
Nite

Laravel Passport and PKCE authentication - Do you need a session for the user to login?

I set up a PKCE authentication system for an API using Laravel Passport. At the moment this API is used by a SPA.

The authentication flow is the following:

  1. User clicks on "login" on the SPA

  2. User is redirected to the API /oauth/authorize endpoint (with all the PKCE required parameters)

  3. Now, that API endpoint requires the user to be authenticated. So the login page is shown (it's a PHP Laravel-served view)

  4. The user logs in, clicks on authorize, and is redirected to the callback URL of the SPA, which will then send a request to obtain the JWT token.

  5. From this point all communication from the SPA and the API will use the JWT token only.

Everything works. Except I now have a few doubts.

Is it correct for the login on step 3 to be session-based? To set that up I simply used Laravel UI, which provides an already set-up login functionality, which is session-based.

If I visit the API login page again, by its own URL, I am actually logged in (which is normal). Of course if I log out from that page (it also has a logout button), I can still use the SPA normally, as I still have my JWT token which is used by Passport.

Should I refactor the login function of Laravel UI to not start a session? Or maybe log the user out in some way after the redirect to the SPA callback URL?

Thanks

Hesesses

Did you ever solve this? I'm having the same problem.

Nite

@Hesesses This is what I ended up doing: First of all, I whitelisted my SPA to make sure the login didn't ask for the authorize step every time. Then, I left the login untouched, but I did refactor the logout on the SPA to also make an API call to log out on the Laravel API side (to log out the SPA I simply cleared the JWT).

To better understand the setup, you should think of your Laravel API as "Google", and your SPA as having a "login with Google" functionality. So to achieve that you'd have to log in to your Google account, and authorize your app.

I don't have the code at hand right now, but if you need further help I'll look into it. Good luck!

Hesesses

@Nite Thank you very much for the reply.

I have the login form (/oauth/authorize redirect) as a Laravel view; it creates a session on the server (and the OAuth flow returns the JWT etc.).

When I try to log out (API call with JWT from a microservice), I can get tokens etc. deleted, but the session still remains active on the server.

So the problem is how to get rid of the session on the Passport server, so that when accessing the /oauth/authorize endpoint, it does not log in automatically after you have logged out.

Nite

@Hesesses Alright, on your SPA, you set up a redirect to a GET route on your Laravel backend that you call when the user logs out from the SPA (say it's /oauth/logout). This route should call a method (which you can put in AuthController if you want, or wherever) that does the following:

    /**
     * Ends the Passport server's own (web guard) session, so a later visit to
     * /oauth/authorize shows the login page again instead of auto-approving.
     */
    public function apiLogout(Request $request)
    {
        \Auth::guard('web')->logout();

        // Drop the session data and rotate the session id and CSRF token, so the
        // old session cookie cannot be reused after logout.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        $logoutUri = $request->query('logout_uri');

        // Only follow logout_uri when it is one of the SPA URLs you trust
        // (auth.allowed_logout_uris is a config key you add yourself); redirecting
        // to an unchecked query value would make this route an open redirect.
        if ($logoutUri && in_array($logoutUri, config('auth.allowed_logout_uris', []), true)) {
            return response()->redirectTo($logoutUri);
        }

        $theme = $request->query('theme', 'dark');
        return \Redirect::route('home', ['theme' => $theme]);
    }

This will log the user out from the Laravel API as well.
