I just installed Passport and added Passport::routes() to my serviceprovider. It gave me these routes /oauth/token POST, /oauth/tokens GET, /oauth/token/{Token_id} DELETE.
I am using Password Grant Tokens for authentication(https://laravel.com/docs/5.6/passport#password-grant-tokens)
I ran the POST request to make a new token and it created the token just fine. But when I try to run the GET to see all the token, it returns an empty array. I have around 10 tokens already generated in my DB.
Shouldn't I be getting a list of all the oauth tokens that's stored in the database?
If not, Is there a way to index all the tokens for admin use?
The GET /oauth/tokens route returns all tokens for the currently authenticated user only, not all users.
To get all tokens, with their associated users, you can use the following.
\Laravel\Passport\Token::with('user')->get()
Related
Previously I generated the auth token based on the user credentials and it was worked fine.
I need to generate the token for guest users in which I did not have the credentials.
So I followed token generation using custom claims in JWT. Using this link I implemented.
When I try to access the apis using the custom claims token I am getting 401 unauthorized error.
I am using the previous auth system in which token is generated using the user credentials and also I need the custom claims token also to work.
Any help would be appreciated.
Check the guard on the middleware that control your route or the resource you are trying to access.
I have started a PHP project (A Project Management Item Tracking Tool) using an API centric approach and have made a fairly good start.
I have created 2 GET the methods so far I want to restrict access but don't know where to start.
In the context of my database
Project is the container that encapsulates different actionitems.
Actionitems are 'assigned' to a user.
Users exist in a database.
Roles as assigned to a user. (User, Admin, Super)
User can only update their own item
Admin had create and update privilege
Super has total administrative privilege
My question is: Where should I start in PHP to only allow
accessing the api via proper users, either via a login api, or some
other means? Any help to get started would get me going.
To start I have successfully created an endpoint to access access resource (actionitems) using a JSON string to test the response.
Existing Endpoints I want to restrict
GET /api/actionitems/
With a general structure to access specific resources within a table as follows:
GET /api/actionitems/4
Note additional api endpoints should be accessed as follows
each route as up to 3 route tokens (following the /api/)
GET /api/users/123/actionitems (get all actionitems for user 123)
GET /api/users/123/actionitems?<more-filers> applies further filtering
You need to handle authentication and authorization for your APIs.
These are very basic steps to understand the solution:
Client calls login API using user credentials(username, password).
Server authenticates user credentials and generates a token.
Server stores this token in database against authenticated user id and responds to client.
Server already has authorization role rights to access different APIs associated with this authenticated user in database.
Client calls resource APIs using token provided by login API.
Server verify token in database and fetch user and user role rights against this token for authorization.
Resource APIs authorize and provides required data or perform actions according to authenticated user role rights.
There are multiple ways to achieve this in standardize way:
3 Common Methods of API Authentication Explained
JSON Web Token
oAuth2.0
You probably want to look at JWT tokens
https://jwt.io/
Here's some quick informations
An API with a token is stateless, you have to send the token on every request , generally in the Authorization Header, the token can contain a payload with some data like the user id the creation and expiration time.
On the server side, when you receive a token with a request you can just find the user id inside the payload and find the corresponding user in the database.
Since the token cannot be modified without the private key you can trust the data you receive.
Then you can just check if the user has some Admin or Super admin roles or if the item belongs to him and send the correct response.
Note: The payload inside the token is public meaning that everyone can read it, don't put any sensive informations.
If you want to use some long term authentication you can use refresh token with jwt tokens, they are stored in the database and can be used to create a new jwt token.
Hope this can help.
I have read some tutorials and video tutorials and they explain how to create a api_token.
I know that I have to change the AuthController and I have to add a new field which it is api_token when a new user registers. I know that I have to add auth middleware in the routes, etc.
But what I dont understand is this...
1) A new user registers in the app.
2) The app create to the user an api_token automaticly.
but I wonder how this user will know which it is its api token because if this user turns off the computer and then it returns to the app how will this user know what it is its api token again? because he will not register again.
Thanks.
Have a look at Laravel Passport. Laravel Passport uses for instance an OAuth autherization. If you log in your application you get an access token and a refresh token. The access token is self explaining you basically get access to the application, the refresh token does refresh you access after a specific amount of time that value is typically written in a configuration file.
I am using an OAuth plugin for cakephp (thomseddon/cakephp-oauth-server) which am having some issues with at them moment.
I want to be able to allow access to my cakephp Rest with two calls
provision - This just adds in a Client id into my table
auth - using grant_type password I send over grant_type, username, password and client_id and return a access token.
Both these actions seem to be in working order and I am getting an access token back the problem is after I gain access I am still being kicked out by cakephp and redirected to the login page when I try an access one of the rest actions.
For example once I have an access key I send up a request to http://customer-server-2.dev/api/documents.json?access_token=xxxxxxxxxxxxxxxx
At this point I should have access because the access token is correct and works fine - but I don't I get redirected to the login in page.
If anyone can help me with this I would be eternally grateful.
There might be two problems
Your access token may be expired.Get a new access token and check
Check your scope when you are getting access token
I am developing a web application in Laravel. Now I'm in the process of creating an android app. I need to create a web service (back end) in Laravel, but I don't know how to manage the sessions (auth) in the request.
My idea is to create a unique token for every session, and store it in a database. So, every request need the token be included, and my backend will check if the token is valid or not.
How can I modify the login functionality that comes with Laravel 5.0 to create an return the token?
I read the documentation and some articles in the internet, but it is still not clear to me.
You can create a token during registration of the app which should correspond with the user id. This token will be used together with the user id anytime you call any of your api's to authenticate the user.
You can create a filter named custom_authentication and check for the token validity inside that filter. Now just apply this filter before every routes, which you want to be authenticated.
Using only simple authentication token is not very secure, you need to go with HTTPS always.
If you want to make the API secure with HTTP, you might have to implement OAuth with the help of packages like this.