
thewebartisan7

Socialite Token

I would like to know how you are using the socialite token given by providers.

I mean this:

Socialite::driver('github')->user()->token

or in case of OAuth One where we have also tokenSecret:

Socialite::driver('twitter')->user()->tokenSecret and Socialite::driver('twitter')->user()->token

I see that we can obtain user using:

$user = Socialite::driver('github')->userFromToken($token);

or with OAuth One:

$user = Socialite::driver('twitter')->userFromTokenAndSecret($token, $secret);

I understand that the token is something that should not be exposed, so if I store it in the database and in the session, I would use the Laravel decrypt() / encrypt() helpers.

Is it considered safe to use this by allowing, say, a remember-me checkbox that the user can tick on a safe computer?

So, if the user wants it, each time they enter the website I check whether the (encrypted) token exists, then look up that token in the database, and if it exists, I log them in automatically.

Can it be used in this way? Or am I exposed to a security issue?

Thanks

0 likes
7 replies
bobbybouwmann

Yes, this is correct! The idea is that the user is logged in at, for example, Facebook. So you can use that token to log them in again. If that fails then the user should be logged out because they removed the token from that platform.

1 like
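One way to implement the re-login check bobbybouwmann describes, as an added example written for this thread rather than code from any of the posts: the provider token is kept encrypted at rest, re-validated with the provider every time the user returns (a database match alone is not trusted), and discarded as soon as the provider rejects it. The `SocialReauth` class, the `users` columns and the OAuth2-only `userFromToken` call are my assumptions; an OAuth1 provider such as Twitter would use `userFromTokenAndSecret` instead.

```php
<?php
// Assumed schema: users.provider, users.provider_id, users.provider_token, with the
// User model declaring `protected $casts = ['provider_token' => 'encrypted'];`.

namespace App\Services;

use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Facades\Socialite;
use Throwable;

class SocialReauth
{
    /**
     * Log $user in again only if the provider still accepts the stored token.
     * A token the provider rejects is discarded so it is never retried.
     */
    public function attempt(User $user): bool
    {
        if ($user->provider_token === null) {
            return false;
        }

        try {
            // The provider, not the local database, decides whether the
            // token is still valid (revoked or expired tokens fail here).
            $providerUser = Socialite::driver($user->provider)
                ->userFromToken($user->provider_token);
        } catch (Throwable $e) {
            $this->forget($user);
            return false;
        }

        // The account the token resolves to must be the one stored locally.
        if ((string) $providerUser->getId() !== (string) $user->provider_id) {
            $this->forget($user);
            return false;
        }

        Auth::login($user, true); // second argument enables "remember me"
        return true;
    }

    private function forget(User $user): void
    {
        $user->forceFill(['provider_token' => null])->save();
        Auth::logout();
    }
}
```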
robertkabat

Hey Guys,

I know it is an old topic but... How exactly do you use these tokens? I mean, I have an SPA which, via a Laravel backend and Socialite, obtains a user from Google. Now that I can have a token and a refresh token, do I just save them to the DB?

E.g. Passport handles token expiration and such. How do I take care of that with Socialite?

If my endpoints are protected via Passport, how do I use the Socialite Google token against them?

thewebartisan7

@robertkabat you can save the token in the DB, but save it encrypted for security reasons, see https://security.stackexchange.com/questions/72475/should-we-store-accesstoken-in-our-database-for-oauth2

Technically you can store the access token in your database, and use it for API calls until it expires. It might be more trouble than it's worth, though.

For one thing, as Jonathan notes in his comment above, now you have to worry about securing your database and the data in it - these tokens give access to some fairly privileged information about your users. Of course, simply storing the token in session storage might put it on disk too, depending on your session configuration. It's a good idea to keep it encrypted while you're not using it.

Your proposed scenario about the user clearing cookies and coming back is also an issue. You could take the access token from the database and stick it back into their cookies, but before you do that, you have to make sure they are who they say they are - and now you have to do another layer of passwords just to give them access to the token they already gave you.

You're probably better off simply re-doing the authorization flow when they come back and click the login button again. It's not that expensive. But if that truly is a showstopper for you, then storing the token is an option. You'll just have to be really careful about working through all the associated issues.

thewebartisan7

@robertkabat Anyway, I just noticed now that you mention Passport. If your users log in with Socialite, then they are not using Passport. Passport is your own OAuth, while Socialite provides third-party OAuth.

robertkabat

@thewebartisan7 Hey, thanks for the quick answer. I know they are different things. I was wondering how to handle what happens after retrieving the user from Google via Socialite.

When a user goes for the normal email/password login I handle that with Passport (auth code grant with PKCE).

Since my API works with Passport, after retrieving the user with Socialite I would have to create a Passport token - the problem is I have absolutely no clue how to create a Passport refresh token manually.

thewebartisan7

@robertkabat I understand. You can create a token after retrieving the user from Socialite. See https://laravel.com/docs/9.x/passport#managing-personal-access-tokens

use App\Models\User;
use Laravel\Socialite\Facades\Socialite;

$socialUser = Socialite::driver('google')->user();
// or if you already have a $token
$socialUser = Socialite::driver('google')->userFromToken($token);
// or, in your case, I suppose it is stateless
$socialUser = Socialite::driver('google')->stateless()->user();

// Socialite returns a provider user object, not an Eloquent model, so map it
// to your own User record first (matching on email here is an assumption).
$user = User::firstOrCreate(
    ['email' => $socialUser->getEmail()],
    ['name' => $socialUser->getName()]
);

// Creating a Passport token without scopes...
$token = $user->createToken('Token Name')->accessToken;

// Creating a Passport token with scopes...
$token = $user->createToken('My Token', ['place-orders'])->accessToken;

Or why not just use the Laravel Passport Socialite driver? https://socialiteproviders.com/Laravel-Passport/#installation-basic-usage
