I've set up the laravel passport and created clients. When clients make a post request to my application using it api, all they send is the bearer access token along with the post values.
Is there any way I can get the client id of the consuming application when they submit the post request simply from the bearer token.
Or is it entirely safe for the consuming application to send their client id along with the post fields?
If you deal with the grant type client_credentials you might consider the following solution:
Route::get('/get-client-cred', function (Request $request) {
$bearerToken = $request->bearerToken();
$tokenId = (new \Lcobucci\JWT\Parser())->parse($bearerToken)->getHeader('jti');
return \Laravel\Passport\Token::find($tokenId)->client;
})->middleware('client_credentials');
Instead, if you are dealing with a personal access token you can retrieve the client as following:
Route::middleware('auth:api')->get('/get-client', function (Request $request) {
return $request->user()->token()->client;
});
