1
votes

In my laravel project I use Laravel Passport Password and Client Credentials Grant Tokens.

Client Credentials Grant Tokens

The client credentials grant is suitable for machine-to-machine authentication. For example, you might use this grant in a scheduled job which is performing maintenance tasks over an API.

This grant type has middleware for verifying client credentials.

Middleware path

Laravel\Passport\Http\Middleware\CheckClientCredentials

By registering this middleware in app/Http/Kernel.php we can protect our routes:

use Laravel\Passport\Http\Middleware\CheckClientCredentials;

protected $routeMiddleware = [
    // 'client' is the alias used in ->middleware('client') on routes
    'client' => CheckClientCredentials::class,
];

Example of protecting a route:

Route::get('/orders', function (Request $request) {
    ...
})->middleware('client');

We can obtain access tokens for any grant type by sending a request to: http://your-app.com/oauth/token

Example:

$guzzle = new GuzzleHttp\Client;

// Client credentials grant: the client id and secret are the only credentials,
// so this request must go over TLS in anything but a local test.
$response = $guzzle->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'client_credentials',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'scope' => 'your-scope',
    ],
]);

// The token endpoint returns JSON; the bearer token is in 'access_token'
return json_decode((string) $response->getBody(), true)['access_token'];

Password Grant Tokens

The OAuth2 password grant allows your other first-party clients, such as a mobile application, to obtain an access token using an e-mail address / username and password. This allows you to issue access tokens securely to your first-party clients without requiring your users to go through the entire OAuth2 authorization code redirect flow.

With a Password Grant Client we can authorize our users and protect authorized routes using the auth:api middleware. To access authorized routes we must set the token in the request header's access_token field.

Example of protecting a route:

Route::get('/orders', function (Request $request) {
    ...
})->middleware('auth:api');

Now, when both grant types (Password Grant Tokens and Client Credentials Grant Tokens) need to read the access token from the header field access_token, how can I protect my routes?

Something like this:

Route::get('/orders', function (Request $request) {
    ...
})->middleware(['client', 'auth:api']);

How can I organize such protection with Laravel Passport when both middleware expect the token from the same access_token header field?

It's not 100% clear what you're asking. Please could you provide a little more detail? – Rwd
Ok @Rwd, now I'll edit my question. – Andreas Hunter
@Rwd I've edited my question by adding more details. – Andreas Hunter
@Andreas Hunter I think what you are looking for is (filljoyner.com/2017/03/01/…), where the author breaks up routes for the client credentials grant (client middleware) and the password grant (auth:api middleware). I currently have the same issue of how I can share the same resource for both middleware at the same time. – xyfantis
And did that post help you? @xyfantis – Andreas Hunter

1 Answer

0
votes

Like this maybe?

// Both middleware run on every route in the group
Route::middleware(['client', 'auth:api'])->group(function () {
    Route::get(....);
});
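Stacking 'client' and 'auth:api' makes both checks run on the same token, which requires the token to satisfy both. With Passport's TokenGuard a client-credentials token carries no user, so auth:api rejects it, and a route guarded by both middleware only admits tokens that pass both. A route that should serve either kind of client needs a middleware that tries one check and falls back to the other. The class below is an added example written for this thread, not code from the question, the answer, or Laravel Passport itself. It assumes config/auth.php defines an api guard with the passport driver, that the token is sent as Authorization: Bearer <token> (which is what Passport's TokenGuard reads), and that the alias name client_or_api and the class name CheckClientOrUser are free to use.

```php
<?php

// Added example (not from the question, the answer, or Passport): one middleware
// that accepts a password-grant token (a user stands behind it) or, failing that,
// a client-credentials token, so a single route can serve both kinds of client.
// Assumptions: the 'api' guard uses the 'passport' driver and the token arrives
// as "Authorization: Bearer <token>". The class and alias names are hypothetical.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Passport\Http\Middleware\CheckClientCredentials;

class CheckClientOrUser
{
    /** @var CheckClientCredentials Passport's own client-credentials middleware */
    protected $clientCheck;

    // Passport's middleware is injected rather than re-implemented, so the
    // client-credentials branch keeps Passport's token validation and scope
    // checks exactly as they are.
    public function __construct(CheckClientCredentials $clientCheck)
    {
        $this->clientCheck = $clientCheck;
    }

    /**
     * Register in app/Http/Kernel.php:
     *     'client_or_api' => \App\Http\Middleware\CheckClientOrUser::class,
     * then use ->middleware('client_or_api') or, with required scopes,
     * ->middleware('client_or_api:read-orders,write-orders').
     */
    public function handle(Request $request, Closure $next, ...$scopes)
    {
        // 1. Password grant: the api guard resolves a user from the Bearer
        //    token. A client-credentials token has no user id, so user()
        //    returns null here and we fall through to step 2.
        $user = Auth::guard('api')->user();

        if ($user !== null) {
            // Enforce the same scope list a client-credentials token would
            // need, so the two branches grant equal access to the route.
            foreach ($scopes as $scope) {
                if (!$user->tokenCan($scope)) {
                    throw new AuthenticationException('Token is missing scope: ' . $scope);
                }
            }

            return $next($request);
        }

        // 2. No user behind the token: hand the request to Passport's
        //    CheckClientCredentials, which validates the token and its scopes
        //    and throws AuthenticationException when the token is invalid.
        return $this->clientCheck->handle($request, $next, ...$scopes);
    }
}
```

Inside the route, $request->user() is set only for requests that came through the password-grant branch; a client-credentials request reaches the handler with no user, so any per-user logic in the route must check for null before relying on it.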