21
votes

I did an API REST with Laravel and now I'm trying to consume it. The thing is I need to authenticate users in the API and I am using the Password Grant method. I can authenticate users correctly and I can get an access token but from then, I don't see a way to retrieve the authenticated user with the access token in my consuming application.

I tried in the API with a route like this:

Route::get('/user', function(Request $request) {
    $user = $request->user();
    // Even with
    $user = Auth::user();

    return $user;
});

No dice. I am reading Passport code but I can't figure it out. My guess is that I would need to specify a new guard type or something because It doesn't seem that Laravel Passport provides one for this kind of grant type...

To clarify things:

  • I have an API REST application, which is the oAuth2 Server.
  • I have another application consuming the API REST.
  • I do know the workflow. In my case, with Password Grant, I get the user credentials in my consumer application, then I make a request to /oauth/token specifying the grant_type to password, I provide the user credentials along with my client credentials, which I am sure they were generated with "php artisan passport:client --password" (note the --password option)
  • I can get the access token with no problems. What I need now, is to get a JSON representation of the user I just authenticated from the API REST. But here is the problem: I just have an access token. Nothing I can relate with the user.

Or can I? Maybe I can extend the method that authenticates password grant requests to relate the generated access token to the user it is authenticating... *light bulb turns on*

Consuming application test code:

try {
    $client = new Client();
    $result = $client->post('https://myapi.com/oauth/token', [
        'form_params' => [
            'grant_type' => 'password',
            'client_id' => '5',
            'client_secret' => 'my_secret',
            'username' => 'user_I_am_authenticating',
            'password' => 'the_user_password',
            'scope' => '',
        ]
    ]);
    $access_token = json_decode((string) $result->getBody(), true)['access_token'];
    $result = $client->get('https://myapi.com/client/user', [
        'headers' => [
            'Content-Type' => 'application/json',
            'Accept' => 'application/json',
            'Authorization' => "Bearer $access_token",
        ]
    ]);

    return (string) $result->getBody();
} catch (GuzzleException $e) {
    return "Exception!: " . $e->getMessage();
}

Note that https://myapi.com/client/user route is just a route I made for testing in the API. That route is defined as:

Route::get('/user', function(Request $request) {
    return $request->user();
});

Now. I know this is not working. This is what I want to achieve. Know the user making the request given the access_token/bearer_token.

3
What the... I can't say "hello" or "hi there" in my post! hahaAsier Paz
Would you add the client-side code and the error you receive? Is it 404?Mina Abadir
I can add the code. But as I said, I am not having any error. I make a request to wichever route in the API I want, the thing is that in my API route I want to know in wich user behalf the client is making the request.Asier Paz
You mean, you want to know the Logged in user?Mina Abadir
Yes. The consuming application is using a grant type that is much like client_credentials. That means that the application is making requests on its own behalf. But for users, there is the authorization method, and the password grant. These make requests on the authorized user's behalf.Asier Paz

3 Answers

24
votes

You forgot the appropriate middleware.

Route::get('/user', function(Request $request) {
    return Auth::user();
})->middleware('auth:api');

The authentication flow is not fired when you don't mention the auth middleware. That's why you get null.

20
votes

I had the same problem with you. And i solved it after I manually defined the auth guard.

Route::get('/user', function (Request $request) {
  return auth()->guard('api')->user();
});
4
votes

You need to pass the Access token back with every request. Please check the documentation for this part here