I have two codebases
1) Vue powered front-end application: example.com
2) Laravel Api: api.example.com

I'd like to implement basic register/login flow with Laravel Passport, but in a way that the token is "refreshed" on every API request. Otherwise, UX is very poor since the user can be logged out even if s/he uses the app actively.

I've read a bunch of articles and finally in here https://alexbilbie.com/guide-to-oauth-2-grants/ - I'm convinced that I need to use Implicit grant tokens.

But in my understanding, this code:

```php
// Build the implicit-grant authorization request (from the Passport docs).
// 'client-id' and the redirect URI are placeholders for the real client values.
Route::get('/redirect', function () {
    $query = http_build_query([
        'client_id' => 'client-id',
        'redirect_uri' => 'http://example.com/callback',
        'response_type' => 'token', // implicit grant: the token comes back in the URL fragment
        'scope' => '',
    ]);

    // Sends the browser to the authorization server's login/consent page.
    return redirect('http://your-app.com/oauth/authorize?'.$query);
});
```

redirects the user to the server-side login page, but I'll handle the login/register on the client-side and simply provide the credentials to the server.

So, what should my server-side controller look like, if I'm going to provide the necessary credentials (email/password) from the client-side and ideally return the access_token?

Simply put: I want the authentication system to work very similarly to the basic web-based authentication in Laravel, but using tokens.

Btw, the reason I use Passport in the first place is that the project will support a bunch of different authentication flows, e.g., SMS.

Cecily Miller
  • Actually, reading a bit more about the subject, I may want to use ***password grant*** tokens in my use case. BUT how am I supposed to refresh it on every API call? – Cecily Miller Jul 25 '19 at 09:40
  • I suggest you read the [grant_types](https://oauth.net/2/grant-types/) and [try the implicit grant_type yourself](https://www.oauth.com/playground/implicit.html); also read the [security concern](https://stackoverflow.com/questions/13387698/why-is-there-an-authorization-code-flow-in-oauth2-when-implicit-flow-works-s) about the Implicit Grant – Max Jul 25 '19 at 10:21
  • @Max Thanks for your response, the security concern was very interesting. I'm trying to understand the process of refreshing the token, because, if I have understood correctly, if the token expires in, let's say, 1 week, then even if the user uses the app actively, the token will expire anyway and the user is logged out. That doesn't make any sense to me. I'm sure I'm missing something obvious. – Cecily Miller Jul 25 '19 at 10:44
  • A naive way to "solve" this is to make the token live for a ridiculously long time, but that creates another issue, like when and based on what we clean up the DB of unused tokens. This whole concept gives me a headache lol – Cecily Miller Jul 25 '19 at 10:49
  • The user is logged out if the refresh_token and access_token are both expired. If the access_token expires, with the refresh_token you can get another token AND a _fresh_ refresh_token. See this [stackoverflow post](https://stackoverflow.com/questions/40555855/does-the-refresh-token-expire-and-if-so-when) – Max Jul 25 '19 at 11:38
  • @Max Thank you so much! The post you linked did answer all my questions. Finally, the flow makes sense. Have a great day! – Cecily Miller Jul 25 '19 at 11:46
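The flow the comments converge on (password grant to obtain an access token plus a refresh token, then exchanging the refresh token whenever the access token is about to expire), as an added example that is not part of the question or of Laravel Passport's own code. It is a browser-side token manager the Vue app could wrap its API client in. `createTokenClient`, `fakeTokenEndpoint` and `runScenario` are names chosen here; the injected `post` function stands in for axios and for Passport's `/oauth/token` route, which in stock Passport answers both `grant_type=password` and `grant_type=refresh_token` with `access_token`, `refresh_token` and `expires_in`; the client id `2`, the secret and the credentials are constructed placeholders. Passport revokes a refresh token once it has been exchanged, and the stub reproduces that so a replayed old refresh token is rejected. One caveat for a public SPA: a `client_secret` shipped to the browser is readable by anyone who loads the page, so it identifies the app rather than authenticating it, and tokens are kept in memory rather than localStorage to limit what an injected script can read.

```javascript
// Added example (not from the question or from Laravel Passport): client-side
// password-grant login plus transparent refresh before each API request.
// `post` is synchronous here so the scenario runs deterministically offline;
// a real app would pass an async HTTP client and await the calls.

const SKEW_SECONDS = 30; // refresh slightly before the server-side expiry

function createTokenClient({ tokenUrl, clientId, clientSecret, post, now }) {
  let session = null; // { accessToken, refreshToken, expiresAt } held in memory only
  let refreshes = 0;

  function remember(body) {
    session = {
      accessToken: body.access_token,
      refreshToken: body.refresh_token,
      expiresAt: now() + body.expires_in,
    };
  }

  return {
    // Password grant: the SPA collects email/password itself and exchanges
    // them at the token endpoint, with no server-side login page involved.
    login(username, password) {
      remember(post(tokenUrl, {
        grant_type: 'password', client_id: clientId, client_secret: clientSecret,
        username, password, scope: '',
      }));
    },

    // Called before every API request. An active user is never logged out as
    // long as each refresh token is exchanged before it expires in turn.
    getAccessToken() {
      if (!session) throw new Error('not logged in');
      if (session.expiresAt - SKEW_SECONDS <= now()) {
        remember(post(tokenUrl, {
          grant_type: 'refresh_token', refresh_token: session.refreshToken,
          client_id: clientId, client_secret: clientSecret, scope: '',
        }));
        refreshes += 1;
      }
      return session.accessToken;
    },

    refreshCount() { return refreshes; },
    currentRefreshToken() { return session && session.refreshToken; },
  };
}

// Constructed stand-in for Passport's /oauth/token so the example runs offline.
// It enforces the two behaviours that matter for the flow: credentials are
// checked on the password grant, and a refresh token is revoked once used.
function fakeTokenEndpoint() {
  let issued = 0;
  const liveRefreshTokens = new Set();
  return function post(url, params) {
    if (url !== '/oauth/token') throw new Error('unexpected url ' + url);
    if (params.grant_type === 'password') {
      if (params.username !== 'alice@example.com' || params.password !== 'correct-horse') {
        throw new Error('invalid_grant');
      }
    } else if (params.grant_type === 'refresh_token') {
      if (!liveRefreshTokens.has(params.refresh_token)) throw new Error('invalid_grant');
      liveRefreshTokens.delete(params.refresh_token); // replaying it later fails
    } else {
      throw new Error('unsupported_grant_type');
    }
    issued += 1;
    const refreshToken = 'rt-' + issued;
    liveRefreshTokens.add(refreshToken);
    return { token_type: 'Bearer', expires_in: 3600,
             access_token: 'at-' + issued, refresh_token: refreshToken };
  };
}

// Walk the flow with a controllable clock (seconds) and report what happened.
function runScenario() {
  let clock = 0;
  const post = fakeTokenEndpoint();
  const client = createTokenClient({
    tokenUrl: '/oauth/token', clientId: '2', clientSecret: 'demo-secret', // placeholders
    post, now: () => clock,
  });

  client.login('alice@example.com', 'correct-horse');
  const first = client.getAccessToken();       // fresh token, no refresh needed
  clock = 1800;
  const midway = client.getAccessToken();      // still valid, same token
  clock = 3600;
  const afterExpiry = client.getAccessToken(); // expired: refreshed transparently

  let replayRejected = false;                  // the first refresh token is now revoked
  try { post('/oauth/token', { grant_type: 'refresh_token', refresh_token: 'rt-1' }); }
  catch (e) { replayRejected = e.message === 'invalid_grant'; }

  return { first, midway, afterExpiry, refreshes: client.refreshCount(),
           replayRejected, currentRefreshToken: client.currentRefreshToken() };
}

console.log(runScenario());
```

Because the expiry check runs before every request, an active user is silently re-issued tokens and is only logged out once they have been idle long enough for the refresh token itself to lapse, which is the behaviour the question is after. The `SKEW_SECONDS` margin avoids sending a request with a token that expires while in flight, and the rotation of the refresh token on each exchange means a leaked old refresh token is useless once the legitimate client has used it.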

0 Answers