Using laravel passport to authenticate client to access your API

June 10, 2020·4 min read
Using laravel passport to authenticate client to access your API - codementor.tech

Today we are going to explain,

  • How you can create a client credentials using Laravel Passport command.
  • How you can call oauth/token to create a token using client request.
  • How you can use client middleware.

To get started, install Passport via the Composer package manager, while in your /api directory:

Composer
composer require laravel/passport

The Passport service provider registers its own database migration directory with the framework, so you should migrate your database after registering the provider. The Passport migrations will create the tables your application needs to store clients and access tokens:

php artisan migrate

Next, you should run the passport:install command. This command will create the encryption keys needed to generate secure access tokens. In addition, the command will create "personal access" and "password grant" clients which will be used to generate access tokens:

php artisan passport:install

After running this command, add the Laravel\Passport\HasApiTokens trait to your App\Usermodel. This trait will provide a few helper methods to your model which allow you to inspect the authenticated user's token and scopes:

Laravel
<?php
namespace App;

use Laravel\Passport\HasApiTokens;
use Illuminate\Notifications\Notifiable;
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;
}

Next, you should call the Passport::routes method within the boot method of your AuthServiceProvider. This method will register the routes necessary to issue access tokens and revoke access tokens, clients, and personal access tokens:

<?php
namespace App\Providers;

use Laravel\Passport\Passport;
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
        'App\Model' => 'App\Policies\ModelPolicy',
    ];
    /**
     * Register any authentication / authorization services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();
        Passport::routes();
    }
}

Finally, in your config/auth.php configuration file, you should set the driver option of the api authentication guard to passport. This will instruct your application to use Passport's TokenGuard when authenticating incoming API requests:

auth.php
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],

The documentation recommends: When deploying Passport to your production servers for the first time, you will likely need to run the passport:keys command. This command generates the encryption keys Passport needs in order to generate access token. The generated keys are not typically kept in source control:

passport
php artisan passport:keys

That command will generate these files:

api/storage/oauth-private.key
api/storage/oauth-public.key

Make sure they are actually generated. If they are not, this authorization scheme won’t work. The default .gitignore file Laravel uses will not include these files in your repo, so you will need to generate in different environments.

Token Lifetimes

By default, Passport issues long-lived access tokens that expire after one year. If you would like to configure a longer / shorter token lifetime, you may use the tokensExpireIn and refreshTokensExpireIn methods. These methods should be called from the boot method of your AuthServiceProvider:

/**
 * Register any authentication / authorization services.
 *
 * @return void
 */
public function boot()
{
    $this->registerPolicies();
    Passport::routes();
    Passport::tokensExpireIn(now()->addDays(15));
    Passport::refreshTokensExpireIn(now()->addDays(30));
}

The passport:client Command

The simplest way to create a client (aka API key), which will access your API, is using the passport:client artisan command. This command may be used to create your own clients for testing your OAuth2 functionality. When you run the client command, Passport will prompt you for more information about your client and will provide you with a client ID and secret. It should be noted, the client ID needs to be an integer. Trying to use a string will throw an error:

php artisan passport:client --client

Next, to use this grant type, you need to add the CheckClientCredentials middleware to the $routeMiddleware property of your app/Http/Kernel.php file:

use Laravel\Passport\Http\Middleware\CheckClientCredentials;
protected $routeMiddleware = [
    'client' => CheckClientCredentials::class,
];

Go to a controller whose routes you wish to control and attache the middleware:

public function __construct()
{
    $this->middleware('client');
}

Now it is time to prove this works. You’ll need a tool to test your API.

From the step above, you should have saved a client id and a secret string. You will need that to generate a token by sending a POST to /oauth/token with the following formData/JSON:

Method: POST

EndPoint: http://127.0.0.1:8080/oauth/token OR http://<virtualhost-name>/oauth/token

  • grant_type -> client_credentials
  • client_id -> 1
  • scope -> *
  • client_secret -> client_secret

when you hit the above api the response you will get as shown in below:

response
{
    "token_type": "Bearer",
    "expires_in": 1296000,
    "access_token": "token"
}

When making requests to your API, assuming you have attached the middleware to the relevant controllers, you will need to pass the HEADER data in order to be authenticated. And, assuming you followed all of these steps, you should have a properly secured API using Laravel Passport and the client credentials grant.

Happy Coding!

Go back Home.