Creating your own OAuth2 server using Laravel Passport — Implicit grant flow
Table of contents
- Initial config — Recommend you start here
- Setting up authorization code flow + with PKCE
- Creating your own OAuth2 server using Laravel Passport — Client credentials flow
- Creating your own OAuth2 server using Laravel Passport — Password grant flow
- Creating your own OAuth2 server using Laravel Passport — Implicit grant flow — You are here
- Creating your own OAuth2 server using Laravel — Device grant flow
What we will do
- We will implement the implicit grant flow.
Analogy
The implicit grant shortens the authorization code flow by returning the access token directly in the redirect instead of an authorization code. It is intended for first-party single-page applications, which run in the browser and therefore cannot keep a client secret confidential.
The analogy for this flow: suppose you (the client app) receive a customer who wants to purchase an item. You send this stranger to your friend (the OAuth2 server) with your name (the client id). Your friend knows this customer and can verify who they are (logging in). Once your friend has verified that he indeed knows this customer, he asks the customer whether you sent them (the authorization step). If the customer confirms that they know you, your friend sends the customer back to you with the access token, which you can use to complete the transaction.
The steps are as follows.
- Send the customer to your friend together with your client id.
- The customer verifies themselves by logging in at your friend's place.
- Once the user has logged in successfully, your friend sends the customer back to you with an access token.
- You use this access token to make other API requests.
Step 1: Create the ‘implicit grant’ client on the OAuth2-Server app
To create this client, run the following:
php artisan passport:client --public
You should see output like this. The command prints the id of the new client; because it was created with --public, no client secret is generated.
And in your DB the following record should be inserted (in the oauth_clients table):
Step 2: Enable the implicit grant on the OAuth2-Server app
The implicit grant is disabled by default, so we need to enable it in the boot method of your AuthServiceProvider, as shown below.
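As an added example (not the tutorial's own code), here is what the server app's AuthServiceProvider looks like with the implicit grant enabled. Passport::routes() is assumed to be needed, which holds for Passport 10 and earlier; the token lifetime is an illustrative choice, not a value from the tutorial.

```php
<?php

namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [
        // 'App\Models\Model' => 'App\Policies\ModelPolicy',
    ];

    public function boot()
    {
        $this->registerPolicies();

        // Registers /oauth/authorize, /oauth/token and friends.
        // Needed on Passport 10 and earlier (assumed here); Passport 11+
        // registers these routes itself, so drop this line there.
        Passport::routes();

        // The implicit grant is off by default: without this call the
        // authorization server rejects requests with response_type=token.
        Passport::enableImplicitGrant();

        // Illustrative lifetime (not from the tutorial): an implicit-grant
        // token travels in the browser's URL fragment and ends up in browser
        // history, so keep it short-lived and rely on re-authorization.
        Passport::tokensExpireIn(now()->addMinutes(15));
    }
}
```

Short token lifetimes matter more here than in the other grants, because the implicit grant issues no refresh token and the access token is visible to anything that can read the browser's URL.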
Step 3: Add the login route and callback to the client app
Route for implicit login
In the controller
Route for callback
In the controller
Finally, add a "Login with OAuth2 implicit grant" link to the client app so that we can test the flow.
To check whether the request succeeded, look at the URL in the browser: it should contain the access token in the fragment, as shown below.
You can then use JavaScript to read this fragment, which carries the access token. You can also confirm that the response belongs to the request you sent by comparing the returned state parameter with the one you stored before redirecting.
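One way to wire Step 3 and the fragment check together, as an added example that is not from the tutorial's repository: the client app's routes/web.php with the implicit-login redirect and the callback. The hostnames, the OAUTH_SERVER, CLIENT_ID and REDIRECT_URI constants and the session key oauth_state are assumptions; the redirect URI must match the one registered when the client was created in Step 1. The callback returns an inline HTML page because the token only exists in the URL fragment, which the browser never sends to the server.

```php
<?php
// routes/web.php of the CLIENT app (added example; values below are assumptions)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

const OAUTH_SERVER = 'http://oauth2-server.test';            // assumed server host
const CLIENT_ID    = '<client-id-from-passport:client>';      // placeholder from Step 1
const REDIRECT_URI = 'http://client-app.test/callback';       // must match the registered URI

Route::get('/login/implicit', function (Request $request) {
    // Analogy step 1: send the user to the server with our client id.
    // A random, single-use `state` ties this redirect to the browser session so
    // the callback can reject responses we never asked for (CSRF/token injection).
    $state = Str::random(40);
    $request->session()->put('oauth_state', $state);

    $query = http_build_query([
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'response_type' => 'token',   // 'token' selects the implicit grant ('code' = auth-code flow)
        'scope'         => '',
        'state'         => $state,
    ]);

    return redirect(OAUTH_SERVER . '/oauth/authorize?' . $query);
});

Route::get('/callback', function (Request $request) {
    // PHP cannot see "#access_token=..."; all it can do is hand the expected
    // state to the page and let the browser compare it. pull() makes it single-use.
    $expected = $request->session()->pull('oauth_state', '');
    $expectedJson = json_encode($expected, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    $html = <<<HTML
<!doctype html>
<html><body><p id="msg">Completing login...</p>
<script>
  // Passport returns access_token, token_type, expires_in and state in the fragment.
  const params = new URLSearchParams(location.hash.substring(1));
  // Scrub the token from the address bar and history as early as possible.
  history.replaceState(null, '', location.pathname);
  const expectedState = {$expectedJson};
  const msg = document.getElementById('msg');
  if (expectedState === '' || params.get('state') !== expectedState || !params.get('access_token')) {
    msg.textContent = 'Login failed: missing token or state mismatch';
  } else {
    sessionStorage.setItem('access_token', params.get('access_token'));
    msg.textContent = 'Logged in; token expires in ' + params.get('expires_in') + ' seconds';
  }
</script>
</body></html>
HTML;

    return response($html);
});
```

The state comparison is the only check the client has that the token in the fragment was issued for the request it started, so treat a mismatch as a failed login rather than ignoring it. Because the token is exposed in the URL, the OAuth 2.0 Security Best Current Practice recommends the authorization code flow with PKCE (covered earlier in this series) over the implicit grant for new applications.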
What next
References
- https://github.com/Ghostscypher/OAuth2-Tutorial — GitHub repo for this tutorial
- Laravel Passport — Laravel — The PHP Framework For Web Artisans