Laravel Passport is an OAuth2 server implementation for API authentication in Laravel applications. It simplifies the process of securing API endpoints using OAuth2, allowing users to authenticate and obtain access tokens to interact with your API. It’s ideal for projects that require OAuth2 authentication, personal access tokens, or even third-party app authentication.
Key Features of Laravel Passport:
- OAuth2 Server: Provides a full OAuth2 implementation, enabling clients to authenticate and interact with your API.
- Access Tokens: Issues access tokens (both long-lived and short-lived) for API consumers.
- Personal Access Tokens: Allows users to generate personal access tokens that can be used to authenticate against your API.
- Authorization Code Grant: Supports OAuth2’s Authorization Code Grant, which is ideal for third-party apps.
- Token Scopes: Allows you to attach scopes to tokens so a client receives only a subset of the access the user could grant (for example read-only access to orders), rather than the user's full permissions.
- Refreshing Tokens: Supports token refresh functionality to allow clients to maintain long-lived sessions.
- Implicit Grant: Allows simple apps to obtain tokens directly from the authorization endpoint without an authorization code. It is disabled unless you call Passport::enableImplicitGrant(), and it is deprecated in OAuth 2.1 because the access token is exposed in the redirect URL; prefer the authorization code grant with PKCE.
Installation
To install and configure Laravel Passport, follow these steps:
- Install Laravel Passport: Use Composer to install Laravel Passport:

```shell
composer require laravel/passport
```

- Run Migrations: Passport ships with migrations that create the tables needed to store OAuth2 data (clients, access tokens, refresh tokens, authorization codes). Run them:

```shell
php artisan migrate
```

- Install Passport: After running the migrations, run the install command. It generates the key pair Passport uses to sign and verify access tokens (storage/oauth-private.key and storage/oauth-public.key) and creates the default Passport clients:

```shell
php artisan passport:install
```

This command prints the client ID and client secret for both the Personal Access Client and the Password Grant Client, which are used for API authentication. Treat each secret like a password: copy it into your secret store, never into the repository, and keep the private key out of version control and readable only by the web server user.
- Add HasApiTokens Trait: In the User model (app/Models/User.php), add the HasApiTokens trait to enable Passport's token management functions:

```php
<?php

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Passport\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;
}
```

- Configure Authentication Guards: In your config/auth.php file, set the api guard's driver to passport (the hash option that appears in the default file belongs to the legacy token driver and has no effect here):

```php
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],
```

- Register Passport Routes: In the AuthServiceProvider (app/Providers/AuthServiceProvider.php), call the Passport::routes method within the boot method to register Passport's routes. This step applies to Passport 10 and earlier; from Passport 11 the routes are registered automatically and Passport::routes no longer exists, so skip it there:

```php
use Laravel\Passport\Passport;

public function boot()
{
    $this->registerPolicies();

    Passport::routes();
}
```

- Configure Token Lifetimes (Optional): By default Passport issues access tokens that stay valid for a year, and a leaked bearer token is usable until it expires or is revoked, so set lifetimes that fit your risk. For example, in AuthServiceProvider:

```php
Passport::tokensExpireIn(now()->addDays(15));
Passport::refreshTokensExpireIn(now()->addDays(30));
Passport::personalAccessTokensExpireIn(now()->addMonths(6)); // personal access tokens have their own lifetime
```

- Issue Tokens:
- For Password Grant Tokens, POST to the /oauth/token endpoint with grant_type=password, the client ID and secret of the password grant client, and the user's username and password. The client secret must never be shipped inside a mobile or browser app. The password grant is deprecated in OAuth 2.1 and, from Passport 12, is disabled unless you call Passport::enablePasswordGrant(), so reserve it for trusted first-party clients and use the authorization code grant with PKCE elsewhere.
- For Personal Access Tokens, users can create tokens directly. The accessToken string is only available at creation time (Passport stores the token's ID, not the token itself), so hand it to the user once and never log it:

```php
$token = $user->createToken('Token Name')->accessToken;
```
Authentication Process with Passport:
- Personal Access Tokens: Users can generate personal access tokens for API access. They suit cases where the API consumer is the user themselves, such as a first-party web application or a script a user runs against their own account, because no authorization redirect is involved. Mobile apps and single-page apps that cannot keep a client secret are better served by the authorization code grant with PKCE:

```php
$token = $user->createToken('AppName')->accessToken;

return ['token' => $token];
```

- Authorization Code Grant: This grant type is typically used when a third-party application requests permission to access the API on behalf of the user. The application redirects the user to Passport's /oauth/authorize page, where they approve or deny the app's access to their data, and is then called back with an authorization code that it exchanges at /oauth/token. The client must bind the callback to the session with a state value and, if it cannot hold a secret, use a public client with PKCE.
- Client Credentials Grant: Ideal for machine-to-machine communication where no user is involved. Create a client with php artisan passport:client --client, then request a token by providing the client ID and secret:

```http
POST /oauth/token
Content-Type: application/json

{
  "grant_type": "client_credentials",
  "client_id": "client-id",
  "client_secret": "client-secret"
}
```

The resulting token carries no user, so routes for it are protected with Passport's CheckClientCredentials middleware rather than the auth:api guard.
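The consumer side of the client credentials exchange above, written as an added example (it is not code from the original article or from Passport itself). It shows what the one-line POST leaves out: caching the token for slightly less than its lifetime, requesting only the scope the job needs, and recovering from a 401 after the token is revoked server-side. It assumes a client created with php artisan passport:client --client, a read-inventory scope defined with Passport::tokensCan() on the API, and that the base URL, the /api/inventory path and the cache key are illustrative.

```php
<?php
// app/Services/InventoryApiClient.php: added example, not from the original
// article. Assumes the API created a client with `passport:client --client`
// and defines a "read-inventory" scope; base URL, path and cache key are
// illustrative.

namespace App\Services;

use Illuminate\Http\Client\Response;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;

class InventoryApiClient
{
    private const TOKEN_CACHE_KEY = 'inventory-api.client-credentials-token';

    public function __construct(
        private string $baseUrl,      // e.g. https://api.example.test
        private string $clientId,
        private string $clientSecret  // load from env/secret store, never commit it
    ) {
    }

    /**
     * Fetch inventory. A 401 means the cached token was revoked or expired
     * early, so drop it and retry once with a freshly issued token.
     */
    public function inventory(): array
    {
        $response = $this->get('/api/inventory');

        if ($response->status() === 401) {
            Cache::forget(self::TOKEN_CACHE_KEY);
            $response = $this->get('/api/inventory');
        }

        return $response->throw()->json();
    }

    private function get(string $path): Response
    {
        return Http::withToken($this->accessToken())
            ->acceptJson()
            ->get($this->baseUrl . $path);
    }

    /**
     * Obtain an access token from Passport's /oauth/token endpoint and cache
     * it for a little less than its lifetime, so a token is never reused
     * right at the edge of expiry. Only the scope this job needs is requested.
     */
    private function accessToken(): string
    {
        $cached = Cache::get(self::TOKEN_CACHE_KEY);
        if (is_string($cached)) {
            return $cached;
        }

        // Passport's token endpoint accepts a form-encoded body.
        $response = Http::asForm()->post($this->baseUrl . '/oauth/token', [
            'grant_type'    => 'client_credentials',
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'scope'         => 'read-inventory',
        ])->throw();

        $token = (string) $response->json('access_token');
        $ttl   = max(0, (int) $response->json('expires_in') - 60);

        Cache::put(self::TOKEN_CACHE_KEY, $token, $ttl);

        return $token;
    }
}
```

On the API side the matching route is protected with Passport's CheckClientCredentials middleware, optionally with the scope as its parameter, because a client credentials token has no user for the auth:api guard to resolve. The client secret is a long-lived credential: keep it in a secret store, rotate it, and give the client the narrowest scope that still does the job.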
Scopes:
You can define scopes to limit what an access token is allowed to do. A scope narrows a token's access and never grants more than the user behind the token already has. For example, a token issued to a reporting integration can be limited to viewing orders, while a token for an admin tool can also manage users:

```php
Passport::tokensCan([
    'view-orders'  => 'View orders',
    'manage-users' => 'Manage users',
]);
```

Defining a scope does nothing on its own: a route must check for it, either through Passport's scope middleware or by calling $request->user()->tokenCan('view-orders') in the handler, and every token request should ask only for the scopes it needs.
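A check that the scopes above are actually enforced, as an added example (not code from the original article or from Passport). It is a feature test that declares the two scopes, defines three illustrative routes inline, and verifies that a token limited to view-orders is refused by the manage-users endpoint. It assumes the Passport setup from this article (the api guard uses the passport driver, User uses HasApiTokens, a users factory exists); the route paths and the test class are assumptions, and Passport's CheckScopes middleware is referenced by class so the example does not depend on the middleware alias, which is registered differently across Passport versions.

```php
<?php
// tests/Feature/TokenScopesTest.php: added example, not from the original
// article. Route paths and scope names are illustrative.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Route;
use Laravel\Passport\Http\Middleware\CheckScopes;
use Laravel\Passport\Passport;
use Tests\TestCase;

class TokenScopesTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();

        // Declare the scopes a token may carry. A scope is just a string;
        // it only means something where a route or handler checks for it.
        Passport::tokensCan([
            'view-orders'  => 'View orders',
            'manage-users' => 'Manage users',
        ]);

        // Endpoints behind the Passport guard, each requiring one scope.
        // CheckScopes raises a 403 when the token lacks the named scope.
        Route::middleware(['auth:api', CheckScopes::class . ':view-orders'])
            ->get('/api/orders', fn () => ['orders' => []]);

        Route::middleware(['auth:api', CheckScopes::class . ':manage-users'])
            ->delete('/api/users/{id}', fn ($id) => ['deleted' => (int) $id]);

        // A handler can also branch on the token's scopes itself.
        Route::middleware('auth:api')->get('/api/me', function () {
            $user = request()->user();

            return [
                'id'               => $user->id,
                'can_manage_users' => $user->tokenCan('manage-users'),
            ];
        });
    }

    public function test_read_only_token_cannot_reach_admin_endpoint(): void
    {
        $user = User::factory()->create();

        // actingAs() attaches a transient token with exactly these scopes,
        // so no /oauth/token round trip is needed in the test.
        Passport::actingAs($user, ['view-orders']);

        $this->getJson('/api/orders')->assertOk();
        $this->deleteJson('/api/users/42')->assertForbidden();
        $this->getJson('/api/me')->assertJson(['can_manage_users' => false]);
    }

    public function test_token_with_admin_scope_is_allowed(): void
    {
        Passport::actingAs(User::factory()->create(), ['manage-users']);

        $this->deleteJson('/api/users/42')->assertOk()->assertJson(['deleted' => 42]);
    }

    public function test_unauthenticated_request_is_rejected(): void
    {
        $this->getJson('/api/orders')->assertUnauthorized();
    }
}
```

Run it with php artisan test; the forbidden case is the one worth keeping in CI, since a route that silently drops its scope middleware still returns 200 to a fully-scoped token and would go unnoticed otherwise.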
Summary of Use Cases:
- First-party apps can use personal access tokens; mobile apps and single-page apps that cannot keep a client secret should use the authorization code grant with PKCE.
- Third-party apps can use authorization code grants.
- Machine-to-machine communication can use the client credentials grant.
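The third-party (authorization code) flow summarised above, as an added example of the consuming application's two routes; it is not code from the original article or from Passport. It assumes a Passport server at config('services.passport.url'), a public client created on that server with php artisan passport:client --public (so PKCE replaces the client secret), and config('services.passport.client_id') holding the client ID; the /auth/redirect and /auth/callback paths, the config keys and the view-orders scope are assumptions. It handles the two things a minimal example usually skips: the user declining consent, and a callback whose state does not match the session.

```php
<?php
// routes/web.php of the consuming app: added example, not from the original
// article. Passport URL, client ID, paths, config keys and scope are assumed.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// Step 1: send the user to the Passport server's consent screen.
Route::get('/auth/redirect', function (Request $request) {
    // "state" binds the callback to this browser session; the PKCE verifier
    // proves the token request comes from the client that started the flow.
    $state    = Str::random(40);
    $verifier = Str::random(128);
    $request->session()->put(['oauth_state' => $state, 'oauth_verifier' => $verifier]);

    // S256 challenge: base64url(sha256(verifier)) without padding.
    $challenge = strtr(rtrim(base64_encode(hash('sha256', $verifier, true)), '='), '+/', '-_');

    $query = http_build_query([
        'client_id'             => config('services.passport.client_id'),
        'redirect_uri'          => route('oauth.callback'),
        'response_type'         => 'code',
        'scope'                 => 'view-orders',
        'state'                 => $state,
        'code_challenge'        => $challenge,
        'code_challenge_method' => 'S256',
    ]);

    return redirect(config('services.passport.url') . '/oauth/authorize?' . $query);
});

// Step 2: Passport redirects back with ?code=...&state=... or ?error=...
Route::get('/auth/callback', function (Request $request) {
    // Pull, not get: a state value is usable exactly once.
    $state    = $request->session()->pull('oauth_state');
    $verifier = $request->session()->pull('oauth_verifier');

    // The user declined or the server reported an error: exchange nothing.
    if ($request->filled('error')) {
        abort(403, 'Authorization was not granted: ' . $request->input('error'));
    }

    // Constant-time comparison; a callback with no matching session is refused.
    if (! is_string($state) || ! hash_equals($state, (string) $request->input('state'))) {
        abort(400, 'Invalid OAuth state');
    }

    // Exchange the one-time code for tokens. No client_secret: the public
    // client authenticates the request with the PKCE verifier instead.
    $response = Http::asForm()->post(config('services.passport.url') . '/oauth/token', [
        'grant_type'    => 'authorization_code',
        'client_id'     => config('services.passport.client_id'),
        'redirect_uri'  => route('oauth.callback'),
        'code_verifier' => $verifier,
        'code'          => $request->input('code'),
    ])->throw();

    // Keep access and refresh tokens server-side, never in a JS-readable cookie.
    $request->session()->put('oauth_tokens', $response->json());

    return redirect('/dashboard');
})->name('oauth.callback');
```

The redirect_uri sent in both requests must match the URI registered for the client on the Passport server exactly, otherwise the token exchange is rejected. For a confidential client (one created without --public) the same routes work with a client_secret added to the token request and PKCE kept as defence in depth.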