0
votes

I'm having issues understanding the whole process of authenticating a client to consume my API built on Laravel. Some things just don't click for me right now.

I'm trying to implement an API and an OAuth server both on Laravel. The API will be consumed by a native mobile app that is trusted. The flow that makes more sense to me is "Password grant token" as described in the Laravel Passport docs: https://laravel.com/docs/7.x/passport#password-grant-tokens

As I understand the implementation:

  1. User installs my mobile app.
  2. Upon installation, he's prompted with the "enter username/password" form to continue to use the app.
  3. Upon hitting submit, I make a POST request to my Laravel OAuth server implementation on "/oauth/token" with "grant_type", "client_id", "username", "password", "scope". I'm leaving out the "client_secret" because I understand that it's not a good idea to store the secret on the client device.
  4. The server then checks the already created (`php artisan passport:client --password`) "client_id", "username", "password" and "response_type".
  5. If all matches, it generates a token, and responds with "access_token" & "refresh_token".
  6. I can now make calls to my API's endpoints "/api/whatever/method_name".

My issue is at point 4. I can only issue the access token if the user already exists in my database, but I'm assuming it's the first time the user uses my app.

Do I also need an "authentication" step, in which the user sends username/password and the OAuth server prompts the "authorize app to use your data" screen, and at this point to save the user in the database and only then proceed?

2
If you want to register a user from within your app, just point the register form to post to a public route of your Laravel API; your entire application doesn't have to use Passport middleware.
Robert Kujawa

2 Answers

0
votes

Usually you have a register route that is without authorization, else you have no entry into the application. Imagine your routes file.

Route::middleware('auth:api')->group(function () {
    // Only reachable with a valid Passport access token
    Route::post('/todos', 'TodoController@index');
});

// Without auth: public, so this is the entry point for a user who has no token yet
Route::post('/register', 'RegisterController@register');

For hiding credentials, it is often easier to do a proxy approach, so your backend can hold client_id and client_secret, since they will always be the same (unless you are building an OAuth server).

Route::post('/login', 'LoginController@login');

This will receive username and password, internally call oauth/token, add client_id and client_secret in the process and return the token. To save some calls during signup, you can do the same approach after you have registered: get the OAuth token with the credentials you have at registration and return the token immediately.

0
votes

I would recommend the following:

  1. In the log in method, check if the user exists.
  2. If he exists, log him in.
  3. Else, first register him, and then log him in.
  4. Lastly, return the access token.
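The proxy approach from the first answer (a public /register and /login that call oauth/token on the server's behalf, returning a token straight after registration) and the "register, then log in" sequence of the second answer, worked through as one added Laravel 7 / Passport example. This is not code from the question or either answer: the controller, route and config names are assumptions, and the client id and secret are assumed to live in config/services.php under hypothetical keys. The app sends only username/password; the client secret stays on the server, which is what step 3 of the question is trying to achieve.

```php
<?php
// Added example, not code from the original question or answers.
// Laravel 7 + Passport (the 7.x docs linked in the question). Assumptions:
//   * a password-grant client exists:  php artisan passport:client --password
//   * its id/secret are stored server-side in config/services.php (hypothetical keys):
//       'passport' => ['client_id'     => env('PASSPORT_CLIENT_ID'),
//                      'client_secret' => env('PASSPORT_CLIENT_SECRET')],
//   * routes/api.php (assumed names) exposes the public endpoints, rate limited:
//       Route::middleware('throttle:10,1')->group(function () {
//           Route::post('/register', 'AuthController@register');
//           Route::post('/login',    'AuthController@login');
//           Route::post('/refresh',  'AuthController@refresh');
//       });
//       Route::middleware('auth:api')->get('/user', function (Request $r) { return $r->user(); });

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class AuthController extends Controller
{
    // Steps 3-5 of the question, proxied: the app sends only username/password;
    // client_id and client_secret are added here and never leave the server.
    public function login(Request $request)
    {
        $data = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        return $this->passwordGrant($data['email'], $data['password']);
    }

    // Public registration (no auth:api middleware). The user row must exist
    // before /oauth/token can issue a token for it, so create it first and
    // issue the token in the same request to save the app a second round trip.
    public function register(Request $request)
    {
        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'max:255', 'unique:users'],
            'password' => ['required', 'string', 'min:8', 'confirmed'],
        ]);

        User::create([
            'name'     => $data['name'],
            'email'    => $data['email'],
            'password' => Hash::make($data['password']),
        ]);

        return $this->passwordGrant($data['email'], $data['password']);
    }

    // The refresh_token grant also requires the client secret, so it is proxied too.
    public function refresh(Request $request)
    {
        $data = $request->validate(['refresh_token' => ['required', 'string']]);

        return $this->callTokenEndpoint([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $data['refresh_token'],
            'scope'         => '',
        ]);
    }

    private function passwordGrant(string $username, string $password)
    {
        // Passport resolves "username" against the users.email column by default
        // (or User::findForPassport() if you define it).
        return $this->callTokenEndpoint([
            'grant_type' => 'password',
            'username'   => $username,
            'password'   => $password,
            'scope'      => '',
        ]);
    }

    private function callTokenEndpoint(array $params)
    {
        // Dispatch /oauth/token through the HTTP kernel rather than over a loopback
        // HTTP call: no network hop, no APP_URL dependency, and no hang under the
        // single-process `php artisan serve`.
        $tokenRequest = Request::create('/oauth/token', 'POST', $params + [
            'client_id'     => config('services.passport.client_id'),
            'client_secret' => config('services.passport.client_secret'),
        ]);

        $response = app()->handle($tokenRequest);

        if ($response->getStatusCode() !== 200) {
            // Collapse every OAuth error into one generic reply so the response does
            // not reveal whether the username or the password was the wrong part.
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        // Pass through the token payload: token_type, expires_in, access_token, refresh_token.
        return response()->json(json_decode($response->getContent(), true));
    }
}
```

Two design choices worth noting. Registration is kept as its own explicit endpoint rather than folded into login as the second answer describes: if a failed login silently creates an account, then any username/password pair anyone submits becomes a valid account (including typos of an existing user's address), and the login endpoint can no longer distinguish a wrong password from a new user. The throttle middleware on the three public routes matters because the password grant lets a caller test username/password pairs directly against the user table; without a rate limit the proxy is an open credential-stuffing oracle.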