I am currently developing an API that I plan to secure using oauth2.

I have chosen: https://github.com/lucadegasperi/oauth2-server-laravel/

I have managed to secure the endpoint (using before=>oauth in my api routes) by following the installation guide, but I am at a loss as to how I am going to be able to authenticate and access the endpoint.

I do understand that you will first need to request an access_token by sending a client_id and client_secret, but what I don't get is where I set those on the oauth server.

I see the oauth controller has endpoints for these like:

http://somedomain.com/oauth/authorize

http://somedomain.com/oauth/access_token

But I am clueless with what to do with them. I only managed to arrive at the conclusion that it needs a client_id, client_secret, and stuff about scopes.

Where can I set these values for the api client to use?

Thank you for your help in advance.


1 Answer

I don't know Laravel, but in general, the authorization endpoint (in your case, http://somedomain.com/oauth/authorize) behaves as described in RFC 6749.

The specification defines four flows. If you use the Authorization Code Flow among them, you should access the authorization endpoint with the following request parameters.

  1. response_type=code (required)
  2. client_id={your-client-id} (required)
  3. scope={space-delimited-scope-names} (optional)
  4. redirect_uri={your-redirect-uri} (conditionally optional)
  5. state={any-arbitrary-string} (optional)

For example,

http://somedomain.com/oauth/authorize?response_type=code&client_id=your-client-id&scope=profile+email

The authorization endpoint generates an authorization code and returns it to your browser.

The next step is to access the token endpoint (in your case, http://somedomain.com/oauth/access_token) with the authorization code that was issued by the authorization endpoint, like this:

POST
http://somedomain.com/oauth/access_token?grant_type=authorization_code&code=issued-authorization-code&client_id=your-client-id&client_secret=your-client-secret

Anyway, I recommend you read RFC 6749.
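As an added client-side example (not code from the question, the answer or the oauth2-server-laravel project), the Python below builds the three messages of the flow described above against the two endpoints the answer names: the authorize URL, the check on the redirect back (the state value must match, which guards the callback against CSRF), and the token request, which sends client_secret in the POST body rather than the query string as RFC 6749 recommends. The client id, secret, redirect URI and callback URL are constructed sample values.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints exactly as named in the answer; everything else here is constructed.
AUTHORIZE_ENDPOINT = "http://somedomain.com/oauth/authorize"
TOKEN_ENDPOINT = "http://somedomain.com/oauth/access_token"


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session (CSRF protection)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Step 1: URL the browser is sent to. scope is space-delimited (RFC 6749 3.3)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str, redirect_uri: str) -> str:
    """Step 2: the server redirects back to redirect_uri with ?code=...&state=...
    Accept the code only if it arrived at our redirect URI carrying our state."""
    parsed = urlparse(callback_url)
    qs = parse_qs(parsed.query)
    if parsed._replace(query="", fragment="").geturl() != redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a stale login attempt")
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code: str, client_id: str, client_secret: str, redirect_uri: str):
    """Step 3: exchange the code at the token endpoint. The secret travels in the POST
    body, not the query string, so it stays out of access logs (RFC 6749 2.3.1)."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    })
    return TOKEN_ENDPOINT, {"Content-Type": "application/x-www-form-urlencoded"}, body
```

Hand the tuple from build_token_request to any HTTP client as a POST; the JSON response carries the access_token the API routes then expect.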