0
votes

I am using:

  • Postman/Insomnia for REST checking
  • Laravel 5.6 with Laravel Passport
  • Vagrant (Apache 2, PHP 7.2)

I completed the whole checklist described in the Laravel docs for Laravel Passport, and after certain steps I receive HTTP 401 for my valid OAuth access token.

  1. Requested a new access token from /oauth/token/ with client_id and client_secret.
  2. Used the received access token to authorize against my simple Laravel REST test controller with the OAuth api middleware included.
  3. The end result is always the same: 401 Unauthorized :(

So, here are some of my configurations:

  • Apache (screenshot)
  • api route (screenshot)
  • Kernel.php (screenshot)
  • PassportServiceProvider.php (screenshot)
  • AuthServiceProvider.php (screenshot)

2
Why are you sharing a screenshot? You can just add the code with your answer. - Shafi
@MASh sorry, I thought that a screenshot is more visual for understanding than a code snippet. - Clark
Then you are in the wrong universe. - Shafi

2 Answers

1
votes

I had a very similar issue too:

The differences between your code and mine: in routes/api.php, I used only auth:api. I didn't create PassportServiceProvider.php in the app folder. In Kernel.php, mine is client, not client_credentials.

I used client_credentials as grant_type in the POST request call. In the result I always got 401.

Until I created a user using Password Grant Client:

php artisan passport:client --password

And changed client_credentials to password in the POST request call:

$http = new GuzzleHttp\Client;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'password',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'username' => 'taylor@laravel.com',
        'password' => 'my-password',
        'scope' => '',
    ],
]);

$access_token = json_decode((string) $response->getBody(), true)['access_token']; 

Put the access token returned in the Bearer of the headers, and it works. And also you can get the current user using $request->user();

If you are using client_credentials as grant_type, it's going through the client middleware, so in the middleware auth:api needs to be removed.

1
votes

This is because Apache does not, by default, pass authorization headers to PHP. You need to edit your Apache site configuration to add a line to Deskpro's directive. Note that this configuration must be added directly to Apache's configuration (e.g., adding it to htaccess will not work):

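<VirtualHost>
# ...
    # Copy the incoming Authorization header into an environment variable that PHP can read
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
# ...
</VirtualHost>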
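
An added diagnostic example covering both answers above (not code from either answer or from Laravel Passport): it reports whether a bearer token reached PHP at all and, if it did, whether the token carries a user. The function names are hypothetical, the sample token is constructed, and it assumes Passport access tokens are JWTs whose sub claim holds the user id.

```php
<?php
// Added example. Find the bearer token in a $_SERVER-style array and report which key carried it.
// REDIRECT_HTTP_AUTHORIZATION is how the variable appears after an internal Apache redirect.
function findBearer(array $server): ?array
{
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (preg_match('/^Bearer\s+(\S+)$/i', trim($server[$key] ?? ''), $m)) {
            return ['source' => $key, 'token' => $m[1]];
        }
    }
    return null; // the header never reached PHP
}

// Decode the JWT payload WITHOUT verifying the signature: diagnosis only, never authorization.
function peekClaims(string $jwt): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $b64 = strtr($parts[1], '-_', '+/');
    $json = base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true);
    $claims = $json === false ? null : json_decode($json, true);
    return is_array($claims) ? $claims : null;
}

function diagnose(array $server): string
{
    $found = findBearer($server);
    if ($found === null) {
        return 'no bearer token reached PHP: check how Apache forwards the Authorization header';
    }
    $claims = peekClaims($found['token']);
    if ($claims === null) {
        return "token arrived via {$found['source']} but is not a three-part JWT";
    }
    if (($claims['exp'] ?? 0) <= time()) {
        return 'token is expired';
    }
    if ((string) ($claims['sub'] ?? '') === '') {
        return 'token has no user (client_credentials grant): auth:api cannot resolve a user';
    }
    return "token for user {$claims['sub']} arrived via {$found['source']}";
}

// Constructed sample token: unsigned, with an empty "sub" as assumed for a client_credentials grant.
$enc = function (array $a) { return rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '='); };
$jwt = $enc(['alg' => 'RS256']) . '.' . $enc(['aud' => '2', 'sub' => '', 'exp' => time() + 3600]) . '.sig';
echo diagnose([]), PHP_EOL, diagnose(['HTTP_AUTHORIZATION' => "Bearer $jwt"]), PHP_EOL;
```

Call diagnose($_SERVER) from a temporary route that has no auth middleware, and remove that route once the cause of the 401 is known.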