Laravel Passport – API authentication via OAuth2

Projects Inventory

2 months ago

Laravel Passport is an OAuth2 server implementation for API authentication in Laravel applications. It simplifies the process of securing API endpoints using OAuth2, allowing users to authenticate and obtain access tokens to interact with your API. It’s ideal for projects that require OAuth2 authentication, personal access tokens, or even third-party app authentication.

Key Features of Laravel Passport:

OAuth2 Server: Provides a full OAuth2 implementation, enabling clients to authenticate and interact with your API.
Access Tokens: Issues access tokens (both long-lived and short-lived) for API consumers.

Personal Access Tokens: Allows users to generate personal access tokens that can be used to authenticate against your API.
Authorization Code Grant: Supports OAuth2’s Authorization Code Grant, which is ideal for third-party apps.
Token Scopes: Allows you to assign scopes to tokens to limit API access based on the user’s permissions.
Refreshing Tokens: Supports token refresh functionality to allow clients to maintain long-lived sessions.
Implicit Grant: Allows simple apps to obtain tokens directly without an authorization code.

Installation

To install and configure Laravel Passport, follow these steps:

Install Laravel Passport: Use Composer to install Laravel Passport:

composer require laravel/passport

1

composer require laravel/passport
Run Migrations: Passport comes with a set of migrations that create the tables needed to store OAuth2 data (clients, tokens, etc.). Run the migrations:

php artisan migrate

1

php artisan migrate
Install Passport: After running the migrations, you need to install Passport using the install command, which will generate encryption keys and create the necessary Passport clients:

php artisan passport:install

1

php artisan passport:install

This command will output the client ID and client secret for both the Personal Access Client and Password Grant Client, which will be used for API authentication.
Add HasApiTokens Trait: In the User model (app/Models/User.php

Advertisement

), you need to add the HasApiTokens trait to enable Passport’s token management functions:

use Laravel\Passport\HasApiTokens; class User extends Authenticatable { use HasApiTokens, Notifiable; }

1
2
3
4
5
6

use Laravel\Passport\HasApiTokens;

class User extends Authenticatable
{
use HasApiTokens, Notifiable;
}

Configure Authentication Guards: In your config/auth.php file, update the api guard driver to use passport:

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
        'hash' => false,
    ],
],

'guards' => [

'web' => [

'driver' => 'session',

'provider' => 'users',

'api' => [

'driver' => 'passport',

'provider' => 'users',

'hash' => false,

Register Passport Routes: In the AuthServiceProvider (app/Providers/AuthServiceProvider.php), call the Passport::routes method within the boot method to register Passport’s routes:

use Laravel\Passport\Passport; public function boot() { $this->registerPolicies(); Passport::routes(); }

1
2
3
4
5
6
7
8

use Laravel\Passport\Passport;

public function boot()
{
$this->registerPolicies();

Passport::routes();
}
Configure Token Lifetimes (Optional): You can configure how long access tokens and refresh tokens are valid. For example, in AuthServiceProvider, you can set the expiration time:

Passport::tokensExpireIn(now()->addDays(15)); Passport::refreshTokensExpireIn(now()->addDays(30));

1
2

Passport::tokensExpireIn(now()->addDays(15));
Passport::refreshTokensExpireIn(now()->addDays(30));
Issue Tokens:
- For Password Grant Tokens, you can use the /oauth/token endpoint to request tokens. You will need to provide the client ID, client secret, username, and password.
- For Personal Access Tokens, users can create tokens directly:
  
  $token = $user->createToken('Token Name')->accessToken;
  
  1
  
  $token = $user->createToken('Token Name')->accessToken;

Authentication Process with Passport:

Personal Access Tokens: Users can generate personal access tokens for API access, which are ideal for situations where the API consumer is the user (such as mobile apps or first-party web applications).

$token = $user->createToken('AppName')->accessToken; return ['token' => $token];

1
2

$token = $user->createToken('AppName')->accessToken;
return ['token' => $token];
Authorization Code Grant: This grant type is typically used when a third-party application requests permission to access the API on behalf of the user. It involves redirecting the user to an authorization page where they approve or deny the app’s access to their data.
Client Credentials Grant: Ideal for machine-to-machine communication where no user is involved. You can issue a client credentials token by providing the client ID and secret:

POST /oauth/token { "grant_type": "client_credentials", "client_id": "client-id", "client_secret": "client-secret" }

1
2
3
4
5
6

POST /oauth/token
{
    "grant_type": "client_credentials",
    "client_id": "client-id",
    "client_secret": "client-secret"
}

Scopes:

You can define scopes to limit the permissions that access tokens grant. For example, an admin can have access to all APIs, but a regular user might only be able to view certain data:

Passport::tokensCan([
   'view-orders' => 'View orders',
   'manage-users' => 'Manage users',
]);

Passport::tokensCan([

'view-orders' => 'View orders',

'manage-users' => 'Manage users',

]);

Summary of Use Cases:

First-party apps (mobile apps, single-page apps) can use personal access tokens.
Third-party apps can use authorization code grants.
Machine-to-machine communication can use the client credentials grant.

Key Features of Laravel Passport:

Installation

Authentication Process with Passport:

Scopes:

Summary of Use Cases:

Related Posts: