What are the best practices for api authentication for B2B?

Laravel Passport offers different ways to authenticate. For B2B I would probably use the Password Grant Client approach

So the party that integrates get's the client_id and client_secret. They can use that to retrieve an access_token and refresh_token. They can use it until the token is expired and then they need to request a new token.

Documentation: https://laravel.com/docs/7.x/passport#password-grant-tokens

@bobbybouwmann thank you so much for your suggestion, I have a another question, is there a way we can configure the access_token expiry per client base. So that I can set the token expiry different for each client.

I believe Passport doesn't offer that by default, but you can change the value of the expiration date in the database.

DB::table('oauth_access_tokens')
    ->where('id',$token->token->id)
    ->update(['expires_at'=>Carbon::now()->addDays(1)]);

Something like that should work in most cases ;)

@bobbybouwmann is there anyway we can assign a Password Grant Tokens to a particular a user? Because I wanna have control over who own the client_id and client_secret and I should be able to revoke it.

@lnb596844 The access token itself is connected to the user. You need to use a grand that actually uses that access token.

@bobbybouwmann Sorry, I must have not explained correctly. I meant, can we manage the client_id and client_secret per user basis. so where I can list out all the client_id and client_secret keys along with user details to whom the client_id and client_secret were assigned.

I want to manually revoke the client_id and client_secret details, because I'm building some kind of subscription system. If client doesn't pay the amount I want to revoke access to it.

The client_id and client_secret are stored in a table that is also connected to the user. You already have this data available. You can simply set the revoked column to 1 to revoke a client secret. Check the oauth_clients table

@bobbybouwmann thanks for your time. yes, but when I create the password grant token using php artisan passport:client --password it won't take the user_id, so this is where I got confused on how to assign user_id to the client_id and client_secret. Is there any alternative to generate client_id and client_secret along with user_id?

Aah. The password grant is not meant for this. The idea is for example that you have a mobile app that authenticates with your application. The mobile app knows the client_id and client_secret. Then the users log in my providing the user name and password. All of that data is send to your API which checks it and returns the access token. So a password grant is not connected to a specific user.

If you want to connect the token directly to the user you need to use this

php artisan passport:client --user_id=5

This is also called the public client: https://laravel.com/docs/7.x/passport#code-grant-pkce

@bobbybouwmann thanks, so, previously you suggested password grant token is good for B2B use-case, now as I can't assign this to user_id, can you suggest an alternative for my scenario where any third party website who consumes the api, that would be much appreciated.

Well, what you wanted should work with the password grant, but you also want to connect it to a user which is not possible.

@bobbybouwmann Then how can we revoke the token when the client subscription ends?