Introduction

What is Laravel Passport? Laravel Passport is an OAuth2 server implementation for API authentication in Laravel, built on the league/oauth2-server library. It handles the full OAuth2 flow for you: registering clients, issuing and refreshing access tokens, scoping them, and validating bearer tokens on incoming API requests. Use it when you need a real OAuth2 server (third-party clients, multiple grant types, scopes); for a first-party SPA or mobile app, the simpler Laravel Sanctum is often enough.

Setting Up Laravel Passport

  1. Install Passport:
composer require laravel/passport

  2. Run Migrations: Passport ships migrations that create the tables for clients, access tokens, refresh tokens and authorization codes.

php artisan migrate

  3. Install Passport:

php artisan passport:install

This command generates the RSA key pair (storage/oauth-private.key and storage/oauth-public.key) used to sign and verify access tokens, and creates the "personal access" and "password grant" clients, printing each client's id and secret once. Keep the private key out of version control and readable only by the web server user: anyone holding it can forge tokens that pass signature verification. Record the password-grant client id and secret in .env; do not plan on reading the secret back from the database later.

  4. Configure Auth Service Provider: In app/Providers/AuthServiceProvider.php, register the Passport routes. This call is only needed in Passport 10 and earlier; Passport 11 and later register the /oauth/* routes automatically and no longer ship Passport::routes(), so leave it out there (in Laravel 11, where AuthServiceProvider is not generated by default, the remaining Passport configuration goes in App\Providers\AppServiceProvider::boot()).

use Laravel\Passport\Passport;

public function boot()
{
    $this->registerPolicies();
    Passport::routes(); // Passport 10 and earlier only
}

  5. Update User Model: Ensure your User model uses the HasApiTokens trait. It adds the tokens() relation and the token()/tokenCan() helpers the api guard relies on.

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Passport\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;
}

  6. Configure API Authentication: Update the api guard in config/auth.php to use the passport driver. From now on, any route behind auth:api requires a valid, unexpired, unrevoked Passport bearer token.

'guards' => [
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],
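The six steps above leave Passport at its defaults: long-lived access tokens, no scopes, plaintext client secrets. As an added example (not code from the original page or from the Passport project), here is a boot() that tightens those defaults. The scope names and lifetimes are illustrative assumptions; in Laravel 11, where AuthServiceProvider is not generated, the same calls belong in App\Providers\AppServiceProvider::boot().

```php
<?php
// Added example: a hardened AuthServiceProvider::boot() for Laravel Passport.
// Scope names, lifetimes and the "Passport N+" notes are assumptions for illustration.
namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->registerPolicies();

        // Passport 10 and earlier only. Passport 11+ registers the /oauth/* routes
        // itself and no longer has this method.
        // Passport::routes();

        // Short-lived access tokens bound the window in which a stolen bearer token is
        // useful; the refresh token, which is rotated on every use, carries the session.
        Passport::tokensExpireIn(now()->addMinutes(15));
        Passport::refreshTokensExpireIn(now()->addDays(30));
        Passport::personalAccessTokensExpireIn(now()->addMonths(6));

        // Declare scopes so each token can be issued with only the access it needs.
        Passport::tokensCan([
            'read-user'  => 'Read your own profile',   // hypothetical scope names
            'write-user' => 'Update your own profile',
        ]);
        // Applied when a client asks for no scope at all.
        Passport::setDefaultScope(['read-user']);

        // Passport 10+: store client secrets hashed. The plaintext is shown once when
        // the client is created, so keep it in .env, not in a database lookup.
        Passport::hashClientSecrets();

        // Passport 12+ disables the deprecated password grant by default; opt in
        // explicitly only if your first-party clients still depend on it.
        if (method_exists(Passport::class, 'enablePasswordGrant')) {
            Passport::enablePasswordGrant();
        }
    }
}
```

With hashClientSecrets() in place, code that reads $client->secret from the oauth_clients table stops working by design; the login and refresh controllers below therefore take the client id and secret from configuration fed by .env.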

Creating and Using Tokens

  1. Password Grant Tokens: Create a route to issue tokens. The password grant lets a first-party client exchange a username and password for an access token and a refresh token. It is deprecated in the OAuth 2.0 Security Best Current Practice and disabled by default from Passport 12 onward, so reserve it for clients you control.
Route::post('login', 'AuthController@login');

In AuthController, use the Password Grant to issue tokens. The controller forwards the user's credentials to Passport's /oauth/token endpoint and adds the client secret server-side, so the secret never has to ship inside a mobile app or browser bundle.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $request->validate([
            'email' => 'required|email',
            'password' => 'required',
        ]);

        // The password-grant client id and secret are read from config (for example
        // config/services.php populated from .env; the key names are illustrative).
        // Do not use Client::find(1): passport:install creates the personal access
        // client first, so id 1 is usually not the password client, and a hashed
        // secret cannot be read back from the oauth_clients table anyway.
        //
        // Calling our own /oauth/token over HTTP requires APP_URL to be reachable from
        // this server; an internal request via Request::create() and app()->handle()
        // avoids the round trip.
        $response = Http::asForm()->post(url('/oauth/token'), [
            'grant_type' => 'password',
            'client_id' => config('services.passport.client_id'),
            'client_secret' => config('services.passport.client_secret'),
            'username' => $request->email,
            'password' => $request->password,
            'scope' => '', // request only the scopes this client needs, space-separated
        ]);

        // Pass Passport's status code through: a 400/401 error body must not reach
        // the client as a 200, or the client will treat the failure as a login.
        return response()->json($response->json(), $response->status());
    }
}

Protecting Routes: Protect your API routes using the auth:api middleware.

Route::middleware('auth:api')->get('/user', function (Request $request) {
return $request->user();
});
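auth:api only establishes who the caller is; it says nothing about what the token is allowed to do. As an added example (not from the original page), the routes below combine the guard with per-token scope checks via tokenCan(). It assumes the scopes 'read-user' and 'write-user' (hypothetical names) were registered with Passport::tokensCan() in a service provider and were requested when the token was issued.

```php
<?php
// Added example: routes/api.php entries that enforce token scopes on top of auth:api.
// Assumes scopes 'read-user' and 'write-user' (hypothetical) are registered via
// Passport::tokensCan() and that the default User model with HasApiTokens is in use.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:api')->group(function () {
    // auth:api rejects missing, malformed, expired and revoked tokens with 401.
    // tokenCan() adds the authorization check: a valid token without the scope gets 403.
    Route::get('/user', function (Request $request) {
        abort_unless($request->user()->tokenCan('read-user'), 403, 'read-user scope required');

        // Return an explicit projection rather than the whole model, so new columns
        // added later (hashes, internal flags) do not leak into the API by default.
        return $request->user()->only(['id', 'name', 'email']);
    });

    Route::patch('/user', function (Request $request) {
        abort_unless($request->user()->tokenCan('write-user'), 403, 'write-user scope required');

        $data = $request->validate([
            'name' => 'required|string|max:255',
        ]);
        $request->user()->update($data);

        return $request->user()->only(['id', 'name', 'email']);
    });
});
```

Passport also ships the CheckScopes and CheckForAnyScope middleware for the same checks in declarative form; in Passport 11 and earlier they are registered as the scopes and scope aliases in app/Http/Kernel.php before they can be used in a route definition.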

Advanced Topics

Refreshing Tokens: The password grant response already contains a refresh_token next to the short-lived access_token. To renew without re-sending the password, the client posts that refresh token to /oauth/token with grant_type=refresh_token. Passport revokes the presented refresh token and the access token it belongs to and issues a fresh pair, so a refresh token replayed after use is rejected; the refresh token lifetime is set with Passport::refreshTokensExpireIn().

    Route::post('refresh', 'AuthController@refresh');
    
    public function refresh(Request $request)
    {
        $request->validate([
            'refresh_token' => 'required',
        ]);
    
        // Same password-grant client as login; its credentials come from config, not
        // from a database lookup (key names illustrative).
        $response = Http::asForm()->post(url('/oauth/token'), [
            'grant_type' => 'refresh_token',
            'refresh_token' => $request->refresh_token,
            'client_id' => config('services.passport.client_id'),
            'client_secret' => config('services.passport.client_secret'),
            'scope' => '',
        ]);
    
        // Propagate Passport's status so a rejected refresh token is not returned as 200.
        return response()->json($response->json(), $response->status());
    }
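Because refresh tokens outlive access tokens, a logout that only forgets the access token on the client leaves a usable refresh token behind. As an added example (not from the original page), the routes below revoke the current access token together with every refresh token derived from it, and a second route revokes all of a user's tokens after a password change or suspected leak. It assumes the default Passport models, the auth:api guard and a User model with HasApiTokens.

```php
<?php
// Added example: logout endpoints that revoke Passport tokens server-side.
// Assumes the default Passport Token model, the auth:api guard and HasApiTokens on User.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Passport\RefreshTokenRepository;

Route::middleware('auth:api')->group(function () {
    // Log out of this session: revoke the token that authenticated the request and
    // the refresh tokens issued with it, so the session cannot be silently renewed.
    Route::post('/logout', function (Request $request, RefreshTokenRepository $refreshTokens) {
        $token = $request->user()->token(); // access token used on this request

        // Revoke refresh tokens first: a stolen refresh token must not be able to
        // mint a new access token after the user believes they have logged out.
        $refreshTokens->revokeRefreshTokensByAccessTokenId($token->id);
        $token->revoke();

        return response()->noContent();
    });

    // Log out everywhere: revoke every token this user holds, for example after a
    // password change or when a device is reported lost.
    Route::post('/logout-all', function (Request $request, RefreshTokenRepository $refreshTokens) {
        foreach ($request->user()->tokens as $token) {
            $refreshTokens->revokeRefreshTokensByAccessTokenId($token->id);
            $token->revoke();
        }

        return response()->noContent();
    });
});
```

Revocation flips the revoked flag rather than deleting rows, which is what lets the api guard reject a revoked token whose JWT signature and expiry are still valid; the revoked and expired rows can be pruned later with php artisan passport:purge.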
    

Passport vs. Sanctum: Laravel Sanctum provides a simpler token-based authentication system, ideal for SPAs, mobile apps and simple token APIs, while Passport offers a full OAuth2 server (clients, grants, scopes, refresh tokens) for applications that must act as an OAuth2 provider for other parties.

Handling Common Issues:

• Invalid Key Supplied / key path does not exist or is not readable: Passport cannot load storage/oauth-private.key or storage/oauth-public.key. Run php artisan passport:keys to generate them, check that the web server user can read them, and, if you deploy from a repository that excludes the key files, supply them through the PASSPORT_PRIVATE_KEY and PASSPORT_PUBLIC_KEY environment variables read by config/passport.php.
• invalid_client: the client_id or client_secret sent to /oauth/token is wrong, or the client is not allowed to use that grant type. Check the credentials against the client created by passport:install (or php artisan passport:client) and make sure you are using the password-grant client, not the personal access one.
• invalid_grant: the username/password pair was rejected, or the refresh token has expired or was already used.

Conclusion

Laravel Passport simplifies the implementation of OAuth2 authentication in Laravel applications. By following this guide, you can set up secure API authentication, issue tokens, handle refresh tokens, and protect your routes efficiently.
