
classicalguss

Why do you need PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET?

I am checking Laravel's documentation on Passport's personal access token grant. First of all, I'm still not entirely sure what the purpose of this grant is, since I can use the Password grant to simply issue tokens.

But more importantly, why do I need to put these values in my .env?

PASSPORT_PERSONAL_ACCESS_CLIENT_ID="client-id-value"
PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET="unhashed-client-secret-value"

I have tried not putting them in and followed the rest of the tutorial in that section, and it's giving me tokens just fine. So where do these values come into play?

0 likes
5 replies
colq2

You need them to create a personal access token and to define which OAuth client is used for it. You can create multiple personal access clients. If you don't set the envs, Passport is going to use the first personal access client.

The ClientRepository is registered in the PassportServiceProvider in the package, and it takes the values from the config: https://github.com/laravel/passport/blob/e543cf751b97b14e16167a550a6ab763070f3f91/src/PassportServiceProvider.php#L278

Here the client is resolved: https://github.com/laravel/passport/blob/e543cf751b97b14e16167a550a6ab763070f3f91/src/ClientRepository.php#L113

For easy readability:

public function personalAccessClient()
{
    // An explicit id from config (PASSPORT_PERSONAL_ACCESS_CLIENT_ID) wins.
    if ($this->personalAccessClientId) {
        return $this->find($this->personalAccessClientId);
    }

    // Otherwise fall back to the personal access clients recorded in the database.
    $client = Passport::personalAccessClient();

    if (! $client->exists()) {
        throw new RuntimeException('Personal access client not found. Please create one.');
    }

    // Newest record by primary key is used.
    return $client->orderBy($client->getKeyName(), 'desc')->first()->client;
}
classicalguss

@colq2 Thank you for the response. Still, I tried putting an invalid PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET and a valid PASSPORT_PERSONAL_ACCESS_CLIENT_ID, and the tokens were working. I noticed, though, that if we use Passport::hashClientSecrets(), then Passport will actually go to the database to fetch the token, rather than load through the id only, which forces validation and prints "Client authentication failed".
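To make the two behaviours discussed above concrete (colq2's description of how the personal access client is resolved from config or falls back to the newest record, and classicalguss's observation that a wrong secret is only rejected once something actually validates it), here is an added standalone PHP model. It is not Passport's code: the class and method names (PersonalAccessClientResolver, resolve, checkSecret) and the sample oauth_clients rows are constructed for illustration. Resolution by id never touches the secret; the secret is only checked by an explicit compare, which is why a bogus PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET can sit in .env unnoticed.

```php
<?php
// Added example, not part of laravel/passport. Models the resolution of the
// personal access client and an explicit secret check, for plaintext and
// hashed secret storage. Names and sample data below are assumptions.
declare(strict_types=1);

// Constructed stand-in for an oauth_clients table (two personal access clients
// and one password grant client).
$oauthClients = [
    ['id' => 1, 'name' => 'Old personal client',   'secret' => 'plain-secret-1', 'personal_access_client' => true],
    ['id' => 2, 'name' => 'New personal client',   'secret' => 'plain-secret-2', 'personal_access_client' => true],
    ['id' => 3, 'name' => 'Password grant client', 'secret' => 'plain-secret-3', 'personal_access_client' => false],
];

final class PersonalAccessClientResolver
{
    /** @param array<int, array<string, mixed>> $clients */
    public function __construct(
        private array $clients,
        private ?int $configuredId,   // PASSPORT_PERSONAL_ACCESS_CLIENT_ID, or null when unset
        private bool $hashesSecrets   // true after Passport::hashClientSecrets()
    ) {}

    // Same branching as the quoted ClientRepository::personalAccessClient():
    // an explicit configured id wins; otherwise take the newest personal
    // access client by id. The secret is never consulted here.
    public function resolve(): array
    {
        if ($this->configuredId !== null) {
            foreach ($this->clients as $client) {
                if ($client['id'] === $this->configuredId) {
                    return $client;
                }
            }
            throw new RuntimeException("Personal access client {$this->configuredId} not found.");
        }

        $personal = array_filter($this->clients, fn (array $c) => $c['personal_access_client']);
        if ($personal === []) {
            throw new RuntimeException('Personal access client not found. Please create one.');
        }
        usort($personal, fn (array $a, array $b) => $b['id'] <=> $a['id']);
        return $personal[0];
    }

    // Explicit secret validation: constant-time compare for plaintext storage,
    // password_verify() for hashed storage. A wrong secret is only detected
    // when a code path calls this.
    public function checkSecret(string $presented, array $client): bool
    {
        return $this->hashesSecrets
            ? password_verify($presented, $client['secret'])
            : hash_equals($client['secret'], $presented);
    }
}

// Scenario from the thread: valid id in .env, invalid secret in .env.
$envId     = 2;
$envSecret = 'definitely-wrong';

$plain  = new PersonalAccessClientResolver($oauthClients, $envId, false);
$client = $plain->resolve();
printf("plaintext store: resolved client %d by id alone; secret valid? %s\n",
    $client['id'], $plain->checkSecret($envSecret, $client) ? 'yes' : 'no');

// Same rows with bcrypt-hashed secrets, as after Passport::hashClientSecrets().
$hashedRows = array_map(
    fn (array $c) => ['secret' => password_hash($c['secret'], PASSWORD_BCRYPT)] + $c,
    $oauthClients
);
$hashed = new PersonalAccessClientResolver($hashedRows, $envId, true);
$client = $hashed->resolve();
printf("hashed store: wrong secret valid? %s; correct secret valid? %s\n",
    $hashed->checkSecret($envSecret, $client) ? 'yes' : 'no',
    $hashed->checkSecret('plain-secret-2', $client) ? 'yes' : 'no');

// No id configured: newest personal access client (id 2) is chosen, never the
// password grant client.
$fallback = (new PersonalAccessClientResolver($oauthClients, null, false))->resolve();
printf("fallback without env: client %d (%s)\n", $fallback['id'], $fallback['name']);
```

A practical check before relying on these env values: compare PASSPORT_PERSONAL_ACCESS_CLIENT_ID against the id column of your oauth_clients table and make sure that row is a personal access client; if the secret in .env is stale and you ever enable hashed secrets, token issuance will start failing with "Client authentication failed" rather than silently working as it did before.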

jlrdw

Also, did you see this in the documentation:

This documentation assumes you are already familiar with OAuth2. If you do not know anything about OAuth2, consider familiarizing yourself with the general terminology and features of OAuth2 before continuing.

A suggestion is to stay well informed on the latest security measures, including OAuth2, Laravel, any packages you use, and PHP as well. Also read about the latest file upload vulnerabilities.

I suggest subscribing to a service to keep you updated.

1 like
