Creating your own Oauth2 server using Laravel Passport

Image attribution to https://morioh.com/p/274f0d5cf0ab

If you’ve ever needed to implement your own Oauth2 server then this is the place for you.

Table of contents

  1. Initial config — You are here
  2. Setting up authorization code flow + with PKCE
  3. Creating your own Oauth2 server using Laravel Passport — client credentials flow
  4. Creating your own Oauth2 server using Laravel Passport — Password grant flow
  5. Creating your own Oauth2 server using Laravel Passport — Implicit grant flow
  6. Creating your own Oauth2 server using Laravel — Device Grant flow

What we will cover

  1. Setting up an OAuth2 server
  2. Using the OAuth2 server for authorization

Requirements

We will be using the following packages along the way

  1. Laravel passport — Required
  2. Laravel socialite — optional
  3. Laravel Valet — optional — Windows users can use this package instead: cretueusebiu/valet-windows

What will each of the packages be used for?

Laravel passport — will be used to create the OAuth2 server

Laravel socialite — will be used to create our own custom OAuth2 provider that will be used to utilize Laravel passport.

Laravel Valet — Will be used to create local domains i.e. .dev and .test domains.

NB: Both Valet and Socialite are optional, as I will show you how to interact with our OAuth2 server without either package. Using them does save us a lot of code and time, though.

What is OAuth2

OAuth 2.0 stands for ‘Open Authorization version 2.0’. It is a standard created to enable an application to access resources hosted by another web app on behalf of a user, without the user having to share their credentials with that application.

If you have ever used Sign in with Google, GitHub or Facebook (social logins, in short), then you’ve already interacted with OAuth2.

In this tutorial we are going to be creating exactly that and much more. We are going to create an application that will act as the identity provider and allow one to sign in with our application from another application.

This article explains more about OAuth2 and I highly recommend you read it first to get an idea of what we are going to implement. I’ll explain each of the authorization flows available in OAuth2 when we implement it, rather than explaining everything up front and implementing afterwards. I think that’s a neater approach.

This article is another one I find helpful; it explains the authorization flows together with their parameters and expected response types.

As a summary though the following are the authorization flows found in OAuth2.

  1. Password grant flow.
  2. Client credentials flow.
  3. Authorization code flow.
  4. Authorization code flow with PKCE (Proof Key for Code Exchange).
  5. Implicit grant flow.
  6. Device authorization flow.

Initial setup

Now that we’ve seen all the possibilities it’s time to actually implement the server. For the initial configuration I will create two Laravel applications, one acting as the client and the other as the server. The client application will use the server application to perform authorization and allow the user to ‘Sign in with our server application’. We will therefore name the apps ‘OAuth2-Server’ and ‘Client’ to represent this.

Step 1: create two new Laravel applications

If you are using Laravel installer you can use the following commands

laravel new OAuth2-Server
laravel new Client

The above commands will create two new Laravel applications, namely OAuth2-Server and Client respectively.

Step 2: Installing laravel/passport on OAuth2-Server app and linking using valet

Navigate into the OAuth2-Server folder and install Laravel Passport using composer require laravel/passport

If you have Valet installed we can link to this application by navigating to the public directory and typing valet link oauth2-server. This will create a local domain called http://oauth2-server.test or http://oauth2-server.dev depending on your Valet configuration.

Step 3: Configuring passport on Oauth2-Server app

First confirm you have set up the database using

php artisan migrate

To install passport configs we will run the following commands

php artisan passport:install --uuids

I’m choosing to use UUIDs because it’s a better security approach than the default auto-incrementing integer ids: with integer ids anyone can guess the next client id, whereas UUIDs are not sequential, so client ids cannot be enumerated.

You should have something like this once you run the commands above

After running passport:install

Both of the above are OAuth2 clients that are used in different OAuth2 authorization flows. Their names hint at when they will be used; if you don’t have a clue yet, don’t worry, we will get to them later. As a hint, they are used when issuing the normal API tokens when you use Laravel Passport as the API guard.

Step 4: Setting up our app to use passport

After creating the above we need to set up our Laravel application to use Passport when issuing API tokens. We need to set the User model to use Passport as follows.

For those using Laravel 8, Sanctum has been set as the default API guard. Both packages provide a trait named HasApiTokens, so we CANNOT use both concurrently: you will need to comment out the Sanctum HasApiTokens trait and import Passport’s instead.
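Here is what the finished User model looks like, as an added example (not the article’s own listing). It assumes the Laravel 8 layout where the model lives in app/Models/User.php; the only change from the stock file is which HasApiTokens trait is imported.

```php
<?php
// app/Models/User.php (added example; assumes the default Laravel 8 model)

namespace App\Models;

use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Passport\HasApiTokens;      // Passport's trait: issues and checks OAuth2 tokens
// use Laravel\Sanctum\HasApiTokens;    // Laravel 8 default: must stay commented out, same trait name

class User extends Authenticatable
{
    // HasApiTokens now comes from Passport, not Sanctum
    use HasApiTokens, HasFactory, Notifiable;

    // Attributes that may be mass assigned
    protected $fillable = ['name', 'email', 'password'];

    // Never serialise these into API responses
    protected $hidden = ['password', 'remember_token'];

    protected $casts = ['email_verified_at' => 'datetime'];
}
```

If you leave both imports active PHP will refuse to compile the class because the two `use` statements import the same short name, which is the clearest signal you have picked the wrong trait.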

Step 5: Adding passport as api guard

In your config/auth.php file, set the driver of the api guard to passport as shown below.
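As an added example (not the article’s own snippet), this is the relevant part of config/auth.php after the change; the rest of the file keeps Laravel’s defaults. Only the api guard’s driver changes, from token (or sanctum, depending on your Laravel version) to passport.

```php
<?php
// config/auth.php (added example; excerpt showing the guards section)

return [
    'defaults' => [
        'guard' => 'web',       // browser sessions keep using the session guard
        'passwords' => 'users',
    ],

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        // API requests are authenticated by validating the Bearer access token
        // against the oauth_access_tokens table that Passport migrated earlier.
        'api' => [
            'driver' => 'passport',
            'provider' => 'users',
        ],
    ],

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\Models\User::class,
        ],
    ],

    // 'passwords' and 'password_timeout' keep their default values
];
```

Any route wrapped in the auth:api middleware now rejects requests without a valid, unexpired Passport token, which is the behaviour we rely on in the later flows.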

Step 6: Setting up passport routes

We need to register the routes for Passport as shown below; add the following to the boot method of your app/Providers/AuthServiceProvider.php file.

NB: remember to import Passport at the top of the file by declaring

use Laravel\Passport\Passport;
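The full provider, as an added example rather than the article’s own gist. Passport::routes() is what registers /oauth/authorize and /oauth/token; the three expiry calls are my addition, because out of the box Passport issues access tokens that live for a year, and a shorter lifetime limits the damage from a leaked token. The chosen lifetimes are just sample values; adjust them to your own risk appetite. Note that Passport 11 and later register the routes automatically and no longer ship Passport::routes(), so on those versions drop that line.

```php
<?php
// app/Providers/AuthServiceProvider.php (added example; assumes Passport 10 or earlier)

namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    // Model => policy mappings; none needed for the OAuth2 server itself
    protected $policies = [
        // 'App\Models\Model' => 'App\Policies\ModelPolicy',
    ];

    public function boot()
    {
        $this->registerPolicies();

        // Registers the OAuth2 endpoints (/oauth/authorize, /oauth/token, ...)
        // plus the client and personal-access-token management routes.
        Passport::routes();

        // Sample lifetimes (assumption, not Passport defaults): short-lived access
        // tokens, a longer refresh token window, and capped personal access tokens.
        Passport::tokensExpireIn(now()->addHours(1));
        Passport::refreshTokensExpireIn(now()->addDays(30));
        Passport::personalAccessTokensExpireIn(now()->addMonths(6));
    }
}
```

After this, php artisan route:list should show the oauth/* routes; if it doesn’t, the provider isn’t being loaded or the import on the line above is missing.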

Step 7: publish passport assets

To publish Passport’s assets we will use the following command.

php artisan vendor:publish --provider="Laravel\Passport\PassportServiceProvider"

This will publish Passport’s:

  1. Migrations
  2. Config
  3. Views

Step 8: Installing laravel/socialite on Client app and linking using valet

Navigate into the Client folder and install Laravel Socialite using composer require laravel/socialite

If you have Valet installed we can link to this application by navigating to the public directory and typing valet link client. This will create a local domain called http://client.test or http://client.dev depending on your Valet configuration.

NB: If you don’t have Valet, don’t worry; you can still run your applications the normal way using php artisan serve

Conclusion

We are done with our basic set up. In the next article we will look more closely at implementing all the authorization flows listed above.

What next

  1. Implementing authorization code flow + with PKCE.

References

  1. https://github.com/Ghostscypher/OAuth2-Tutorial — GitHub repo for this tutorial
  2. https://medium.com/google-cloud/understanding-oauth2-and-building-a-basic-authorization-server-of-your-own-a-beginners-guide-cf7451a16f66 — Understanding OAuth2 and building a basic authorization server of your own: a beginner’s guide


Freelance developer interested in natural simulations, visualization systems, and anything nerdy.
