Laravel Passport code grant flow
This week I've been updating our OAuth2 flow for the SPA with Laravel Passport, since the password grant token is not recommended because you can't hide the client_secret.
For this reason we've decided to switch over to the "Authorization Code Grant with PKCE" (/docs/9.x/passport#code-grant-pkce). We're using Nuxt with the auth module (auth.nuxtjs.org), which is configured like this:
auth: {
  redirect: {
    login: '/auth/login',
    logout: '/auth/logout-success',
    callback: '/auth/callback',
    home: '/dashboard',
  },
  strategies: {
    oauth2: {
      scheme: 'oauth2',
      endpoints: {
        authorization: `${process.env.AUTH_BASE_URL}authorize`,
        token: `${process.env.AUTH_BASE_URL}token`,
        logout: `${process.env.SPA_API_BASE_URL}auth/logout`,
        userInfo: `${process.env.SPA_API_BASE_URL}auth/me`,
      },
      responseType: 'code',
      grantType: 'authorization_code',
      accessType: 'offline',
      clientId: process.env.OAUTH_CLIENT_ID,
      scope: '*',
      codeChallengeMethod: 'S256',
    },
  },
},
What I find confusing is that the logout request that is being sent does not include the Authorization header (with Bearer ...). Does that mean that it's only supposed to go as a web route and therefore log out the user's session that was set during the login phase to gather the code (oauth_auth_codes table in the database), which is needed to grab an access_token and refresh_token?
I assume the access_token and refresh_token have to be revoked to ensure somebody else could not use them if they could collect them somehow.
Another confusing/weird thing for me is that the session lifetime will probably be lower (by default 120 minutes in Laravel's config/session.php) than the token's lifetime (which is by default one year according to the docs: /docs/9.x/passport#token-lifetimes), resulting in the user already being logged out by exceeding the session limit while still having a valid access/refresh token.
Either I'm missing some crucial part or I've misconfigured something, but for me (with the current implementation), I'm confused a lot!