientSecret, email, pwd, etc] and get an access token to access the rest of my APIs.

I want to create a register API route (i.e. mysite.com/api/register and not mysite.com/register) so the mobile app can show a native register form instead of just bringing up a webview with the mysite.com/register URL. How do I protect the register API route and make sure only our mobile client can access it? Someone from oauth2-server-laravel suggested that we should use the client-credential grant for registration. Does Laravel Passport support the client-credential grant? Or is there a better way to protect the route?

paulgoodfield

@stevenlee I'm having the same issue right now. There are certain endpoints on my API that I only want accessible from my web client. It sounds like the client-credential grant is what we need but that doesn't seem to be part of Passport. Have you come across any solution yet?

smartsolutio

I also need this and managed to get halfway through so far. What you need to do is POST to /oauth/token and send these parameters: grant_type='client_credentials', client_id='your_client_id', client_secret='your_client_secret'. You will get back a new access token.

I just need to figure out, how to authenticate the request that needs client credentials. Hopefully will solve this today.

enx

Hi smartsolutio, have you found out how to authenticate a request against client_credentials? I'm in your exact situation, but I can't find a solution :'(

Thanks, ENx

Admiinx (Best Answer)

@smartsolutio, @enx You can add it to the routeMiddleware in \App\Http\Kernel.php:

protected $routeMiddleware = [
    // add this entry to the existing array; the alias name is up to you
    'auth_client' => \Laravel\Passport\Http\Middleware\CheckClientCredentials::class,
];

then check on your routes with:

Route::get('example', 'ExampleController@test')->middleware('auth_client');
enx
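
A fuller version of the route side, as an added example that is not code from the thread or from Passport itself: the register endpoint the original question asks for, guarded by the middleware alias registered above. It assumes Laravel 5.x with Passport installed, the default App\User model (name, email, password columns), the alias registered as 'client' in app/Http/Kernel.php, and Laravel's built-in 'throttle' middleware; the validation rules and response shape are illustrative.

```php
<?php
// Added example, not from the thread: routes/api.php for a native-app register
// endpoint behind Passport's client-credentials middleware.
//
// Assumes this alias in app/Http/Kernel.php (name is your choice; the thread
// used 'auth_client'):
//
//     'client' => \Laravel\Passport\Http\Middleware\CheckClientCredentials::class,

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Validator;

// CheckClientCredentials rejects any request that does not carry a valid Passport
// access token in "Authorization: Bearer <token>". Scopes can be required by
// listing them after the alias ('client:register' would require the 'register'
// scope). 'throttle:10,1' (10 requests per minute per IP) is Laravel's built-in
// rate limiter; a register endpoint is a natural target for bulk account
// creation, so keep the limit low.
Route::post('register', function (Request $request) {
    $validator = Validator::make($request->all(), [
        'name'     => 'required|string|max:255',
        'email'    => 'required|email|max:255|unique:users',
        'password' => 'required|string|min:8|confirmed', // needs password_confirmation
    ]);

    if ($validator->fails()) {
        return response()->json(['errors' => $validator->errors()], 422);
    }

    $user = User::create([
        'name'     => $request->input('name'),
        'email'    => $request->input('email'),
        'password' => Hash::make($request->input('password')), // never store plaintext
    ]);

    // Return only what the app needs; it can now log in via the password grant.
    return response()->json(['id' => $user->id, 'email' => $user->email], 201);
})->middleware(['client', 'throttle:10,1']);
```

One caveat worth stating plainly: the middleware proves that the caller presented a token issued to some Passport client, not that the caller is your mobile app. A client secret shipped inside a mobile binary can be extracted, so "only our mobile client can access it" is not something a shared secret can guarantee; treat the client-credentials check as a way to keep casual callers and web-only clients out, keep the rate limit and validation in place, and be ready to rotate the secret.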

@Admiinx Thanks a lot for your help, I will give it a try. Thanks again, ENx

warrence

Hi, I tried this but I'm getting the unauthenticated error. How do you pass your client id and secret? Is it in the body or the header?

fronterace

@warrence

If you have an access token, you need to pass the "Authentication" header with a value of Bearer [AccessToken]

For example: Authentication: Bearer jdkwdawUDWJdmdwakdwajJDLWUN
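
Both halves of the client side, the token request smartsolutio describes and the bearer header in the reply above, as one added example that is not code from the thread. It uses Guzzle 6 (composer require guzzlehttp/guzzle), assumes a Passport client created with php artisan passport:client, and assumes a POST /api/register route behind Passport's CheckClientCredentials middleware; the base URL, client id and secret, and form fields are placeholders. Note that the HTTP header carrying the token is named Authorization (the reply above writes "Authentication"; a server will ignore a header by that name and answer 401).

```php
<?php
// Added example, not from the thread: obtain a client-credentials token from
// Passport's /oauth/token endpoint and call a protected API route with it.
// Assumes Guzzle 6; base URL, client id/secret and form fields are placeholders.

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\ClientException;

$http = new Client(['base_uri' => 'https://mysite.com']);

// Step 1: the token request. The credentials go in the POST body (form-encoded);
// no user is involved, which is what makes this grant fit a registration route.
$response = $http->post('/oauth/token', [
    'form_params' => [
        'grant_type'    => 'client_credentials',
        'client_id'     => '2',                        // placeholder
        'client_secret' => 'replace-with-your-secret', // placeholder
        'scope'         => '',                         // or a space-separated list
    ],
]);
$token = json_decode((string) $response->getBody(), true);
// $token contains token_type ("Bearer"), expires_in and access_token.

// Step 2: call the protected route. The token goes in the Authorization header
// with a "Bearer " prefix. "Accept: application/json" makes Laravel answer a
// missing or invalid token with a JSON 401 instead of redirecting to the web
// login page, which is the usual cause of a confusing "unauthenticated" result.
try {
    $reg = $http->post('/api/register', [
        'headers' => [
            'Authorization' => 'Bearer ' . $token['access_token'],
            'Accept'        => 'application/json',
        ],
        'form_params' => [
            'name'                  => 'Jane Example',
            'email'                 => 'jane@example.com',
            'password'              => 'correct horse battery',
            'password_confirmation' => 'correct horse battery',
        ],
    ]);
    echo $reg->getStatusCode(), ' ', $reg->getBody(), PHP_EOL;
} catch (ClientException $e) {
    // 401: the middleware rejected the token. 422: the route's validation failed.
    echo $e->getResponse()->getStatusCode(), ' ', $e->getResponse()->getBody(), PHP_EOL;
}
```

The same two calls with curl are `curl -X POST https://mysite.com/oauth/token -d grant_type=client_credentials -d client_id=... -d client_secret=...` followed by `curl -X POST https://mysite.com/api/register -H 'Authorization: Bearer <access_token>' -H 'Accept: application/json' -d ...`. The secret is only ever sent to /oauth/token; the protected route sees the token, not the secret.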

amosmos

Hi, this is a helpful thread.

I'm just wondering how you set the client to be used with the client credentials - since adding clients requires a user id, and the whole idea of the client credentials is that there is no user.

Walster

@amosmos

I used php artisan passport:client and added a user_id of 1.

As the token request only requires the client_id & client_secret, my assumption (MOAFU's) is that the user ID is irrelevant: the token still gets issued even if I null the user_id in the DB and, if it is still there, it does not return a user.

I'm using both Passport Grant & Client Credentials in my small API, with the Passport Grant being used by an external client to log the user in and the Client Credentials for server-to-server requests.
