
rahimlis

Laravel 5.3 Rest API login

I am having trouble attempting to create a login for a REST API using Laravel 5.3. I created a Student model which extends User; it has email and password (in the migration).

These are the guards (I have changed the provider to students):

  'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'token',
        'provider' => 'students'
    ],
],

And these are the providers:

'providers' => [
    'users' => [
        'driver' => 'eloquent',
        'model' => App\User::class,
    ],

    'students' => [
        'driver' => 'eloquent',
        'model' => App\Student::class,
    ],


    'teachers' => [
        'driver' => 'eloquent',
        'model' => App\Teacher::class,
    ],
],

I want to make a login API (REST) using the student's credentials. If the login is successful, the server should return the student's personal information. I have searched Laracasts a lot but didn't find anything similar, and there are a lot of changes in the new version, so I am confused.

Student login function:

public function login(Request $request){

    if (Auth::check(['email' => $request->email, 'password' => $request->password])) {
        //$student = Student::where('email',$request->email)->first();
        $student = Auth::user();
        $student->api_token = str_random(60);
        $student->save();
        return response([
            'status' => Response::HTTP_OK,
            'response_time' => microtime(true) - LARAVEL_START,
            'student' => $student
        ],Response::HTTP_OK);
    }

    return response([
        'status' => Response::HTTP_BAD_REQUEST,
        'response_time' => microtime(true) - LARAVEL_START,
        'error' => 'Wrong email or password',
        'request' => $request->all()
    ],Response::HTTP_BAD_REQUEST);

}

Neither the Auth::check() method nor the Auth::validate() method works in this case. What can be the problem? How do I implement login for a REST API?

0 likes
2 replies
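An added example, not code from this thread, of how the student login can be written in Laravel 5.3 against the students provider configured above: the api guard uses the token driver, which has no attempt(), so the credentials are checked through the provider directly. The controller name, route, throttle limit and the assumption that student passwords are stored with bcrypt() are mine; api_token is the column the token guard reads.

```php
<?php
// Added example (not the thread's code): REST login checked against the
// 'students' provider from auth.php. Controller name and route are assumed;
// 'api_token' is the column Laravel's 'token' guard looks up.

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Facades\Auth;

class StudentLoginController extends Controller
{
    // Route (assumed): Route::post('student/login', 'Api\StudentLoginController@login')
    //                      ->middleware('throttle:5,1');   // limit credential guessing
    public function login(Request $request)
    {
        // Reject malformed input before any database lookup (422 on failure).
        $this->validate($request, [
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        // The 'api' guard is the token driver, which has no attempt(), so the
        // credentials are checked directly against the 'students' user provider.
        $provider    = Auth::createUserProvider('students');
        $credentials = $request->only('email', 'password');

        $student = $provider->retrieveByCredentials($credentials);

        // One generic message for unknown email and wrong password alike,
        // so the endpoint does not reveal which accounts exist.
        if ($student === null || ! $provider->validateCredentials($student, $credentials)) {
            return response()->json(['error' => 'Wrong email or password'], Response::HTTP_UNAUTHORIZED);
        }

        // Fresh random token per login; TokenGuard matches it against api_token,
        // so overwriting it also invalidates the previous token.
        $student->api_token = str_random(60);
        $student->save();

        // Return the token once; strip the password hash from the response.
        return response()->json([
            'token'   => $student->api_token,
            'student' => array_except($student->toArray(), ['password', 'api_token', 'remember_token']),
        ], Response::HTTP_OK);
    }
}
```

Subsequent requests send the token as `Authorization: Bearer <token>` (or `?api_token=`) to routes behind `auth:api`; the 5.3 token guard compares the raw value in api_token, so that column must be protected like a password.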
changalberto

What would be a recommended way in Laravel 5.3 to build an Auth-as-a-Service style API for authentication that is CORS compatible?

Please correct me if I'm wrong, but it seems to me that the Passport "Password Grant" strategy requires that the user pass in a client-id and client-secret along with username and password to get properly authenticated and receive a JWT token to start consuming the API as a first-party client. I presume that it is a very bad idea to expose the client-secret via an SPA such as an AngularJS application.

What would be a good way to get authenticated via JWT without exposing the client-secret?

RichardStyles

I've been trying to do something similar using laravel/passport and finally figured out how to log in properly to obtain the keys for the main app.

You need to use the POST route for "oauth/token", making sure you specify the grant_type in the request. This assumes you have set up Laravel/Passport and created at least one user.

There is a post on Laravel News by Mohamed Said which explains more: https://laravel-news.com/2016/08/passport-grant-types/ under "Authorizing first-party apps".

The grant_type is a standard option in OAuth to obtain the keys for a parent app.

If you send a POST request to https://domain.dev/oauth/token with the following params:

username -> the user's email
password -> the user's password
grant_type -> "password"
client_id -> (look in your DB in the oauth_clients table for "Laravel Password Grant Client" for the id - usually = 2)
client_secret -> (look in your DB in the oauth_clients table for "Laravel Password Grant Client" for the secret)

Provided all these are entered right, and if you've got it wrong I had some helpful errors shown to point me in the right direction (Thanks Taylor).

@changalberto I also do not want to leak my client_secret. For my login I will call this from the server side, accepting only the username and password. The login controller will then add the secret so it is not held on the client side. An "internal" request is sent, and its response is what will be output to the user.

Hopefully this might be useful, I spent a rainy Sunday afternoon reading up on OAuth and eventually stumbled on the grant_type request.

[edit] I finally figured out a login wrapper to return the API tokens, which I put up here for code review: https://laracasts.com/discuss/channels/code-review/api-authentication-with-passport

1 like
