proelitesunny's avatar

Laravel Passport: Custom API for Authorizing third party clients

In my application, I am using Passport for Authentication. I have created a Password grant client for generating access tokens for our mobile and web app.

Now I have to add a third-party client that can access some of our resources. For this, I created a client.

Now, for a user to authorize this third-party client to access the resources on his behalf, he has to come to our website, log in, and then authorize the client to get the authorization code. I want to do this in our own web app. For that, I need to create an API that receives client_id, client_secret, grant_type, redirect_url, scopes, etc. in the request and returns the authorization code.

But nowhere do I see an option to create a custom API for generating the authorization code?

-- Updated

Basically, Passport has a dedicated view for authorizing and generating the authorization code. I want to do it through an API. This API will be available for our web apps.

martinbean's avatar

@proelitesunny Passport is an OAuth server implementation. You use it to return OAuth tokens to clients.

I really don’t follow what you’re actually trying to do, but it sounds like you’re not using OAuth in any way it’s actually intended to be used.

You should also not be using password grant clients, as they’re disallowed in the latest OAuth specs.

proelitesunny's avatar

@martinbean I am implementing OAuth only. Passport has a dedicated view for authorizing third-party clients to access users' data. I want to override that and provide an API to our web apps (first-party clients) to authorize.

martinbean's avatar

> I want to override that and provide an API to our web apps (first-party clients) to authorize.

@proelitesunny This makes no sense.

You provide the API. Passport (OAuth) is just a mechanism for obtaining tokens to authorise the user to make API requests. You don’t “override” any part of Passport.

Obtain a token. Use the token in requests to your API. That’s all you need to do.

martinbean's avatar

@proelitesunny No, you don’t. That’s not how OAuth works.

You’re redirected to the OAuth server. User logs in and approves request on that server. They’re then redirected back to your Vue client.

You should be using an Authorization Code grant with PKCE client for this:

> The Authorization Code grant with "Proof Key for Code Exchange" (PKCE) is a secure way to authenticate single page applications
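
The redirect-based flow recommended in the last reply, sketched for a browser client as an added example that is not part of the original thread or of Passport's own code. It assumes Passport's standard `/oauth/authorize` and `/oauth/token` routes; the function names, host, client id and redirect URI are hypothetical placeholders.

```javascript
// Web Crypto is global in browsers and current Node; fall back to node:crypto otherwise.
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// base64url without padding, as RFC 7636 requires for verifier and challenge.
function base64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// 32 random bytes -> 43-character token, used for both code_verifier and state.
async function randomToken() {
  const c = await getCrypto();
  return base64url(c.getRandomValues(new Uint8Array(32)));
}

// code_challenge = BASE64URL(SHA-256(code_verifier))
async function codeChallenge(verifier) {
  const c = await getCrypto();
  const digest = await c.subtle.digest('SHA-256', new TextEncoder().encode(verifier));
  return base64url(new Uint8Array(digest));
}

// Step 1: build the redirect to the authorization server. The caller stores
// verifier and state (for example in sessionStorage) until the callback.
async function beginAuthorization({ authServer, clientId, redirectUri, scope }) {
  const verifier = await randomToken();
  const state = await randomToken();
  const url = new URL('/oauth/authorize', authServer);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: clientId, redirect_uri: redirectUri, scope, state,
    code_challenge: await codeChallenge(verifier), code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), verifier, state };
}

// Step 2: on the callback, reject a mismatched state before touching the code,
// then build the POST body for /oauth/token. There is no client_secret: the
// public client proves it started the flow by presenting code_verifier.
function tokenRequestBody(callbackUrl, saved, { clientId, redirectUri }) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('state') !== saved.state) throw new Error('state mismatch');
  if (!params.get('code')) throw new Error(params.get('error') ?? 'missing code');
  return new URLSearchParams({
    grant_type: 'authorization_code', client_id: clientId, redirect_uri: redirectUri,
    code_verifier: saved.verifier, code: params.get('code'),
  });
}
```

The user still logs in and approves the request on the authorization server's own page; the client only ever sees the resulting code, which is useless to anyone who does not also hold the verifier.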
