Laravel 5.5 - Laravel Passport Correct Grant Type To Use?

1
votes

I have an application where users can register normally via the site and post job vacancies.

I want registered users to be able to post vacancies using my api via a third party multi job posting application i.e. users register on the third party site, they are presented with a form which posts to an api endpoint on my site.

Now my question is how do I implement this using Laravel Passport.

Is the following correct:

  1. I create a passport client for the third party application?

  2. Provide the third party application with their client id and client secret.

  3. When the user submits the form on the third party website they would include their username (email) and password along with the rest of the form data.

  4. The third party application makes a request to (http://my-app.com/oauth/token) using the password grant method to request an access token using their client id, client secret, users email and password.

  5. If a valid access token is returned then using that token and the form data a second request is made to (http://my-app.com/api/jobs/add) endpoint.

Can someone advise if this is correct grant type to use or is it insecure for registered users to be supplying a third party application login credentials in order to obtain a access token?

What is the correct grant type to use for the above use case?

If I was to use the authorization_grant method, who would be responsible for creating the client - the admin of my-app.com or the registered user of my-app.com?

If its the registered user of my-app.com then does that mean every registered user would have to create a client on my-app.com for the same third party app which wouldnt make sense as the third party app would then end up with multiple client ids so how would they implement the callback url?

This is very confusing.

1
laravelapiauthenticationoauth-2.0laravel-passport

1 Answers

1
votes

You are more or less on track except point #3.

Giving access to your users credentials to a 3rd party system isn't a good idea, and may even not be legally acceptable. Instead provide a url, which can be opened in a popup for the authentication, and return the auth token to the window.opener

You can provide a function for the parent window (window.opener), which accepts a callback to be called on login success/error:

var popup = window.open("/someUrl");
popup.onload = function(){
   popup.onLogin(onLoginSuccessCallback, onLoginErrorCallback);
};

or the parent window can have a function which you can call from within the popup:

window.opener.loginCallback(token);