So I am currently developing a web app that will use the Laravel API for future mobile use, and Laravel Passport. My Passport is set up to where I used Postman to log in, register, and delete an account, the usual functions. The Laravel API also works independently, as I can make the requests from my routes.
Using Passport, I log in, and it returns a token, which, if I am correct, is the token that will be used for the API. Now upon creating the API, which will be accepting the forms/parameters to the main function for my app, how do I use the token I received from Passport with the API?
In the request to the API do I need to ask for the user's token, and if so, how do I check that it's a token that can be used from my application? It's this middle part of connecting them I cannot understand, as I can make Passport work by itself, and the Laravel API by itself, where I'm just sending the POST/GET requests from Postman and getting my JSON responses that I'll use later for my JS frontend.
In config/auth.php replace api -> driver with password, and consequently you can use the same Auth::user() method to log in through Password API tokens. Don't forget to pass the token as the Authorization header from the front-end side with the key Bearer.
You just need to install Passport and then you will get the client secret key.
Then you need to call the API using the Passport default route like http://192.000.0.000:8000/oauth/token with some parameters like:
client_id = 1,
client_secret = xxxxxxxxxxxxxxxx,
grant_type = client_credentials
username = hanna.stracke#example.org
password = secret
scope = *
Then hit the URL and you will get "access_token". Using access_token you will log in the user.
Thanks,
I am creating a new rest API using Laravel 5.6. For API authorization, I have implemented Passport and it is working fine.
However, I want a system where anyone who wants to access any route of my API, including register and login, requires a token.
I am thinking in this way but am not so sure how I can implement it in Laravel.
I will issue one static token and will store it in the database.
I will encrypt that token and will provide it to the client, in my case the mobile app.
On the mobile side I will store the token in shared preferences so no one will have direct access.
When the mobile app sends a request to access any route of the API, it has to pass the token in the header with a custom key.
The API will decrypt the token and match it with the database one.
If it matches, that will allow accessing the API.
Then later I may use the Passport token to add an additional layer of security.
My question is, how do I implement this system in Laravel so I don't have to write code for every request and all requests pass through this validation?
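One way to do the "written once, applied to every route" check the question asks for, as an added example that is not code from the question or any answer: a middleware registered on a route group. It assumes a shared application token whose SHA-256 hex digest is stored in config/services.php (key and header name are placeholders), so the middleware never holds the plaintext token itself.

```php
<?php
// Added example (not from the question): require a shared application token on
// every API request via one middleware applied to the whole route group.
// Assumes config('services.mobile.app_token_sha256') holds the hex SHA-256 of the
// token handed to the mobile app, and the app sends it in the X-App-Token header.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequireAppToken
{
    public function handle(Request $request, Closure $next)
    {
        $presented    = $request->header('X-App-Token');                 // custom header key
        $expectedHash = config('services.mobile.app_token_sha256');      // stored as a hash, not plaintext

        // Constant-time comparison of the hashes: a wrong token is rejected before any
        // controller runs, and the presented value is never logged or echoed back.
        if (!is_string($presented) || !is_string($expectedHash)
            || !hash_equals($expectedHash, hash('sha256', $presented))) {
            return response()->json(['message' => 'Unauthorized'], 401);
        }

        return $next($request);
    }
}

// app/Http/Kernel.php: register the alias once ...
//   protected $routeMiddleware = [
//       /* ... */
//       'app.token' => \App\Http\Middleware\RequireAppToken::class,
//   ];
//
// routes/api.php: ... and apply it to the group that holds register and login too.
// Passport (auth:api) can then be stacked as the second, per-user layer.
//   Route::middleware('app.token')->group(function () {
//       Route::post('/register', 'Auth\RegisterController@register');
//       Route::post('/login',    'Auth\LoginController@login');
//       Route::middleware('auth:api')->get('/profile', function () {
//           return auth()->user();
//       });
//   });
```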
I started with an API inside Laravel with the JWT package; another Laravel frontend installation should be able to log in to this Laravel API, but I'm not really sure how to handle this the right way.
My setup is like this:
Laravel API -> receives POST login -> returns a token and a user model -> Laravel frontend receives this data
But then what? How would I 'auth' the right way inside the Laravel frontend part?
Just set my own sessions and check that way? Any suggestions would be nice! :)
First you authenticate with the Laravel API, performing the POST request as you mentioned. This should provide you with your JWT or access_token, along with a refresh token.
You then append this token to your requests in the Authorization header.
So the key is Authorization and the value will be Bearer <access_token>.
Finally your routes must have the correct middleware to require a valid token, for example the auth middleware.
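The flow described in the answers to the first and third questions above (Passport guard in config/auth.php, a token obtained from /oauth/token, then sent as Authorization: Bearer to routes behind the auth middleware), as an added example that is not code from any of the answers. It assumes Passport is installed with a password-grant client, Laravel 7+ for the Http facade, and the placeholder URL and credentials shown.

```php
<?php
// Added example (not from any answer above): Passport guard + protected routes,
// plus a client that gets a token and sends it as "Authorization: Bearer <token>".
// Assumes: php artisan passport:install, a client from passport:client --password,
// Laravel 7+ (Http facade). URL, user and env keys are placeholders.

// --- config/auth.php (fragment): the "api" guard uses the "passport" driver ---
// 'guards' => [
//     'web' => ['driver' => 'session',  'provider' => 'users'],
//     'api' => ['driver' => 'passport', 'provider' => 'users'],
// ],

// --- routes/api.php: requests without a valid token get 401 before any closure runs ---
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:api')->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();                       // resolved from the Bearer token, no session
    });
    Route::post('/items', function (Request $request) {
        $data = $request->validate(['title' => 'required|string|max:100']);
        return ['owner_id' => $request->user()->id, 'title' => $data['title']];
    });
});

// --- client side (a JS frontend or a second Laravel app makes the same two calls) ---
$apiBase = 'https://api.example.test';                 // placeholder

// 1. Exchange the user's credentials for an access token (password grant).
$accessToken = Http::asForm()->post("$apiBase/oauth/token", [
    'grant_type'    => 'password',
    'client_id'     => env('PASSPORT_CLIENT_ID'),      // printed by passport:client --password
    'client_secret' => env('PASSPORT_CLIENT_SECRET'),  // keep server-side, never in the JS bundle
    'username'      => 'user@example.test',            // placeholder user
    'password'      => 'user-password',
    'scope'         => '',
])->throw()->json('access_token');

// 2. Call the protected route; withToken() sets "Authorization: Bearer <token>".
$item = Http::withToken($accessToken)
    ->post("$apiBase/api/items", ['title' => 'first item'])
    ->throw()
    ->json();
```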
I am implementing an API in Laravel.
What I want is that my API should not be accessible from anywhere except from the Android/iOS app. I googled and came to know that I can make use of an API KEY.
But I am not sure whether it is the correct way or not.
Currently using OAuth2 for user authentication.
Please help.
What you want to do is to create a token for each user, save it on the client's device, and verify it in each request that the client makes.
So basically you want to:
Make a column for the token in the users table
generate the token when the user registers
make a login route so that the user would log in with his email and password, and he will get back the token to store on the device
make a middleware that would check for the token in each request (except for the login)
I wrote an article on the exact same thing you want:
https://medium.com/#alhasaniq/how-to-add-token-based-authentication-to-laravel-app-s-to-use-in-api-s-1a0e45f9106#.15e3f9quu
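The four steps above (token column, token issued to the user, login route that hands it back, a check on every request), as an added example that is neither the answer's nor the linked article's code. It assumes a nullable, unique users.api_token column added by a migration, and issues a fresh token at each login so that only a hash ever has to be stored; the guard name is an assumption.

```php
<?php
// Added example (not the answer's or the article's code): per-user API tokens.
// Assumes a users.api_token string column (nullable, unique). Only the SHA-256
// of the token is stored, so a leaked table cannot be replayed as a credential.

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class TokenController extends Controller
{
    // POST /api/login {email, password} -> {token}; the plaintext goes to the device once.
    public function login(Request $request)
    {
        $data = $request->validate(['email' => 'required|email', 'password' => 'required']);
        $user = User::where('email', $data['email'])->first();

        // Same response for unknown email and wrong password, so the API does not
        // reveal which accounts exist.
        if (!$user || !Hash::check($data['password'], $user->password)) {
            return response()->json(['message' => 'Invalid credentials'], 401);
        }

        $plain = Str::random(60);                                   // new token on every login
        $user->forceFill(['api_token' => hash('sha256', $plain)])->save();

        return response()->json(['token' => $plain]);
    }
}

// app/Providers/AuthServiceProvider.php, inside boot(): a request-based guard.
// With 'api' => ['driver' => 'token-hash', 'provider' => 'users'] in config/auth.php,
// every route under Route::middleware('auth:api') is checked without per-route code.
//   use Illuminate\Support\Facades\Auth;
//   Auth::viaRequest('token-hash', function (Request $request) {
//       $token = $request->bearerToken();           // "Authorization: Bearer <token>"
//       if (!$token) {
//           return null;                            // no user -> auth middleware answers 401
//       }
//       return User::where('api_token', hash('sha256', $token))->first();
//   });
```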
What I am trying to do ?
I am trying to build an API for online flight booking so that other travel agencies can use that API. It has functions to search for flights, show the search results, book the flight and take online payment. So, for the authorization I am planning to use OAuth. When the user visits the travel agency site they can search, book the flight and make a payment. Here, they don't have to authenticate for searching and booking, but payment is done using a third party. What I am trying to do is that when the user is using the API they don't need authentication, but we should authorize whether the user is from a valid site or not, so I am using the OAuth grant type client credentials.
What I have done ?
I am trying to use the Laravel package lucadegasperi/oauth2-server-laravel for OAuth. I have successfully installed the package in my project and done the configuration according to the information provided here: https://github.com/lucadegasperi/oauth2-server-laravel/wiki. I have tested getting an access token using the Chrome extension Postman.
What I am confused about ?
If I share the client_id and client_secret on the client side then any other user can use that client id and client secret and use our API. How can I generate the access token after the user submits the search button and use that token for the other processes like showing search results, booking etc.?
So, my questions are:
Am I using the right grant type for authorization? If not, which will be suitable for this?
How can I use client_id and client_secret so that we can authorize the site securely?
You can write a wrapper application that will contain your Client_Id and Client_secret, and your wrapper application will manage the access token as well.
The idea is:
Whenever any request comes to your wrapper, it will look whether an access token exists in the cache; if yes, it takes that token, makes the final request to your application and grabs the data based on your token.
If the token doesn't exist in the cache then the wrapper app will make a token request based on your Client_id and Client Secret, get a token and store the token for the next call.
This way, your application does not expose your credentials and token publicly.
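The wrapper the answer describes, as an added example that is not the answer's code: the client credentials stay in the agency's backend, the access token is cached, and a new one is requested only when the cache is empty. It assumes Laravel 7+ with PHP 8 (Http facade, constructor promotion) and placeholder URLs and config values.

```php
<?php
// Added example (not the answer's code): server-side wrapper that keeps client_id
// and client_secret out of the browser and caches the client-credentials token.
// Assumes Laravel 7+ / PHP 8; apiBase, clientId and clientSecret come from config.

namespace App\Services;

use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;

class FlightApiWrapper
{
    private const TOKEN_CACHE_KEY = 'flight_api.access_token';

    public function __construct(
        private string $apiBase,        // e.g. https://flights-api.example.test (placeholder)
        private string $clientId,       // read from config/env on the server, never sent to the browser
        private string $clientSecret
    ) {}

    // Called by the agency's own backend (e.g. its POST /search handler), not by the browser.
    public function search(array $criteria): array
    {
        return Http::withToken($this->accessToken())                  // "Authorization: Bearer <token>"
            ->get("{$this->apiBase}/api/flights/search", $criteria)   // placeholder API route
            ->throw()
            ->json();
    }

    private function accessToken(): string
    {
        // Reuse the cached token; fetch a new one only when none is cached (or it expired).
        return Cache::get(self::TOKEN_CACHE_KEY) ?? $this->fetchToken();
    }

    private function fetchToken(): string
    {
        $response = Http::asForm()->post("{$this->apiBase}/oauth/token", [
            'grant_type'    => 'client_credentials',
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'scope'         => '',
        ])->throw()->json();

        // Cache a little shorter than expires_in so an already-expired token is never reused.
        $ttlSeconds = max(60, (int) $response['expires_in'] - 60);
        Cache::put(self::TOKEN_CACHE_KEY, $response['access_token'], $ttlSeconds);

        return $response['access_token'];
    }
}
```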
I have some code that will let the user log in via LinkedIn using the OAuth v1 API. That returns two keys back to me, which are the user token and user secret.
I have tried using them with the v2 API but it seems as though it wants oauth2_access_token.
Is there any way to use the user token and user secret to make API calls?
If not, is there a way to convert the user token and user secret to the new oauth2_access_token needed for v2?
If not, is there any way to have v2 check to see if the user has authenticated the app and return the new v2 key?
If you have already set up OAuth v1 authentication successfully, I would suggest you stick to it, as LinkedIn will be supporting both authentication schemes moving forward. You can use all of the API functions with both authentication schemes. I don't see any reason to rewrite your authentication scheme.