passport's Introduction

Introduction

Laravel Passport is an OAuth2 server and API authentication package that is simple and enjoyable to use.

Official Documentation

Documentation for Passport can be found on the Laravel website.

Contributing

Thank you for considering contributing to Passport! The contribution guide can be found in the Laravel documentation.

Code of Conduct

In order to ensure that the Laravel community is welcoming to all, please review and abide by the Code of Conduct.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

License

Laravel Passport is open-sourced software licensed under the MIT license.

passport's People

Contributors

amrfayad, antimech, axlon, billriess, carusogabriel, crynobone, donovanhare, driesvints, ekoeryanto, gauravmak, gdebrauwer, hafezdivandari, jbrooksuk, kieronwiltshire, lucasmichot, matt-allan, mechazawa, mflor, nunomaduro, patrickkivits, raftalks, ravanscafi, reinink, robinvdvleuten, sebastiaanluca, taylorotwell, themsaid, vinkla, x-coder264, yaroslawww

passport's Issues

How does Passport identify which user is requesting the access token?

Hello Laravel team and thanks for this package!

There is only one thing that I don't understand in the authorization process.

How does Passport identify which user is requesting the access token?

Step 1
In the classic example of Passport usage a client needs to perform a request like below:

```php
$query = http_build_query([
    'client_id' => 1,
    'redirect_uri' => 'http://consumer.dev/callback',
    'response_type' => 'code',
    'scope' => 'conference'
]);

// Redirect the user to the OAuth authorization page
return redirect('http://passport.dev/oauth/authorize?' . $query);
```

Step 2
The Passport server opens the "Approval Authorization view" like this:
laravel-passport-screenshot-approval

And here there is no user information about who is requesting the access token through this external client.

Step 3
The Passport server returns an access token in a JSON response, and now I'm able to call routes protected by the "auth:api" middleware.

As Taylor showed in his example, I can call the test route to verify that Passport is working:

Route::get('/user', function (Request $request) { return $request->user(); });

How does Passport know which user must be authenticated?

I requested the access token sending only client information, without attaching any user information.
How does the Passport server know which user is authenticating through the external client?

How can I show the user information in the "Authorization view"?

Thanks a lot for your support.

Avoid migrations being migrated

Do we need all the migrations if we just want to use the CreateFreshApiToken middleware within our app, so we just want to consume our API?

Get user always returns null

I got an access_token and sent a request to get the user, but it always returns

{
"error": "Unauthenticated."
}

I read on the internet, and some people told me to change api.php like this

Route::get('/user', function (Request $request) {
    return $request->user();
})->middleware('auth:api');

to

Route::get('/user', function (Request $request) {
    return $request->user();
});

Then it no longer displays the error but returns a null value. I can't get the user.

No facade?

I'm curious as to why the Passport class is static because mostly everything in Laravel uses facades and the service container. If there isn't a concrete reason, would it be acceptable to create a PR for it?

Thanks!

Logging out asynchronously keeps returning the user's data until you refresh the page

It's more of a detail than issue maybe but nevertheless I'll just address it here.
(experience with L5.3 & vue/vue-resource/vue-router is good).

  1. In vue-router with router.beforeEach there's an ajax call to /api/user
  2. get Unauthenticated and 401 which is good.
  3. I log in asynchronously, getting my user data switching pages, also good.
  4. Then I log out, I like things to be asynchronous so I log out via ajax post request.
  5. I switch pages and notice I'm still logged in.
  6. until I refresh then I'm logged out and getting nr. 2, which I would prefer to have without having to refresh the page.

In the meantime I'll try to figure it out myself. While yes, I could refresh the page with JavaScript or whatever, I think it would be a nice detail to not have to refresh the page to actually be logged out with one-page applications.

API Route 404'ing even though it is registered

I am developing locally on Homestead

Route/api.php:
Route::get('/users', 'ApiController@users')->middleware('auth:api');

Controllers/ApiController.php:

```php
class ApiController extends Controller
{
    public function users()
    {
        return response()->json([
            'name' => 'Test',
            'state' => 'State'
        ]);
    }
}
```

php artisan route:list provides:
api/users | | App\Http\Controllers\ApiController@users | api,auth:api

So I am successfully getting a password token via /oauth/token; however, I am then unable to use the token in a request to the above. Instead I am getting 404'd.

Is anyone aware of this issue, or know of the best way to debug the setup?
Cheers

Error in authenticateViaBearerToken (BearerTokenValidator.php) "The JWT string must have two dots"

I have {error: "Unauthenticated."}
when GET /api/user

headers:
Accept:application/json
Authorization:Bearer 16dd63d4ba079478273850acac2fd1a9c9d46ee26dba31a8b12cc3ffbbbe871f7e742fef6c1f492a
...

SELECT * FROM oauth_access_tokens

16dd63d4ba079478273850acac2fd1a9c9d46ee26dba31a8b12cc3ffbbbe871f7e742fef6c1f492a 1 1 Site [] 0 2016-08-28 21:45:07 2016-08-28 21:45:07 2116-08-28 21:45:07

and catch OAuthServerException

OAuthServerException {#196
-httpStatusCode: 401
-errorType: "access_denied"
-hint: "The JWT string must have two dots"
-redirectUri: null
#message: "The resource owner or authorization server denied the request."
#code: 9
#file: "/home/vagrant/code/givman/vendor/league/oauth2-server/src/Exception/OAuthServerException.php"
#line: 165

League\OAuth2\Server\Exception\OAuthServerException: The resource owner or authorization server denied the request. in /home/vagrant/code/givman/vendor/league/oauth2-server/src/Exception/OAuthServerException.php:165
Stack trace:
#0 /home/vagrant/code/givman/vendor/league/oauth2-server/src/AuthorizationValidators/BearerTokenValidator.php(77): League\OAuth2\Server\Exception\OAuthServerException::accessDenied('The JWT string ...')
#1 /home/vagrant/code/givman/vendor/league/oauth2-server/src/ResourceServer.php(82): League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator->validateAuthorization(Object(Zend\Diactoros\ServerRequest))
#2 /home/vagrant/code/givman/vendor/laravel/passport/src/Guards/TokenGuard.php(109): League\OAuth2\Server\ResourceServer->validateAuthenticatedRequest(Object(Zend\Diactoros\ServerRequest))
#3 /home/vagrant/code/givman/vendor/laravel/passport/src/Guards/TokenGuard.php(89): Laravel\Passport\Guards\TokenGuard->authenticateViaBearerToken(Object(Illuminate\Http\Request))
#4 /home/vagrant/code/givman/vendor/laravel/passport/src/PassportServiceProvider.php(207): Laravel\Passport\Guards\TokenGuard->user(Object(Illuminate\Http\Request))
#5 [internal function]: Laravel\Passport\PassportServiceProvider->Laravel\Passport{closure}(Object(Illuminate\Http\Request))
#6 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Auth/RequestGuard.php(53): call_user_func(Object(Closure), Object(Illuminate\Http\Request))
#7 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Auth/GuardHelpers.php(49): Illuminate\Auth\RequestGuard->user()
#8 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Auth/Middleware/Authenticate.php(61): Illuminate\Auth\RequestGuard->check()
#9 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Auth/Middleware/Authenticate.php(41): Illuminate\Auth\Middleware\Authenticate->authenticate(Array)
#10 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(137): Illuminate\Auth\Middleware\Authenticate->handle(Object(Illuminate\Http\Request), Object(Closure), 'api')
#11 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(33): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#12 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Middleware/SubstituteBindings.php(41): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#13 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(137): Illuminate\Routing\Middleware\SubstituteBindings->handle(Object(Illuminate\Http\Request), Object(Closure))
#14 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(33): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#15 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php(48): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#16 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(137): Illuminate\Routing\Middleware\ThrottleRequests->handle(Object(Illuminate\Http\Request), Object(Closure), '60', '1')
#17 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(33): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#18 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(104): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#19 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Router.php(644): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#20 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Router.php(618): Illuminate\Routing\Router->runRouteWithinStack(Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request))
#21 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Router.php(596): Illuminate\Routing\Router->dispatchToRoute(Object(Illuminate\Http\Request))
#22 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(267): Illuminate\Routing\Router->dispatch(Object(Illuminate\Http\Request))
#23 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(53): Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http{closure}(Object(Illuminate\Http\Request))
#24 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php(46): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#25 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(137): Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode->handle(Object(Illuminate\Http\Request), Object(Closure))
#26 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(33): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline{closure}(Object(Illuminate\Http\Request))
#27 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(104): Illuminate\Routing\Pipeline->Illuminate\Routing{closure}(Object(Illuminate\Http\Request))
#28 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(149): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#29 /home/vagrant/code/givman/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(116): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(Illuminate\Http\Request))
#30 /home/vagrant/code/givman/public/index.php(53): Illuminate\Foundation\Http\Kernel->handle(Object(Illuminate\Http\Request))
#31 {main}

ClientController: $request->user()->id

Hi,
I have a project where I have changed the User model primary key from "id" to "MemberID" using the following command in my User.php model file:

protected $primaryKey = 'MemberID';

This seems to be an issue when using Passport because it expects user()->id inside ClientController.php.
Changing the two functions to use user()->MemberID fixes the issue, but would be overwritten by composer since it is inside the vendor folder.

Is there a way around this that does not involve changing the functions inside ClientController.php?

Best regards
Totto

Laravel 5.3 Laravel\Passport\Client uses the wrong database connection when requesting a token

So I followed Taylor's introduction to Passport on Laracasts, and when I attempted to POST to the OAuth server /oauth/token URL with the newly acquired code, I get a 'homestead.oauth_clients' doesn't exist' error.

In other words it's using the wrong database connection! I set this up using SQLite and even hard coded 'default' => 'sqlite' in config/database.php. (.env is also set correctly)

In the end I had to add protected $connection = 'sqlite'; to the Laravel\Passport\Client.php file to get it to work. Obviously this is not really a suitable fix. Just wondering where I might look to see where it determines the connection to use.

Here is the complete error log for reference:

[2016-09-10 03:17:10] local.ERROR: exception 'PDOException' with message 'SQLSTATE[42S02]: Base table or view not found: 1146 Table 'homestead.oauth_clients' doesn't exist' in D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Connection.php:333
Stack trace:
#0 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Connection.php(333): PDO->prepare('select * from `...')
#1 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Connection.php(754): Illuminate\Database\Connection->Illuminate\Database\{closure}(Object(Illuminate\Database\MySqlConnection), 'select * from `...', Array)
#2 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Connection.php(717): Illuminate\Database\Connection->runQueryCallback('select * from `...', Array, Object(Closure))
#3 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Connection.php(351): Illuminate\Database\Connection->run('select * from `...', Array, Object(Closure))
#4 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Query\Builder.php(1645): Illuminate\Database\Connection->select('select * from `...', Array, true)
#5 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Query\Builder.php(1631): Illuminate\Database\Query\Builder->runSelect()
#6 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Eloquent\Builder.php(613): Illuminate\Database\Query\Builder->get(Array)
#7 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Eloquent\Builder.php(318): Illuminate\Database\Eloquent\Builder->getModels(Array)
#8 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Eloquent\Builder.php(288): Illuminate\Database\Eloquent\Builder->get(Array)
#9 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Eloquent\Builder.php(168): Illuminate\Database\Eloquent\Builder->first(Array)
#10 [internal function]: Illuminate\Database\Eloquent\Builder->find('3')
#11 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Eloquent\Model.php(3515): call_user_func_array(Array, Array)
#12 [internal function]: Illuminate\Database\Eloquent\Model->__call('find', Array)
#13 [internal function]: Laravel\Passport\Client->find('3')
#14 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Database\Eloquent\Model.php(3529): call_user_func_array(Array, Array)
#15 D:\Dev\Passport\vendor\laravel\passport\src\ClientRepository.php(15): Illuminate\Database\Eloquent\Model::__callStatic('find', Array)
#16 D:\Dev\Passport\vendor\laravel\passport\src\ClientRepository.php(15): Laravel\Passport\Client::find('3')
#17 D:\Dev\Passport\vendor\laravel\passport\src\ClientRepository.php(26): Laravel\Passport\ClientRepository->find('3')
#18 D:\Dev\Passport\vendor\laravel\passport\src\Bridge\ClientRepository.php(37): Laravel\Passport\ClientRepository->findActive('3')
#19 D:\Dev\Passport\vendor\league\oauth2-server\src\Grant\AbstractGrant.php(160): Laravel\Passport\Bridge\ClientRepository->getClientEntity('3', 'authorization_c...', 'yExYq8aAYCbbtB6...', true)
#20 D:\Dev\Passport\vendor\league\oauth2-server\src\Grant\AuthCodeGrant.php(74): League\OAuth2\Server\Grant\AbstractGrant->validateClient(Object(Zend\Diactoros\ServerRequest))
#21 D:\Dev\Passport\vendor\league\oauth2-server\src\AuthorizationServer.php(180): League\OAuth2\Server\Grant\AuthCodeGrant->respondToAccessTokenRequest(Object(Zend\Diactoros\ServerRequest), Object(League\OAuth2\Server\ResponseTypes\BearerTokenResponse), Object(DateInterval))
#22 D:\Dev\Passport\vendor\laravel\passport\src\Http\Controllers\AccessTokenController.php(63): League\OAuth2\Server\AuthorizationServer->respondToAccessTokenRequest(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response))
#23 D:\Dev\Passport\vendor\laravel\passport\src\Http\Controllers\HandlesOAuthErrors.php(25): Laravel\Passport\Http\Controllers\AccessTokenController->Laravel\Passport\Http\Controllers\{closure}()
#24 D:\Dev\Passport\vendor\laravel\passport\src\Http\Controllers\AccessTokenController.php(64): Laravel\Passport\Http\Controllers\AccessTokenController->withErrorHandling(Object(Closure))
#25 [internal function]: Laravel\Passport\Http\Controllers\AccessTokenController->issueToken(Object(Zend\Diactoros\ServerRequest))
#26 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\ControllerDispatcher.php(47): call_user_func_array(Array, Array)
#27 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\Route.php(190): Illuminate\Routing\ControllerDispatcher->dispatch(Object(Illuminate\Routing\Route), Object(Laravel\Passport\Http\Controllers\AccessTokenController), 'issueToken')
#28 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\Route.php(144): Illuminate\Routing\Route->runController()
#29 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\Router.php(642): Illuminate\Routing\Route->run(Object(Illuminate\Http\Request))
#30 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(53): Illuminate\Routing\Router->Illuminate\Routing\{closure}(Object(Illuminate\Http\Request))
#31 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Pipeline\Pipeline.php(104): Illuminate\Routing\Pipeline->Illuminate\Routing\{closure}(Object(Illuminate\Http\Request))
#32 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\Router.php(644): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#33 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\Router.php(618): Illuminate\Routing\Router->runRouteWithinStack(Object(Illuminate\Routing\Route), Object(Illuminate\Http\Request))
#34 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\Router.php(596): Illuminate\Routing\Router->dispatchToRoute(Object(Illuminate\Http\Request))
#35 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Foundation\Http\Kernel.php(267): Illuminate\Routing\Router->dispatch(Object(Illuminate\Http\Request))
#36 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(53): Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}(Object(Illuminate\Http\Request))
#37 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode.php(46): Illuminate\Routing\Pipeline->Illuminate\Routing\{closure}(Object(Illuminate\Http\Request))
#38 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Pipeline\Pipeline.php(137): Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode->handle(Object(Illuminate\Http\Request), Object(Closure))
#39 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Routing\Pipeline.php(33): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(Illuminate\Http\Request))
#40 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Pipeline\Pipeline.php(104): Illuminate\Routing\Pipeline->Illuminate\Routing\{closure}(Object(Illuminate\Http\Request))
#41 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Foundation\Http\Kernel.php(149): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#42 D:\Dev\Passport\vendor\laravel\framework\src\Illuminate\Foundation\Http\Kernel.php(116): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(Illuminate\Http\Request))
#43 D:\Dev\Passport\public\index.php(54): Illuminate\Foundation\Http\Kernel->handle(Object(Illuminate\Http\Request))
#44 {main}

Clarification for use of CreateFreshApiToken middleware

Based on my reading of the code and the docs, it seems that, in order to make use of the CreateFreshApiToken middleware, the user must first authenticate with a GET request, at which point the middleware kicks in and sends the cookie back with the response. Does this mean that, for my own JS application utilizing my API, I would have a special API endpoint that does auth the old-fashioned way (e.g., username/password), and then this middleware would take over authorization from that point, and the rest of my endpoints can pretend like the user was authenticated through OAuth?

If so, ordinarily I would design my login endpoint to use a POST, but the code seems to only create the cookie on a GET. Does that mean that my login endpoint has to use a GET in order for this middleware to work, or am I misunderstanding the intent?

Ajax authentication issue

The CreateFreshApiToken middleware should issue the laravel_token cookie if a POST request is coming through AJAX, so that one can allow users to log in with AJAX, for example with vue-resource.

For now, because of this, I can send authentication data to the server using vue-resource, but because the token is issued only for GET requests, it does not return the laravel_token cookie, so the user cannot access the API correctly if login is done using AJAX.

For example,
return $request->isMethod('GET') && $request->user();

can be
return ($request->isMethod('GET') || $request->ajax() ) && $request->user();

Other grant types

I noticed that the package doesn't have support for the client_credentials and implicit grant types.

Studying the OAuth2 standard, I understand that these two grant types are needed for server-to-server authorization and are important to give access to our API by external software in a trusted way without a user workflow. Furthermore, the implicit grant type is needed to issue the SDK to give access to external developers to develop frontend applications based on our APIs.

Mine is just a curiosity, which may also be shared by many other Laravel lovers: "Is the implementation of these grant types on the package's to-do list?"

Or, in good Laravel style, a workflow could be developed to extend the OAuth server's capabilities.

Thanks in advance if you want to give us a preview.

Authorize request each time?

Hi,

Each time the user is redirected to oauth/authorize, it shows the authorization form, even if the user previously approved the authorization.

Shouldn't it ask the user only once? Or am I missing something?

Thank you.

OpenSSL problem on Windows

Hi, I found this

'openssl' is not recognized as an internal or external command, operable program or batch file.

when running

php artisan passport:install

on Windows without openssl installed.

Weird UI Issue along with Console Warnings.

Hello,

I tried installing passport and following the tutorial and the first time it all worked fine but later on, I broke something and decided to start fresh. I deleted the database and got a fresh copy of Laravel.

Now when I tried to follow the exact same tutorial in the docs and the video Taylor made, I get some issues. I don't know what's causing them and I don't know how to fix them.

Here are the issues.

screen shot 2016-08-26 at 00 01 58

When I click the delete buttons I get this message

screen shot 2016-08-26 at 00 16 07

I have used a new database, and I tried in incognito and cleared all my browser's cookies and cache.

I have asked on IRC but no one can help me.

Any way to change PersonalAccessClient or Client Model?

Hi,

As you know, when we use other drivers like MongoDB, we need to override these models. It would be nice if you could add a config option to change these models based on developers' needs, like you did with the User model.

Regards

php artisan passport:install - unable to write 'random state'

Hi, I am trying out Passport, but when I use php artisan passport:install, the error below occurs. Do you know how to solve it?
WARNING: can't open config file: /z/extlib/2016Q2_/ssl/openssl.cnf
Generating RSA private key, 4096 bit long modulus
.....................................................................++
...................................................++
unable to write 'random state'
e is 65537 (0x10001)
WARNING: can't open config file: /z/extlib/2016Q2_/ssl/openssl.cnf
writing RSA key

Installation for spark

Following the newest Spark release and the tweet, I would like to know how to use Passport with Spark, because Spark isn't really comfortable with .vue files.. :/

Error handling

Http controllers have their own exception handler. In a trait.
Why?

This thing triggers only the report method on the main ExceptionHandler and returns a plaintext response to the client without any chance to override.
Why?

There is some communication standard on every API and this error handling breaks it. Besides that, even in case of a hard 500 it writes the error message to the client in plain text REGARDLESS of the environment and production settings. All the SQL errors containing sensitive information et vice versa are exposed.
GOD, WHY?

The only chance to override this is to write all the controllers again in the project namespace. If these "prefabricated" controllers are here to make the developer's life easier, why hard-wire such crucial logic into them? Why not use a contract for injecting an exception handler? If not, why not call the render method of the application exception handler? Or anything else?

Regards,
RD
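
One way to give API clients a consistent JSON error body while keeping exception detail out of production responses, which is the behaviour this issue asks for. This is an added example, not Passport code: renderApiError(), its parameters and the incident id are hypothetical names, and the sample exception message is constructed.

```php
<?php
declare(strict_types=1);

// Added example (PHP 8+), not Passport code. renderApiError() and its
// parameters are hypothetical; the exception below is constructed.

/**
 * Turn any exception into a JSON error response.
 * Detail reaches the client only when $debug is true; the log always gets it.
 */
function renderApiError(Throwable $e, bool $debug, callable $log): array
{
    // The incident id lets an operator match a client report to the log line
    // without the client ever seeing the underlying message.
    $incident = bin2hex(random_bytes(8));
    $log(sprintf(
        '[%s] %s: %s in %s:%d',
        $incident, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));

    $body = [
        'error' => 'server_error',
        'message' => 'The request could not be completed.',
        'incident' => $incident,
    ];
    if ($debug) {
        // Local development only: expose what failed.
        $body['debug'] = ['exception' => get_class($e), 'message' => $e->getMessage()];
    }

    return [
        'status' => 500,
        'headers' => ['Content-Type' => 'application/json'],
        'body' => json_encode($body, JSON_THROW_ON_ERROR),
    ];
}

// Constructed demo: an SQL error of the kind that must not reach API clients.
$logLines = [];
$log = function (string $line) use (&$logLines): void {
    $logLines[] = $line;
};
$e = new RuntimeException(
    "SQLSTATE[42S02]: Base table or view not found: 1146 Table 'homestead.oauth_clients' doesn't exist"
);

$production = renderApiError($e, false, $log);
$local = renderApiError($e, true, $log);

echo $production['body'], PHP_EOL; // generic message and incident id only
echo $local['body'], PHP_EOL;      // additionally carries the exception detail
var_dump(str_contains($production['body'], 'oauth_clients')); // table name must not leak
echo $logLines[0], PHP_EOL;        // full detail stays in the server-side log
```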

expectsJson is not working

Hi, first, thanks for the great package. I have a problem when I change the token in Postman: the response returns the web login page, and the expectsJson function in the unauthenticated exception handler is not working.
Please help me,
Thank you!
screen shot 2016-09-22 at 12 03 04 pm

firebase/php-jwt version conflict within passport and google/apiclient 2.0

Hi Artisans

We have installed laravel/passport and then tried to install google/apiclient. It then gives an error saying:

Problem 1
- Installation request for google/auth ^0.10.0 -> satisfiable by google/auth[v0.10].
- Conclusion: remove firebase/php-jwt v4.0.0
- Conclusion: don't install firebase/php-jwt v4.0.0
- google/auth v0.10 requires firebase/php-jwt ~2.0|~3.0 -> satisfiable by firebase/php-jwt[2.0.0, v2.1.0, v2.2.0, v3.0.0].

I think laravel/passport or its foundation uses a newer version of firebase/php-jwt (v4). But google/apiclient is
"satisfiable by firebase/php-jwt[2.0.0, v2.1.0, v2.2.0, v3.0.0]"

Is there any way to install both of them within the same project?

Question about migrations

Why don't the Passport migrations have foreign keys? Is it good practice not to have foreign keys in migrations?

Multiple Access Token

Is there an easy configuration to allow multiple access tokens per subject, so that when a user uses different devices, old access tokens won't get revoked every time the user requests a new access token on a different device?

Separating resource & authorisation server roles

Hi Laravel Passport contributors,

I'm glad to see Laravel now has an official, integrated OAuth 2 implementation. However, I notice that right now there is no way to separate the resource server and authorisation roles (as defined in the OAuth 2 spec). That is to say, Passport cannot be set up purely to be a resource server which accepts and validates JWTs against a known authorisation server's public key/certificate*.

Is this something that is envisioned in any roadmap of the package? (I don't see one documented anywhere, so perhaps those plans are in somebody's head?) I would be interested in contributing to the splitting of those roles, because I see this as a shortcoming of many other like packages.

Regards,
Andy

*Unless I'm very much mistaken. If somebody could point me in the right direction, that would be appreciated
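
A resource-server-only check of the kind asked about in this issue, as an added example that is not taken from Passport or league/oauth2-server: it validates a bearer JWT using nothing but the authorization server's public key, and its first test is the segment count behind the "The JWT string must have two dots" error reported in the earlier issue. It assumes RS256 signing and PHP 8 with ext-openssl; all function names are hypothetical and the key pair and tokens are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (PHP 8+, ext-openssl). Not Passport or league/oauth2-server
// code; every function name here is hypothetical.

function b64urlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function b64urlDecode(string $segment): string
{
    $padded = $segment . str_repeat('=', (4 - strlen($segment) % 4) % 4);
    $bytes = base64_decode(strtr($padded, '-_', '+/'), true);
    return $bytes === false ? '' : $bytes;
}

/**
 * Accept a bearer value only if it is an RS256 JWT signed by the authorization
 * server whose public key we hold. No private key or token table is needed.
 * Returns ['ok' => bool, 'reason' => string, 'claims' => array].
 */
function validateBearerJwt(string $bearer, string $publicKeyPem, int $now): array
{
    $fail = fn (string $reason): array => ['ok' => false, 'reason' => $reason, 'claims' => []];

    // Compact serialization is header.payload.signature: exactly two dots.
    // A bare token id copied out of the database fails at this step.
    $parts = explode('.', $bearer);
    if (count($parts) !== 3) {
        return $fail('not a JWT: expected two dots, found ' . (count($parts) - 1));
    }
    [$header64, $payload64, $signature64] = $parts;

    // Pin the algorithm on the verifier side instead of trusting the header.
    $header = json_decode(b64urlDecode($header64), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        return $fail('unsupported or missing alg');
    }

    // Verify the signature before reading any claim.
    $verified = openssl_verify(
        $header64 . '.' . $payload64,
        b64urlDecode($signature64),
        $publicKeyPem,
        OPENSSL_ALGO_SHA256
    );
    if ($verified !== 1) {
        return $fail('signature verification failed');
    }

    $claims = json_decode(b64urlDecode($payload64), true);
    if (!is_array($claims) || !is_numeric($claims['exp'] ?? null)) {
        return $fail('missing or malformed exp');
    }
    if ((int) $claims['exp'] <= $now) {
        return $fail('token expired');
    }

    return ['ok' => true, 'reason' => 'valid', 'claims' => $claims];
}

// Demo helper standing in for the authorization server's token issuance.
function signSampleJwt(OpenSSLAsymmetricKey $privateKey, array $claims): string
{
    $signingInput = b64urlEncode(json_encode(['typ' => 'JWT', 'alg' => 'RS256']))
        . '.' . b64urlEncode(json_encode($claims));
    openssl_sign($signingInput, $signature, $privateKey, OPENSSL_ALGO_SHA256);
    return $signingInput . '.' . b64urlEncode($signature);
}

// Constructed demo data: a throwaway key pair plays the authorization server.
$privateKey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
if ($privateKey === false) {
    fwrite(STDERR, "openssl_pkey_new failed: check the OpenSSL configuration\n");
    exit(1);
}
$publicKeyPem = openssl_pkey_get_details($privateKey)['key'];

$now = time();
$valid = signSampleJwt($privateKey, ['jti' => 'constructed-id', 'sub' => '1', 'exp' => $now + 3600]);
$expired = signSampleJwt($privateKey, ['jti' => 'constructed-id', 'sub' => '1', 'exp' => $now - 60]);

// Same header and signature, different payload: the signature no longer matches.
[$h, , $s] = explode('.', $valid);
$tampered = $h . '.' . b64urlEncode(json_encode(['sub' => '2', 'exp' => $now + 3600])) . '.' . $s;

$samples = [
    'signed JWT'      => $valid,
    'opaque token id' => str_repeat('ab', 40), // constructed 80-hex value with no dots
    'tampered claims' => $tampered,
    'expired JWT'     => $expired,
];
foreach ($samples as $label => $bearer) {
    printf("%-16s %s\n", $label, validateBearerJwt($bearer, $publicKeyPem, $now)['reason']);
}
```

A check like this covers signature and expiry only; revocation still requires a lookup against the authorization server's token store.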

Vue Components fail over HTTPS

Not sure if this is just using Laravel Valet or not.

Fresh install with laravel installer on Mac OS X El Capitan

    "laravel/framework": "5.3.*",
    "laravel/passport": "^1.0"

When doing valet secure on my project directory Vue Components for passport fail because all JSON responses are returned unparsed. Laravel returns the same output with either protocol so I was thinking it was something in vue-resource causing it, but I could never determine the cause.

I was able to fix the issue on https by wrapping all response.data references with JSON.parse()

Screenshot of unparsed client json string:
image

Call to undefined method Laravel\Passport\Http\Controllers\AuthorizationController

Following through the initial setup on a clean 5.3 install and getting this error when using php artisan route:list after adding in Passport::routes() to the AuthServiceProvider.

[Symfony\Component\Debug\Exception\FatalThrowableError]
  Call to undefined method Laravel\Passport\Http\Controllers\AuthorizationController::getMiddleware()

Grant Type client_credentials Authentication fails

I know that the Grant-Type client_credentials isn't in the documentation, but it is explicitly enabled in the ServiceProvider

$server->enableGrantType(
new ClientCredentialsGrant, Passport::tokensExpireIn()
);

Requesting an access token works, but after that it always says unauthorized. I think it is because the user_id isn't set in the table 'oauth_access_tokens'.

Is the bug that 'client_credentials' is enabled or that you can't authenticate afterwards? Are there plans to support it?

Client_ID

It feels a bit strange to get a client ID as the primary key of oauth_clients @taylorotwell
Would it not make sense to provide a uuid field for that?

Fire Passport Events

What about firing Passport events throughout the process? There are several reasons why someone might be interested in these details. One might be for logging when someone gets a token (see: thephpleague/oauth2-server#628).

For example: in Laravel\Passport\Bridge\RefreshTokenRepository::persistNewRefreshToken(), I added event('passport.refresh', $refreshTokenEntity->getAccessToken()->getUserIdentifier()); to the bottom of the method, because I needed to know when a refresh token is created, and for whom.

It would be nice if Passport had these types of events natively.

"Message" : "Client authorization failed" - Always

I followed the exact steps mentioned in the Laracast : What's New in Laravel 5.3: Laravel Passport to implement api authentication using oauth2.

My web.php file in the client/consumer project looks like:

use Illuminate\Http\Request;

Route::get('/', function () {
    $query = http_build_query([
        'client_id' => 2,
        'redirect_uri' => 'http://offline.xyz.com/callback',
        'response_type' => 'code',
        'scope' => '',
    ]);

    return redirect('http://api.xyz.com/oauth/authorize?'.$query);
});

Route::get('/callback', function (Request $request) {
    // The Guzzle client is assigned to the same variable that post() is called on.
    $http = new GuzzleHttp\Client;

    $response = $http->post('http://api.xyz.com/oauth/token', [
        'form_params' => [
            'grant_type' => 'authorization_code',
            'client_id' => 2,
            'client_secret' => 'tUGYrNeWCGAQt220n88CGoXVu7TRDyZ20fxAlFcL',
            'redirect_uri' => 'http://offline.xyz.com/callback',
            'code' => $request->code,
        ],
    ]);

    return json_decode((string) $response->getBody(), true);
});

Not to mention, I have implemented the vue components as well and client with id = 2 exists.

I am getting the permission request page where I need to authorize to allow my client to access the api. But, once I click authorize, I am being redirected to the page where it shows the following message:
{"error":"invalid_client","message":"Client authentication failed"}

How to resolve this?

I did not install laravel/passport in the offline project. Am I missing out something? I have followed and implemented what exactly was mentioned in the video tutorial. Do I have to include something else that I'm not aware of? (I have a very basic knowledge on oauth2).

If it helps, I am trying to implement an offline system which will periodically send data to an online system when there is an internet connection. So I thought I can build an api and send post request with information to be stored.

`POST http://passport.dev/oauth/token` resulted in a `400 Bad Request` response:

I am following the Laracasts video to set up Passport, but it's giving the exception on the Guzzle request in the callback.

code :

Route::get('/', function () {
     $query = http_build_query([
        'client_id' => 1,
        'redirect_url' => 'http://consumer.dev/callback',
        'response_type' => 'code',
        'scope' => ''
      ]);

     return redirect('http://passport.dev/oauth/authorize?'.$query);
});

Route::get('/callback', function (Request $request) {
    $http = new GuzzleHttp\Client;

    $response = $http->post('http://passport.dev/oauth/token', [
        'form_params' => [
            'grant_type' => 'authorization_code',
            'client_id' => 1,
            'client_secret' => 'JzyOQCKcmVHt5wgjtS45iAz3rcPKbiCUnd0rNfOj',
            'redirect_uri' => 'http://consumer.dev/callback',
            'code' => $request->code,
        ],
    ]);

    return json_decode((string) $response->getBody(), true);
});

It seems the redirect_uri is null in $authCodePayload in file AuthCodeGrant.php line number 97 after decrypting the authcode value.
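An added example, not part of the original issue or of Passport: in the post above the authorize query uses the key `redirect_url` while the token request uses `redirect_uri`, and RFC 6749 names the parameter `redirect_uri` and expects the token request to repeat the same value. The helper `checkAuthCodeFlow()` is hypothetical, knows only the core RFC 6749 parameter names (extensions such as PKCE would need to be added), and the secret and code values are placeholders.

```php
<?php
// Added example: lint the two parameter sets of an authorization-code flow.
// checkAuthCodeFlow() is a hypothetical helper, not part of Passport.

function checkAuthCodeFlow(array $authorize, array $token): array
{
    // Core parameter names from RFC 6749 sections 4.1.1 and 4.1.3.
    $known = [
        'authorize' => ['response_type', 'client_id', 'redirect_uri', 'scope', 'state'],
        'token'     => ['grant_type', 'code', 'redirect_uri', 'client_id', 'client_secret'],
    ];
    $required = [
        'authorize' => ['response_type', 'client_id'],
        'token'     => ['grant_type', 'code'],
    ];
    $problems = [];

    foreach (['authorize' => $authorize, 'token' => $token] as $step => $params) {
        foreach (array_diff(array_keys($params), $known[$step]) as $name) {
            $problems[] = "$step: unrecognized parameter '$name' (possible typo)";
        }
        foreach (array_diff($required[$step], array_keys($params)) as $name) {
            $problems[] = "$step: missing required parameter '$name'";
        }
    }

    // The token request has to repeat the authorize request's redirect_uri exactly.
    $sent     = $authorize['redirect_uri'] ?? null;
    $repeated = $token['redirect_uri'] ?? null;
    if ($sent !== $repeated) {
        $problems[] = 'redirect_uri differs: authorize=' . var_export($sent, true)
            . ' token=' . var_export($repeated, true);
    }

    return $problems;
}

// Constructed input that mirrors the two requests in the post above.
$authorize = ['client_id' => 1, 'redirect_url' => 'http://consumer.dev/callback',
              'response_type' => 'code', 'scope' => ''];
$token = ['grant_type' => 'authorization_code', 'client_id' => 1,
          'client_secret' => 'CLIENT_SECRET_PLACEHOLDER',
          'redirect_uri' => 'http://consumer.dev/callback', 'code' => 'CODE_FROM_CALLBACK'];

foreach (checkAuthCodeFlow($authorize, $token) as $problem) {
    echo $problem, PHP_EOL;
}
```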


Obtain access token and refresh token without a http request

Sorry for asking a question here, but I tried elsewhere and no one could answer.

Let's say I have a mobile app in which the user can login with Facebook. If it was on the web, after the authorization I would have this: auth()->login($user); but I'm not sure how to do this with Passport.

The user does have a createToken() method, but how do I get the refresh token so I can have a response like this?

{
  "token_type": "Bearer",
  "expires_in": 3155673600,
  "access_token": "eyJ0eXAiOiJK...",
  "refresh_token": "LbxXGlD2s..."
}

Personal Access Tokens - Expiration

These tokens should expire just the same as regular client token correct?

I've set this up in AuthServiceProvider for testing:

Passport::tokensExpireIn(Carbon::now()->addMinute());
Passport::refreshTokensExpireIn(Carbon::now()->addMinute());

Yet I'm still authenticated well after that token should have been expired. Carbon is set up correctly, as I can output Carbon::now() directly as 2016-08-18 16:32:07.

I just noticed in the database the expires_at column is being written as: 2116-08-18 16:09:38. Very strange, all personal tokens seem to be adding 100 years.

Personal Token by Query Parameter

Is there a way to do this with the current code if I request input of a parameter and pass it something like passport.dev?token=personalToken ?

I couldn't figure out how to check if a token is valid or not, was going to implement a custom middleware for this. I have an old intranet app that doesn't work very well passing Header information for the documented Authorization Bearer method.

vue components not parsing json in passport demo

I'm very new to VueJS so forgive me if I've missed something obvious. I've set up the Laravel passport project in a fresh Laravel 5.3 install, and it's all working great except that the Vue components need to have an explicit JSON.parse() call wherever they do a $http.post(). e.g. Line 260 of resources/assets/js/components/passport/Clients.Vue

getClients() {
  this.$http.get('/oauth/clients')
    .then(response => {
      this.clients = JSON.parse(response.data);
    });
},

My guess is, there's some interceptor somewhere that's supposed to do this for you? Maybe I'm missing an npm dependency?

Once I do the JSON.parse fix to the 3 passport Vue components, everything works fine. If I don't do this, I get all sorts of JS errors and weird issues with rendering.

Integer is too small

Hi Taylor,
Small niggle, but the user_id columns being a regular integer is causing problems when using longer user_ids like the ones generated from apps like Facebook.

I've created a migration to change them to bigIntegers but it would be nice if they used big integers right out of the box.

Throttles

Hi, I just implemented throttling on my JWT API server, using the ThrottlesLogins trait and overriding some methods. I think it would be a good idea if Passport also had a ThrottlesLogins feature.

Your requirements could not be resolved to an installable set of packages.

Hi,

I've just downloaded the latest rc of 5.3 (using laravel new --dev) and I'm trying to install passport, but I'm getting the following:

Problem 1
- Installation request for laravel/passport ^0.2.4 -> satisfiable by laravel/passport[v0.2.4].
- laravel/passport v0.2.4 requires illuminate/auth ~5.3 -> satisfiable by illuminate/auth[5.3.x-dev, 5.4.x-dev] but these conflict with your requirements or minimum-stability.

Is there some issue with versions that needs to be fixed in the composer.json for either passport or 5.3 or am I just going about this the wrong way?

Thanks,

Jamie

revokeOtherAccessTokens does not revoke/delete Refresh Tokens

I am using the password grant. When I request a new access token, all existing access tokens are revoked / deleted.

But the refresh tokens for the revoked access tokens are not revoked / deleted. So you end up with lots of not-revoked refresh tokens pointing to non-existent or revoked access tokens in your database (depending on Passport::pruneRevokedTokens(); ).

As an aside: see #83 - I think an option to allow multiple access tokens for one client_id would be really nice (say iPad, iPhone and Android logged in at the same time)!
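An added example, not Passport's own code: one way to find and revoke the leftover refresh tokens described above, run here against an in-memory SQLite database. The table and column names follow Passport's token tables as an assumption (trimmed to the columns the query needs), and every row is constructed sample data.

```php
<?php
// Added example, not Passport code. Assumed schema: oauth_access_tokens(id, revoked)
// and oauth_refresh_tokens(id, access_token_id, revoked); all rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE oauth_access_tokens (id TEXT PRIMARY KEY, user_id INTEGER, revoked INTEGER)');
$db->exec('CREATE TABLE oauth_refresh_tokens (id TEXT PRIMARY KEY, access_token_id TEXT, revoked INTEGER)');
$db->exec("INSERT INTO oauth_access_tokens VALUES ('at-old', 7, 1), ('at-new', 7, 0)");
// rt-pruned points at an access token row that has already been deleted.
$db->exec("INSERT INTO oauth_refresh_tokens VALUES
    ('rt-old', 'at-old', 0), ('rt-new', 'at-new', 0), ('rt-pruned', 'at-gone', 0)");

// Refresh tokens still marked live whose access token is revoked or missing.
function findDanglingRefreshTokens(PDO $db): array
{
    $sql = 'SELECT r.id FROM oauth_refresh_tokens r
            LEFT JOIN oauth_access_tokens a ON a.id = r.access_token_id
            WHERE r.revoked = 0 AND (a.id IS NULL OR a.revoked = 1)
            ORDER BY r.id';

    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Mark the given refresh tokens as revoked; returns the number of rows changed.
function revokeRefreshTokens(PDO $db, array $ids): int
{
    if ($ids === []) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("UPDATE oauth_refresh_tokens SET revoked = 1 WHERE id IN ($marks)");
    $stmt->execute($ids);

    return $stmt->rowCount();
}

$dangling = findDanglingRefreshTokens($db);
echo 'dangling: ' . implode(', ', $dangling) . PHP_EOL;
echo 'revoked:  ' . revokeRefreshTokens($db, $dangling) . PHP_EOL;
echo 'left:     ' . count(findDanglingRefreshTokens($db)) . PHP_EOL;
```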

Laravel Passport Personal Token failing Validation (exp=0)

I'm trying to create a Personal Access Token to use on Postman.

I followed the same steps as the video from "What's new in Laravel 5.3" where Taylor does that, but I keep getting "Unauthorized" on Postman...

By copying and pasting the generated token on jwt.io, I'm getting "exp" value = 0. Trying to get to the root of the error, I found out that on the "validation" process, it fails exactly on the "exp" validation.

Does anyone have any idea what is happening?

My topic on Laracasts:
https://laracasts.com/discuss/channels/laravel/laravel-passport-personal-token-failing-validation-exp0

Another user with the same problem:
https://laracasts.com/discuss/channels/laravel/laravel-passport-and-postman-gets-all-the-time-unauthorised
