如何将 Laravel Passport 与密码授予令牌一起使用? [英] How to use Laravel Passport with Password Grant Tokens?

查看:28
本文介绍了如何将 Laravel Passport 与密码授予令牌一起使用?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我刚刚阅读了 https://laravel.com/docs/5.6/passport 文档我有一些疑问,希望有人可以帮助我:

首先,在某些情况下,我想使用 Passport 作为为我的移动应用(第一方应用)提供 Oauth 身份验证的一种方式.

  1. 当我使用 php artisanpassport:client --password 时,我会得到一个客户端 ID 和一个客户端密码.这个值是否必须固定在我的应用程序上?例如将它们存储为硬编码或作为设置"文件?如果不应该存储这些值,那么它应该如何工作?

  2. 为了向我的应用程序注册用户,我使用:$user->createToken('The-App')->accessToken; 我知道 accessToken 将是一个用于将我的所有请求作为标头发送(授权 => Bearer $accessToken),但The-App"值究竟是什么?

  3. 我使用以下 URL 登录用户:http://example.com/oauth/令牌并作为参数发送:

    {"用户名": "user@email.com","密码": "用户密码","grant_type": "密码","client_id": 1,//我从命令中得到的客户端 ID(问题 1)"client_secret": "Shhh"//我从命令中得到的 Client Secret(问题 1)}

  4. 当我使用前一个端点登录用户时,我得到一个 refresh_token,我读到我可以通过 http://example.com/oauth/token/refresh 但我尝试请求刷新我收到错误 419,我从 csrf 验证中删除了 url oauth/token/refresh,现在我取回 "message": "Unauthenticated.",我正在提出以下请求:

    内容类型:x-www-form-urlencodedgrant_type: refresh_tokenrefresh_token: the-refresh-token//我从命令中得到的刷新令牌(问题 3)client_id: 1//我从命令中得到的客户端 ID(问题 1)client_secret: Shhh//我从命令中得到的 Client Secret(问题 1)范围:''

我应该使用这个端点吗?或者考虑到我正在尝试开发的应用程序没有必要.

  1. 最后,我从护照中获得了很多我认为不会使用的端点,例如:oauth/clients*oauth/personal-access-tokens* 有没有办法从passport发布的端点中删除它们?

非常感谢您的帮助!

解决方案

如果你使用自己的 api 那么你就不需要调用 http://example.com/oauth/token用于用户登录,因为那时您需要在应用程序端存储 client_id 和 client_secret.最好创建一个用于登录的 api,然后您可以在那里检查凭据并生成个人令牌.

公共函数登录(Request $request){$credentials = $request->only('email', 'password');如果 (Auth::attempt($credentials)) {//认证通过...$user = Auth::user();$token = $user->createToken('Token Name')->accessToken;返回响应()-> json($token);}}

<块引用>

最后,我从护照中获得了很多端点不认为我会使用例如:oauth/clients*,oauth/personal-access-tokens* 有没有办法将它们从护照发布的端点?

您需要从 AuthServiceProvider 中删除 Passport::routes(); 并手动仅放置所需的护照路线.我认为你只需要 oauth/token 路由.

<块引用>

The-App"的价值究竟是什么?

如果您检查 oauth_access_tokens 表,它有名称字段.$user->createToken('Token Name')->accessToken; 这里是存储在 name 字段中的 Token Name".

<块引用>

如何将 Laravel Passport 与密码授予令牌一起使用?

要生成密码授予令牌,您必须在应用端存储 client_idclient_secret(不推荐,请查看 this ) 并假设如果您必须重置 client_secret 然后旧版本的应用程序停止工作,这些是问题.要生成密码授予令牌,您必须像步骤 3 中提到的那样调用此 API.

$http = new GuzzleHttpClient;$response = $http->post('http://your-app.com/oauth/token', ['form_params' =>['grant_type' =>'密码','client_id' =>'客户ID','client_secret' =>'客户机密','用户名' =>'taylor@laravel.com','密码' =>'我的密码','范围' =>'',],]);返回 json_decode((string) $response->getBody(), true);

<块引用>

refresh_token

生成令牌

$http = new GuzzleHttpClient;$response = $http->post('http://your-app.com/oauth/token', ['form_params' =>['grant_type' =>'refresh_token','refresh_token' =>'刷新令牌','client_id' =>'客户ID','client_secret' =>'客户机密','范围' =>'',],]);返回 json_decode((string) $response->getBody(), true);

你可以看看这个https://laravel.com/docs/5.6/passport#implicit-grant-tokens 也是.

I just read the https://laravel.com/docs/5.6/passport documentation and I have some doubts that hopefully someone could help me with:

First, some context, I want to use Passport as a way to provide Oauth authentication for my mobile app (first-party app).

  1. When I use php artisan passport:client --password I get back a Client ID and a Client Secret. Does this value have to be fixed on my app? for example storing them hardcoded or as a "settings" file? If the values shouldn't be stored then how should it work?

  2. To register a user to my app I use: $user->createToken('The-App')->accessToken; I get that the accessToken will be the one used for sending on all my requests as a Header (Authorization => Bearer $accessToken) but what exactly is "The-App" value for?

  3. For login the user I'm using the URL: http://example.com/oauth/token and sending as parameters:

    { "username": "user@email.com", "password": "userpassword", "grant_type": "password", "client_id": 1, // The Client ID that I got from the command (question 1) "client_secret": "Shhh" // The Client Secret that I got from the command (question 1) }

  4. When I login the user using the previous endpoint I get back a refresh_token, I read that I could refresh the token through http://example.com/oauth/token/refresh but I try to request the refresh I got Error 419, I removed the url oauth/token/refresh from the csrf verification and now I get back "message": "Unauthenticated.", I'm making the following request:

    Content-Type: x-www-form-urlencoded grant_type: refresh_token refresh_token: the-refresh-token // The Refresh Token that I got from the command (question 3) client_id: 1 // The Client ID that I got from the command (question 1) client_secret: Shhh // The Client Secret that I got from the command (question 1) scope: ''

Should I use this endpoint? or is not necessary given the app I'm trying to develop.

  1. Finally, there are a lot of endpoints that I get from passport that I don't think I will use for example: oauth/clients*, oauth/personal-access-tokens* is there a way to remove them from the endpoints published by passport?

Thanks a lot for your help!

解决方案

If you are consuming your own api then you don't need to call http://example.com/oauth/token for user login because then you need to store client_id and client_secret at app side. Better you create an api for login and there you can check the credentials and generate the personal token.

public function login(Request $request)
{
        $credentials = $request->only('email', 'password');

        if (Auth::attempt($credentials)) {
            // Authentication passed...
             $user = Auth::user();
             $token = $user->createToken('Token Name')->accessToken;

            return response()->json($token);
        }
}

Finally, there are a lot of endpoints that I get from passport that I don't think I will use for example: oauth/clients*, oauth/personal-access-tokens* is there a way to remove them from the endpoints published by passport?

You need to remove Passport::routes(); from AuthServiceProvider and manually put only required passport routes. I think you only need oauth/token route.

what exactly is "The-App" value for?

if you check oauth_access_tokens table it has name field. $user->createToken('Token Name')->accessToken; here the "Token Name" stored in name field.

How to use Laravel Passport with Password Grant Tokens?

To generate password grant token you have to store client_id and client_secret at app side (not recommended, check this ) and suppose if you have to reset the client_secret then the old version app stop working, these are the problems. To generate password grant token you have to call this api like you mention in step 3.

$http = new GuzzleHttpClient;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'password',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'username' => 'taylor@laravel.com',
        'password' => 'my-password',
        'scope' => '',
    ],
]);

return json_decode((string) $response->getBody(), true);

Generate token from refresh_token

$http = new GuzzleHttpClient;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'refresh_token',
        'refresh_token' => 'the-refresh-token',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'scope' => '',
    ],
]);

return json_decode((string) $response->getBody(), true);

You can look this https://laravel.com/docs/5.6/passport#implicit-grant-tokens too.

这篇关于如何将 Laravel Passport 与密码授予令牌一起使用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆