如何将 Laravel Passport 与密码授予令牌一起使用?

How to use Laravel Passport with Password Grant Tokens?(如何将 Laravel Passport 与密码授予令牌一起使用?)

问题描述

我刚刚阅读了 https://laravel.com/docs/5.6/passport 文档我有一些疑问，希望有人可以帮助我:

首先，在某些情况下，我想使用 Passport 作为为我的移动应用(第一方应用)提供 Oauth 身份验证的一种方式.

1. 当我使用 php artisanpassport:client --password 时，我会得到一个客户端 ID 和一个客户端密码.这个值是否必须固定在我的应用程序上?例如将它们存储为硬编码或作为设置"文件?如果不应该存储这些值，那么它应该如何工作?

2. 为了向我的应用程序注册用户，我使用:$user->createToken('The-App')->accessToken; 我知道 accessToken 将是一个用于将我的所有请求作为标头发送(授权 => Bearer $accessToken)，但The-App"值究竟是什么?

3. 我使用以下 URL 登录用户:http://example.com/oauth/令牌并作为参数发送:

   {"用户名": "user@email.com","密码": "用户密码","grant_type": "密码","client_id": 1,//我从命令中得到的客户端 ID(问题 1)"client_secret": "Shhh"//我从命令中得到的 Client Secret(问题 1)}

4. 当我使用前一个端点登录用户时，我得到一个 refresh_token，我读到我可以通过 http://example.com/oauth/token/refresh 但我尝试请求刷新我收到错误 419，我从 csrf 验证中删除了 url oauth/token/refresh，现在我取回 "message": "Unauthenticated."，我正在提出以下请求:

   内容类型:x-www-form-urlencodedgrant_type: refresh_tokenrefresh_token: the-refresh-token//我从命令中得到的刷新令牌(问题 3)client_id: 1//我从命令中得到的客户端 ID(问题 1)client_secret: Shhh//我从命令中得到的 Client Secret(问题 1)范围:''

我应该使用这个端点吗?或者考虑到我正在尝试开发的应用程序没有必要.

5. 最后，我从护照中获得了很多我认为不会使用的端点，例如:oauth/clients*、oauth/personal-access-tokens* 有没有办法从passport发布的端点中删除它们?

非常感谢您的帮助！

如果你使用自己的 api 那么你就不需要调用 http://example.com/oauth/token用于用户登录，因为那时您需要在应用程序端存储 client_id 和 client_secret.最好创建一个用于登录的 api，然后您可以在那里检查凭据并生成个人令牌.

公共函数登录(Request $request){$credentials = $request->only('email', 'password');如果 (Auth::attempt($credentials)) {//认证通过...$user = Auth::user();$token = $user->createToken('Token Name')->accessToken;返回响应()-> json($token);}}

<块引用>

最后，我从护照中获得了很多端点不认为我会使用例如:oauth/clients*，oauth/personal-access-tokens* 有没有办法将它们从护照发布的端点?

您需要从 AuthServiceProvider 中删除 Passport::routes(); 并手动仅放置所需的护照路线.我认为你只需要 oauth/token 路由.

The-App"的价值究竟是什么?

如果您检查 oauth_access_tokens 表，它有名称字段.$user->createToken('Token Name')->accessToken; 这里是存储在 name 字段中的 Token Name".

如何将 Laravel Passport 与密码授予令牌一起使用?

要生成密码授予令牌，您必须在应用端存储 client_id 和 client_secret(不推荐，请查看 this ) 并假设如果您必须重置 client_secret 然后旧版本的应用程序停止工作，这些是问题.要生成密码授予令牌，您必须像步骤 3 中提到的那样调用此 API.

$http = new GuzzleHttpClient;$response = $http->post('http://your-app.com/oauth/token', ['form_params' =>['grant_type' =>'密码'，'client_id' =>'客户ID'，'client_secret' =>'客户机密','用户名' =>'taylor@laravel.com','密码' =>'我的密码'，'范围' =>'',],]);返回 json_decode((string) $response->getBody(), true);

<块引用>

从refresh_token

$http = new GuzzleHttpClient;$response = $http->post('http://your-app.com/oauth/token', ['form_params' =>['grant_type' =>'refresh_token','refresh_token' =>'刷新令牌'，'client_id' =>'客户ID'，'client_secret' =>'客户机密','范围' =>'',],]);返回 json_decode((string) $response->getBody(), true);

你可以看看这个https://laravel.com/docs/5.6/passport#implicit-grant-tokens 也是.

I just read the https://laravel.com/docs/5.6/passport documentation and I have some doubts that hopefully someone could help me with:

First, some context, I want to use Passport as a way to provide Oauth authentication for my mobile app (first-party app).

1. When I use php artisan passport:client --password I get back a Client ID and a Client Secret. Does this value have to be fixed on my app? for example storing them hardcoded or as a "settings" file? If the values shouldn't be stored then how should it work?

2. To register a user to my app I use: $user->createToken('The-App')->accessToken; I get that the accessToken will be the one used for sending on all my requests as a Header (Authorization => Bearer $accessToken) but what exactly is "The-App" value for?

3. For login the user I'm using the URL: http://example.com/oauth/token and sending as parameters:

   { "username": "user@email.com", "password": "userpassword", "grant_type": "password", "client_id": 1, // The Client ID that I got from the command (question 1) "client_secret": "Shhh" // The Client Secret that I got from the command (question 1) }

4. When I login the user using the previous endpoint I get back a refresh_token, I read that I could refresh the token through http://example.com/oauth/token/refresh but I try to request the refresh I got Error 419, I removed the url oauth/token/refresh from the csrf verification and now I get back "message": "Unauthenticated.", I'm making the following request:

   Content-Type: x-www-form-urlencoded grant_type: refresh_token refresh_token: the-refresh-token // The Refresh Token that I got from the command (question 3) client_id: 1 // The Client ID that I got from the command (question 1) client_secret: Shhh // The Client Secret that I got from the command (question 1) scope: ''

Should I use this endpoint? or is not necessary given the app I'm trying to develop.

5. Finally, there are a lot of endpoints that I get from passport that I don't think I will use for example: oauth/clients*, oauth/personal-access-tokens* is there a way to remove them from the endpoints published by passport?

Thanks a lot for your help!

If you are consuming your own api then you don't need to call http://example.com/oauth/token for user login because then you need to store client_id and client_secret at app side. Better you create an api for login and there you can check the credentials and generate the personal token.

public function login(Request $request)
{
        $credentials = $request->only('email', 'password');

        if (Auth::attempt($credentials)) {
            // Authentication passed...
             $user = Auth::user();
             $token = $user->createToken('Token Name')->accessToken;

            return response()->json($token);
        }
}

Finally, there are a lot of endpoints that I get from passport that I don't think I will use for example: oauth/clients*, oauth/personal-access-tokens* is there a way to remove them from the endpoints published by passport?

You need to remove Passport::routes(); from AuthServiceProvider and manually put only required passport routes. I think you only need oauth/token route.

what exactly is "The-App" value for?

if you check oauth_access_tokens table it has name field. $user->createToken('Token Name')->accessToken; here the "Token Name" stored in name field.

How to use Laravel Passport with Password Grant Tokens?

To generate password grant token you have to store client_id and client_secret at app side (not recommended, check this ) and suppose if you have to reset the client_secret then the old version app stop working, these are the problems. To generate password grant token you have to call this api like you mention in step 3.

$http = new GuzzleHttpClient;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'password',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'username' => 'taylor@laravel.com',
        'password' => 'my-password',
        'scope' => '',
    ],
]);

return json_decode((string) $response->getBody(), true);

Generate token from refresh_token

$http = new GuzzleHttpClient;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'refresh_token',
        'refresh_token' => 'the-refresh-token',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'scope' => '',
    ],
]);

return json_decode((string) $response->getBody(), true);

You can look this https://laravel.com/docs/5.6/passport#implicit-grant-tokens too.

这篇关于如何将 Laravel Passport 与密码授予令牌一起使用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持编程学习网！