mf

Set Up an OAuth2 Server Using Passport in Laravel

Leave a Comment / By /

In this article, we’re going to explore how you could set up a fully fledged OAuth2 server in Laravel using the Laravel Passport library. We’ll go through the necessary server configurations along with a real-world example to demonstrate how you could consume OAuth2 APIs.

I assume that you’re familiar with the basic OAuth2 concepts and flow as we’re going to discuss them in the context of Laravel. In fact, the Laravel Passport library makes it pretty easy to quickly set up an OAuth2 server in your application. Thus, other third-party applications are able to consume APIs provided by your application.

In the first half of the article, we’ll install and configure the necessary libraries, and the second half goes through how to set up demo resources in your application and consume them from third-party applications.

Server Configurations

In this section, we’re going to install the dependencies that are required in order to make the Passport library work with Laravel. After installation, there’s quite a bit of configuration that we’ll need to go through so that Laravel can detect the Passport library.

Let’s go ahead and install the Passport library using composer.

$composer require laravel/passport

That’s pretty much it as far as the Passport library installation is concerned. Now let’s make sure that Laravel knows about it.

Working with Laravel, you’re probably aware of the concept of a service provider that allows you to configure services in your application. Thus, whenever you want to enable a new service in your Laravel application, you just need to add an associated service provider entry in the config/app.php.

If you’re not aware of Laravel service providers yet, I would strongly recommend that you do yourself a favor and go through this introductory article that explains the basics of service providers in Laravel.

In our case, we just need to add the PassportServiceProvider provider to the list of service providers in config/app.php as shown in the following snippet.

...
...
'providers' => [

        /*
         * Laravel Framework Service Providers...
         */
        IlluminateAuthAuthServiceProvider::class,
        IlluminateBroadcastingBroadcastServiceProvider::class,
        IlluminateBusBusServiceProvider::class,
        IlluminateCacheCacheServiceProvider::class,
        IlluminateFoundationProvidersConsoleSupportServiceProvider::class,
        IlluminateCookieCookieServiceProvider::class,
        IlluminateDatabaseDatabaseServiceProvider::class,
        IlluminateEncryptionEncryptionServiceProvider::class,
        IlluminateFilesystemFilesystemServiceProvider::class,
        IlluminateFoundationProvidersFoundationServiceProvider::class,
        IlluminateHashingHashServiceProvider::class,
        IlluminateMailMailServiceProvider::class,
        IlluminateNotificationsNotificationServiceProvider::class,
        IlluminatePaginationPaginationServiceProvider::class,
        IlluminatePipelinePipelineServiceProvider::class,
        IlluminateQueueQueueServiceProvider::class,
        IlluminateRedisRedisServiceProvider::class,
        IlluminateAuthPasswordsPasswordResetServiceProvider::class,
        IlluminateSessionSessionServiceProvider::class,
        IlluminateTranslationTranslationServiceProvider::class,
        IlluminateValidationValidationServiceProvider::class,
        IlluminateViewViewServiceProvider::class,

        /*
         * Package Service Providers...
         */
        LaravelTinkerTinkerServiceProvider::class,

        /*
         * Application Service Providers...
         */
        AppProvidersAppServiceProvider::class,
        AppProvidersAuthServiceProvider::class,
        AppProvidersBroadcastServiceProvider::class,
        AppProvidersEventServiceProvider::class,
        AppProvidersRouteServiceProvider::class,
        LaravelPassportPassportServiceProvider::class,
],
...
...

Next, we need to run the migrate artisan command, which creates the necessary tables in a database for the Passport library.

$php artisan migrate

To be precise, it creates following the tables in the database.

oauth_access_tokens
oauth_auth_codes
oauth_clients
oauth_personal_access_clients
oauth_refresh_tokens

Next, we need to generate a pair of public and private keys that will be used by the Passport library for encryption. As expected, the Passport library provides an artisan command to create it easily.

$php artisan passport:install

That should have created keys at storage/oauth-public.key and storage/oauth-private.key. It also creates some demo client credentials that we’ll get back to later.

Moving ahead, let’s oauthify the existing User model class that Laravel uses for authentication. To do that, we need to add the HasApiTokens trait to the User model class. Let’s do that as shown in the following snippet.



The HasApiTokens trait contains helper methods that are used to validate tokens in the request and check the scope of resources being requested in the context of the currently authenticated user.


Further, we need to register the routes provided by the Passport library with our Laravel application. These routes will be used for standard OAuth2 operations like authorization, requesting access tokens, and the like.


In the boot method of the app/Providers/AuthServiceProvider.php file, let's register the routes of the Passport library.


...
...
/**
  * Register any authentication / authorization services.
  *
  * @return void
  */
public function boot()
{
    $this->registerPolicies();
    
    Passport::routes();
}
...
...


Last but not least, we need to change the api driver from token to passport in the config/auth.php file, as we're going to use the Passport library for the API authentication.


'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],


So far, we've done everything that's required as far as the OAuth2 server configuration is concerned.


Set Up the Demo Resources


In the previous section, we did all the hard work to set up the OAuth2 authentication server in our application. In this section, we'll set up a demo resource that could be requested over the API call.


We will try to keep things simple. Our demo resource returns the user information provided that there's a valid uid parameter present in the GET request.


Let's create a controller file app/Http/Controllers/UserController.php with the following contents.


get("uid", 0);
      $user = User::find($user_id);
      return $user;
    }
}


As usual, you need to add an associated route as well, which you are supposed to add in the routes/web.php file. But what we are talking about is the API route, and thus it needs special treatment.


The API routes are defined in the routes/api.php file. So, let's go ahead and add our custom API route as shown in the following snippet.


get('/user', function (Request $request) {
    return $request->user();
});

// custom API route
Route::middleware('auth:api')->get('/user/get', 'UserController@get');


Although we've defined it as /user/get, the effective API route is /api/user/get, and that's what you should use when you request a resource over that route. The api prefix is automatically handled by Laravel, and you don't need to worry about that!


In the next and last section, we'll discuss how you could create client credentials and consume the OAuth2 API.


How to Consume OAuth2 APIs


Now that we've set up the OAuth2 server in our application, any third party can connect to our server with OAuth and consume the APIs available in our application.


First of all, third-party applications must register with our application in order to be able to consume APIs. In other words, they are considered as client applications, and they will receive a client id and client secret upon registration.


The Passport library provides an artisan command to create client accounts without much hassle. Let's go ahead and create a demo client account.


$php artisan passport:client
Which user ID should the client be assigned to?:
 > 1

 What should we name the client?:
 > Demo OAuth2 Client Account

 Where should we redirect the request after authorization? [http://localhost/auth/callback]:
 > http://localhost/oauth2_client/callback.php

New client created successfully.
Client ID: 1
Client secret: zMm0tQ9Cp7LbjK3QTgPy1pssoT1X0u7sg0YWUW01


When you run the artisan passport:client command, it asks you a few questions before creating the client account. Out of those, there's an important one that asks you the callback URL.


The callback URL is the one where users will be redirected back to the third-party end after authorization. And that's where the authorization code that is supposed to be used in exchange for the access token will be sent. We are about to create that file in a moment.


Now, we're ready to test OAuth2 APIs in the Laravel application.


For demonstration purposes, I'll create the oauth2_client directory under the document root in the first place. Ideally, these files will be located at the third-party end that wants to consume APIs in our Laravel application.


Let's create the oauth2_client/auth_redirection.php file with the following contents.


 '1',
    'redirect_uri' => 'http://localhost/oauth2_client/callback.php',
    'response_type' => 'code',
    'scope' => '',
));

header('Location: http://your-laravel-site-url/oauth/authorize?'.$query);


Make sure to change the client_id and redirect_uri parameters to reflect your own settings—the ones that you used while creating the demo client account.


Next, let's create the oauth2_client/callback.php file with the following contents.


 'authorization_code',
        'client_id' => '1',
        'client_secret' => 'zMm0tQ9Cp7LbjK3QTgPy1pssoT1X0u7sg0YWUW01',
        'redirect_uri' => 'http://localhost/oauth2_client/callback.php',
        'code' => $_REQUEST['code']
    );

    curl_setopt($ch,CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    $params_string = '';

    if (is_array($params) && count($params))
    {
        foreach($params as $key=>$value) {
            $params_string .= $key.'='.$value.'&';
        }

        rtrim($params_string, '&');

        curl_setopt($ch,CURLOPT_POST, count($params));
        curl_setopt($ch,CURLOPT_POSTFIELDS, $params_string);
    }

    $result = curl_exec($ch);
    curl_close($ch);
    $response = json_decode($result);
    
    // check if the response includes access_token
    if (isset($response->access_token) && $response->access_token)
    {
        // you would like to store the access_token in the session though...
        $access_token = $response->access_token;

        // use above token to make further api calls in this session or until the access token expires
        $ch = curl_init();
        $url = 'http://your-laravel-site-url/api/user/get';
        $header = array(
        'Authorization: Bearer '. $access_token
        );
        $query = http_build_query(array('uid' => '1'));

        curl_setopt($ch,CURLOPT_URL, $url . '?' . $query);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
        $result = curl_exec($ch);
        curl_close($ch);
        $response = json_decode($result);
        var_dump($result);
    }
    else
    {
        // for some reason, the access_token was not available
        // debugging goes here
    }
}


Again, make sure to adjust the URLs and client credentials according to your setup in the above file.


How It Works Altogether


In this section, we'll test it altogether from the perspective of an end user. As an end user, there are two applications in front of you:


    

  1. The first one is the Laravel application that you already have an account with. It holds your information that you could share with other third-party applications.
    2. 

  2. The second one is the demo third-party client application, auth_redirection.php and callback.php, that wants to fetch your information from the Laravel application using the OAuth API.
    3. 



The flow starts from the third-party client application. Go ahead and open the http://localhost/oauth2_client/auth_redirection.php URL in your browser, and that should redirect you to the Laravel application. If you're not already logged into the Laravel application, the application will ask you to do so in the first place.


Once the user is logged in, the application displays the authorization page.


If the user authorizes that request, the user will be redirected back to the third-party client application at http://localhost/oauth2_client/callback.php along with the code as the GET parameter that contains the authorization code.


Once the third-party application receives the authorization code, it could exchange that code with the Laravel application to get the access token. And that's exactly what it has done in the following snippet of the oauth2_client/callback.php file.


$ch = curl_init();
$url = 'http://your-laravel-site-url/oauth/token';

$params = array(
    'grant_type' => 'authorization_code',
    'client_id' => '1',
    'client_secret' => 'zMm0tQ9Cp7LbjK3QTgPy1pssoT1X0u7sg0YWUW01',
    'redirect_uri' => 'http://localhost/oauth2_client/callback.php',
    'code' => $_REQUEST['code']
);

curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$params_string = '';

if (is_array($params) && count($params))
{
    foreach($params as $key=>$value) {
        $params_string .= $key.'='.$value.'&';
    }

    rtrim($params_string, '&');

    curl_setopt($ch,CURLOPT_POST, count($params));
    curl_setopt($ch,CURLOPT_POSTFIELDS, $params_string);
}

$result = curl_exec($ch);
curl_close($ch);
$response = json_decode($result);


Next, the third-party application checks the response of the CURL request to see if it contains a valid access token in the first place.


As soon as the third-party application gets the access token, it could use that token to make further API calls to request resources as needed from the Laravel application. Of course, the access token needs to be passed in every request that's requesting resources from the Laravel application.


We've tried to mimic the use-case in that the third-party application wants to access the user information from the Laravel application. And we've already built an API endpoint, http://your-laravel-site-url/api/user/get, in the Laravel application that facilitates it.


// check if the response includes access_token
if (isset($response->access_token) && $response->access_token)
{
    // you would like to store the access_token in the session though...
    $access_token = $response->access_token;

    // use above token to make further api calls in this session or until the access token expires
    $ch = curl_init();
    $url = 'http://your-laravel-site-url/api/user/get';
    $header = array(
    'Authorization: Bearer '. $access_token
    );
    $query = http_build_query(array('uid' => '1'));

    curl_setopt($ch,CURLOPT_URL, $url . '?' . $query);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    $result = curl_exec($ch);
    curl_close($ch);
    $response = json_decode($result);
    var_dump($result);
}


So that's the complete flow of how you're supposed to consume the OAuth2 APIs in Laravel.


And with that, we’ve reached the end of this article.


Conclusion


Today, we explored the Passport library in Laravel, which allows us to set up an OAuth2 server in an application very easily. 


For those of you who are either just getting started with Laravel or looking to expand your knowledge, site, or application with extensions, we have a variety of things you can study in Envato Market.


Don't hesitate to share your thoughts and queries using the feed below!

Powered by WPeMatico

Leave a Comment

Kate has been so helpful, patient with our constant changes and so professional in all respects. Many thanks and very done!
Club de Golf Javea
Club de Golf JaveaWebsite Redesign
Kate is the person to go to in regards to these matters. Had a lot of problems with my website, errors, payment issues and more. Every problem was resolved quickly and professionally and cannot recommend Kate's company highly enough. Personal and responsive service. 5 Stars!
WowVac Pro
WowVac ProE-Commerce Configuration
Best Developer in Spain! Outstanding web services no matter where you are in the world. Great support and attention to detail. Kate is a real life developer. She can work across multiple platforms and understands the technology your company is using on a line to line basis.
Favicon
Pure Organic CBDWeb development and support
Professional and rapid support for the development and ongoing maintenance of our business website. Nothing too much trouble. Highly recommended.
Cafeciclistalogo
Cafe CiclistaWeb maintenance
Superb service very professional and quick very responsive I was kept informed and consulted throughout the entire process.
Partnerchipz Black
Paul JacksonWeb design & Development
Kate Langshaw of Medianic is awesomely recommended by us for all your website needs. Kate translated our story and brand into an elegant, transparent and to the point representation of CaffèMilano -The Italian Coffee House.
CaffèMilano
CaffèMilanoWeb design and Development
Absolute Class service from Start to finish, nothing is too much hassle for them and will recommend to everybody looking to update or have their website designed by the Amazing Kate Langshaw
Dragon Insure
Dragon InsureWeb design and Development
I have to say that my experience with Medianic has been different to any previous. I have been constantly kept up to date, communication has been fluid, and we had no down time at all.
Dr Banuls
Dr BanulsWeb Hosting
I’m very happy about Kate’s work! Recommend her services to everybody. Looking for a good website builder/designer? Look no further and contact Medianic.
Voice Productions
Voice ProductionsWeb development
On Behalf of all at the Marina Alta Classic Car Club I would like to thank Kate for the wonderful work she did in Kick starting our Club website this year. I can highly recommend her. Thanks Kate
Marina Alta Car Club
Marina Alta Car ClubWeb Design
Excellent knowledge and service, competitive pricing too. Definitely a solid go to company. Thanks for the great results we’ve had
Jim JimneyDesign and Branding
Totally reliable, totally capable and totally delivers. I’m loving working with Kate to help grow my business. I’m full of motivation because of you Kate
Javea Blinds
Javea BlindsWeb Design
I cannot praise Medianic enough. They have built the Javea Connect website quickly and efficiently, taught and old dog new tricks and have been there for me, sometimes within minutes, when I needed help. Excellent service and very very competitively priced. Highly recommended for both website and design work. Kate is to be congratulated on such a high standard of work and customer loyalty.
Javea Connect
Javea ConnectWeb Design & Development
Medianic has done a outstanding job in creating our company website in such a short time at unbeatable prices, rovtec marine services recommended Medianic for their superior skill in Web design, thank you outstanding job!
Rovtech
RovtechWeb Design
The only thing that beat the quality of the work Medianic did for us was how quick and responsive they were whenever we had feedback or needed something extra. Would highly recommend.
Poker Encore
Poker EncoreCustom Programming
Previous
Next

Thank you!

For your kind words...
Scroll to Top