@etelford, you seem to be developing a similar architecture. How do you deal with this?
Passport + REST + make:auth
Hi,
After testing (and loving) Laravel Passport, I was hoping the make:auth scaffold would yield me REST-ready user sign-up/recovery/updatePassword methods. The methods however seem to be depending on the Laravel views.
What's a good way to expose these methods over REST?
I'm using Laravel (+Passport) as a backend only, the frontend is completely separated (React.js).
Sander
If you're using the API then these are included in Passport routes.. You would send a POST request to /oauth/token as outlined here: https://laravel.com/docs/master/passport#password-grant-tokens
So the steps are:
1. Generate password grant token: `php artisan passport:client --password`. This creates a client in `oauth_clients` (Passport generates one of these automatically when you run `php artisan passport:install`).
2. Post to `/oauth/token` using the `oauth_clients.secret` as the `Authorization` header with `Bearer {oauth_clients.secret}` as the value.
3. This will return an `access_token`, a `refresh_token` and an `expires` value (which is expressed as seconds since the `access_token` was created). This will also create a row in `oauth_access_tokens` attached to the user id that was authenticated.
4. Now when you hit any other API endpoints in your app, you use the `access_token` retrieved in Step 3. If the `access_token` is expired, then you'll need to send another POST request to `/oauth/token`, but this time as a `refresh_token` `grant_type` (https://laravel.com/docs/master/passport#refreshing-tokens).
Another thing, if you only need to access your API from a frontend in the same application, then there is likely not a need for what I described above.
For example, I have an app running with L5.3 and Passport with Vue (as a single page app). The default 5.3 installation adds an X-CSRF-TOKEN header to each request (see /resources/assets/js/bootstrap.js).
Since you're using React, you would have to add this functionality yourself using some type of HTTP interceptor. (https://laravel.com/docs/master/passport#consuming-your-api-with-javascript)
Does this help?
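The token exchange described in the steps above, as an added example that is not from this thread and not Passport's own code: a small fetch wrapper for the React side (the "HTTP interceptor" role) that performs the password grant and the refresh-token grant against /oauth/token using the form fields from the linked Passport docs (grant_type, client_id, client_secret, username, password, scope), attaches the Bearer header to every API call, and refreshes when the stored token has expired. The injected `http` function, the base URL, the client id and secret, and the `now` clock are assumptions so the flow can run offline.

```javascript
// Added example (not from the thread): Passport password-grant client with automatic refresh.
// `http` is any function with fetch's signature (window.fetch in the browser); it is injected
// so the exchange can be exercised offline. `now` is injected for the same reason.
class PassportClient {
  constructor(http, baseUrl, clientId, clientSecret, now = Date.now) {
    this.http = http;
    this.baseUrl = baseUrl;
    this.clientId = clientId;        // assumed: id from the oauth_clients row
    this.clientSecret = clientSecret; // assumed: secret from the same row
    this.now = now;
    this.tokens = null;               // { accessToken, refreshToken, expiresAt }
  }

  // POST x-www-form-urlencoded fields to /oauth/token and remember the issued tokens.
  async tokenRequest(params) {
    const body = new URLSearchParams({ client_id: this.clientId, client_secret: this.clientSecret, ...params });
    const res = await this.http(`${this.baseUrl}/oauth/token`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
      body: body.toString(),
    });
    if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
    const json = await res.json();
    // expires_in is a lifetime in seconds; keep an absolute deadline with a 30 s safety margin
    this.tokens = {
      accessToken: json.access_token,
      refreshToken: json.refresh_token,
      expiresAt: this.now() + (json.expires_in - 30) * 1000,
    };
    return this.tokens;
  }

  // Step 2/3: password grant with the user's credentials.
  login(username, password) {
    return this.tokenRequest({ grant_type: 'password', username, password, scope: '' });
  }

  // Step 4, expired case: refresh_token grant using the stored refresh token.
  refresh() {
    return this.tokenRequest({ grant_type: 'refresh_token', refresh_token: this.tokens.refreshToken, scope: '' });
  }

  // Step 4: call any API endpoint with "Authorization: Bearer <access_token>", refreshing first if needed.
  async fetch(path, init = {}) {
    if (!this.tokens) throw new Error('not logged in');
    if (this.now() >= this.tokens.expiresAt) await this.refresh();
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${this.tokens.accessToken}`, Accept: 'application/json' };
    return this.http(`${this.baseUrl}${path}`, { ...init, headers });
  }
}
```

Because the client secret travels in every token request, this is the trade-off raised later in the thread about shipping that secret inside a browser app.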
@etelford Is there anyway we can login via API externally without using client secret as if it was an Auth-as-a-Service?... Presuming that it's not a good idea to expose client-secret in SPA in JS like an Angular App.
You need something to exchange with the Auth Service that first authorizes the initial login and then authorizes subsequent requests.
Short of performing a login on each request using the user's username/email and password (which is a terrible idea!), there aren't really much choices that I know of.
As for 3rd party solutions...maybe something like Firebase?
@etelford, thanks for your detailed reply!
The question however was focused on the parts that Passport does not cover: signup, change password, recover account. How have you implemented this? By overriding the controllers generated by make:auth?
I get it now, so by using this method, the user can stay logged in to the server resources via his app until the token expires, otherwise without that, the user will have to log in each time to access the resources, is that right?
Hi @etelford! I am in the same situation as @sandervanhooft but I think I have less knowledge about how this is working.
I can't understand how I should check on each new request, after login, the access_token on backend, to be the same all the time with the one saved on the database.
It is related to your 4th point when you say "you use the access_token retrieved in Step 3". But how to use it on the backend?
"4. Now when you hit any other API endpoints in your app, you use the access_token retrieved in Step 3. If the access_token is expired, then you'll need to send another POST request to /oauth/token, but this time as a refresh_token grant_type (https://laravel.com/docs/master/passport#refreshing-tokens)."
My steps: From React I do a login request to the Laravel backend where, from auth/token with password grant, I get: access_token, refresh_token and expiration date. I send the access_token to the frontend where I set the Authorization header as Bearer [access_token generated] so it can be used on a new request for authorization.
My problem: A second request will be to get a list of Customers (only for logged in users). This new request will have the header Authorization Bearer [access_token just received], but when the request reaches the backend how do I check if this access_token is the same as the one auth/token inserted into the oauth_access_tokens database table? How will the server know it is the right access_token?
Thanks!
Any update on this? I don't understand how to combine the make:auth routes (LoginController, RegisterController,... in the Controllers/Auth folder) with Passport. The Passport documentation explains everything about clients and tokens but does not consider the sign up/sign in.
As far as I understand, it seems that the Controllers/Auth are intended to be used with the session guard (web middleware) and that's where I am stuck. I am starting to believe I should not use these Controllers if I want a 100% JSON sign up/sign in process.
Am I right?
Thanks!