Using Laravel Passport, how can I check if a refresh token is still valid?

I'm not asking about the access token: that one I can verify by requesting any route implementing Route::middleware('auth:api')->get('any-protected-route', function () { return true; });

I know how to use it to request new access and refresh tokens (querying oauth/tokens), but it will revoke the current one.

Use case: I have a refresh token stored as an HttpOnly ✓ cookie, and I'd like to use it to validate requests for static resources (native <img src="…"> or background-image: url(…)), because it is sent by the browser with every request. But I don't know how to validate it (non-destructively) in the Controller.

(I am aware of the access tokens as a query string solution, but I'd rather avoid it due to possible security issues).

Thank you.

HynekS

1 Answer

You don't need to check the validity of a refresh token. The purpose of these tokens is not to demonstrate that the user has a session; their only purpose is to generate a new access token that can be used against your API and will validate whether the user has a valid session.

If the refresh token is invalid, it won't generate a new access token.
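
The refresh grant the answer refers to, as an added example that is not part of the original answer: a controller that exchanges the cookie's refresh token for a new token pair, rotates the cookie, and treats a failed grant as "not authenticated". The class name, the `refresh_token` cookie name, the `services.passport.*` config keys and the 30-day cookie lifetime are assumptions.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: the 'refresh_token' cookie name, the services.passport.* config
// keys, the 30-day lifetime and the TokenRefreshController class are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class TokenRefreshController extends Controller
{
    public function __invoke(Request $request): JsonResponse
    {
        $refreshToken = $request->cookie('refresh_token');
        if (! is_string($refreshToken) || $refreshToken === '') {
            return response()->json(['error' => 'unauthenticated'], 401);
        }

        // OAuth2 refresh grant against Passport's token endpoint.
        $response = Http::asForm()->post(url('/oauth/token'), [
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
            'client_id'     => config('services.passport.client_id'),
            'client_secret' => config('services.passport.client_secret'),
            'scope'         => '',
        ]);

        // An invalid, expired or revoked refresh token yields an error response
        // and no new access token, so clear the stale cookie and force a login.
        if ($response->failed()) {
            return response()->json(['error' => 'unauthenticated'], 401)
                ->withCookie(cookie()->forget('refresh_token'));
        }

        $tokens = $response->json();

        // The grant revoked the old refresh token: store the new one, again
        // HttpOnly, Secure and SameSite=Strict, so page script never reads it.
        return response()
            ->json([
                'access_token' => $tokens['access_token'],
                'expires_in'   => $tokens['expires_in'],
            ])
            ->cookie('refresh_token', $tokens['refresh_token'], 60 * 24 * 30, '/', null, true, true, false, 'Strict');
    }
}
```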