Creating your own Oauth2 server using Laravel Passport —Implicit grant flow

3 min read, Feb 3, 2022
Image attribution to https://morioh.com/p/274f0d5cf0ab

Table of contents

  1. Initial config — Recommend you start here
  2. Setting up authorization code flow + with PKCE
  3. Creating your own Oauth2 server using Laravel Passport — client credentials flow
  4. Creating your own Oauth2 server using Laravel Passport — Password grant flow
  5. Creating your own Oauth2 server using Laravel Passport — Implicit grant flow — You are here
  6. Creating your own Oauth2 server using Laravel — Device Grant flow

What we will do

  1. We will implement the implicit grant flow.

Analogy

The implicit grant shortens the authorization code flow by returning the access token directly in the redirect, instead of an authorization code that must then be exchanged. It was designed for single-page applications, where a client secret cannot be stored securely. Be aware that because the token travels in the URL fragment, it is exposed to browser history, bookmarks and any script on the page; for that reason the OAuth 2.0 Security Best Current Practice discourages the implicit grant and the Laravel Passport documentation no longer recommends it. For new applications prefer the authorization code flow with PKCE from part 2 of this series; this part shows the implicit grant so that you can recognise and support it where it already exists.

The analogy: suppose you (the client app) receive a customer who wants to purchase an item. You send this stranger to your friend (the authorization server) along with your name (the client id). Your friend knows how to verify this customer (logging in). Once your friend has confirmed that he indeed knows the customer, he asks the customer whether you sent them. If the customer confirms that they know you (the authorization step), your friend sends the customer back to you carrying an access token, which you can use to complete the transaction.

The steps are as follows.

  1. Send the customer to your friend together with your client id.
  2. The customer verifies themselves by logging in at your friend's place.
  3. Once the customer has logged in and approved you, your friend sends them back with an access token in the URL fragment.
  4. You use this access token to make other API requests.

Step 1: Create ‘implicit grant’ client on OAuth2-Server app

To create this client, run the following on the OAuth2-Server app. The --public flag creates a client without a secret, which is all the implicit grant needs, since the client secret is never used in this flow:

php artisan passport:client --public

You should have something like this

And in your DB the following record should be inserted

Step 2: Enable implicit grant on Oauth2-Server app

We need to enable the implicit grant in the boot() method of your AuthServiceProvider by calling Passport::enableImplicitGrant(), as shown below. Until this is done, Passport will not accept response_type=token requests on /oauth/authorize.

Step 3: Add the login route and callback to client app

Route for implicit login

In the controller

Route for callback

In the controller

Finally, add a "Login with OAuth2 implicit grant" link to the client app so that we can test the flow.

To check whether the request succeeded, look at the URL you were redirected to after logging in and approving the client: the fragment (the part after #) should contain the access token, like the one shown below. Passport returns access_token, token_type, expires_in and the state value you sent.

The fragment is never sent to the server, so only JavaScript running on the callback page can read it. Before using the token, confirm that the state param in the fragment matches the value your app stored before redirecting; a mismatch means the response was not started by this session and must be discarded. Once the token has been read, remove the fragment from the address bar so it does not linger in history, and send the token only in the Authorization header of your API requests.

What next

  1. Implementing device grant flow.

References

  1. https://github.com/Ghostscypher/OAuth2-Tutorial — Github repo for this tutorial
  2. Laravel Passport — Laravel — The PHP Framework For Web Artisans


Backend developer with 7+ years of experience. Specializing mainly in PHP Laravel. Interested in natural simulations, visualization systems, and anything nerdy