Laravel Passport Get Client ID By Access Token
Question
I'm writing a tiny SMS gateway to be consumed by a couple of projects, and I implemented Laravel Passport authentication (client credentials grant token).
Then I've added CheckClientCredentials to the api middleware group:
    protected $middlewareGroups = [
        'web' => [
            ...
        ],
        'api' => [
            'throttle:60,1',
            'bindings',
            \Laravel\Passport\Http\Middleware\CheckClientCredentials::class
        ],
    ];
The logic is working fine; now in my controller I need to get the client associated with a valid token.
routes.php
    Route::post('/sms', function(Request $request) {
        // save the sms along with the client id and send it
        $client_id = ''; // get the client id somehow
        sendSms($request->text, $request->to, $client_id);
    });
For obvious security reasons I can never send the client id with the consumer request, e.g. $client_id = $request->client_id;.
Recommended answer
So, no answers ...
I was able to resolve the issue by consuming my own API. Finally I came up with a simpler authentication flow: the clients need to send their id & secret with each request, then I consumed my own /oauth/token route with the sent credentials, inspired by Esben Petersen's blog post.
Once the access token is generated, I append it to the headers of the Symfony\Request instance which is under processing.
My final output looks like this:
    <?php
    namespace App\Http\Middleware;

    use Closure;

    class AddAccessTokenHeader
    {
        /**
         * @var \Octipus\ApiConsumer
         */
        private $apiConsumer;

        public function __construct()
        {
            $this->apiConsumer = app()->make('apiconsumer');
        }

        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            // Exchange the client_id/client_secret sent with the request for an access token
            $response = $this->apiConsumer->post('/oauth/token', $request->input(), [
                'content-type' => 'application/json'
            ]);

            if (!$response->isSuccessful()) {
                return response($response->getContent(), 401)
                    ->header('content-type', 'application/json');
            }

            $response = json_decode($response->getContent(), true);

            // Attach the freshly issued token so CheckClientCredentials can validate it
            $request->headers->add([
                'Authorization' => 'Bearer ' . $response['access_token'],
                'X-Requested-With' => 'XMLHttpRequest'
            ]);

            return $next($request);
        }
    }
I used the above middleware in conjunction with Passport's CheckClientCredentials.
    protected $middlewareGroups = [
        'web' => [
            ...
        ],
        'api' => [
            'throttle:60,1',
            'bindings',
            \App\Http\Middleware\AddAccessTokenHeader::class,
            \Laravel\Passport\Http\Middleware\CheckClientCredentials::class
        ],
    ];
This way, I was able to ensure that $request->input('client_id') is reliable and can't be faked.
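An added example (not from the original answer and not Passport's own code) showing the other way to answer the question: derive the client id from the bearer token Passport has already validated, so the client secret does not have to travel with every request. The hypothetical ResolveOAuthClient middleware assumes the JWT issued by Passport carries a jti claim equal to the oauth_access_tokens.id row (as league/oauth2-server does) and that Laravel\Passport\Token maps that table; it must be listed after CheckClientCredentials in the api group.

```php
<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Laravel\Passport\Token;

// Hypothetical class (added example): list it AFTER CheckClientCredentials so the
// bearer token's signature and expiry have already been verified by Passport.
class ResolveOAuthClient
{
    public function handle(Request $request, Closure $next)
    {
        $claims = self::unverifiedClaims((string) $request->bearerToken());
        if ($claims === null || empty($claims['jti'])) {
            return response()->json(['error' => 'invalid_token'], 401);
        }

        // The oauth_access_tokens row (keyed by the token's jti) is the
        // authoritative source of the client id; reject revoked tokens too.
        $token = Token::find($claims['jti']);
        if ($token === null || $token->revoked) {
            return response()->json(['error' => 'invalid_token'], 401);
        }

        // Expose the client id as a request attribute, never read it from input:
        // controllers use $request->attributes->get('oauth_client_id').
        $request->attributes->set('oauth_client_id', $token->client_id);

        return $next($request);
    }

    /**
     * Decode the JWT payload without checking the signature. Safe only because
     * the upstream Passport middleware already validated this exact token.
     */
    public static function unverifiedClaims(string $jwt): ?array
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return null;
        }
        $json = base64_decode(strtr($parts[1], '-_', '+/'), true);
        $claims = $json === false ? null : json_decode($json, true);

        return is_array($claims) ? $claims : null;
    }
}
```

In the /sms route from the question, $client_id then comes from $request->attributes->get('oauth_client_id') instead of from request input.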