Laravel Passport Password Grant - Client authentication failed

Question

After hearing a lot about laravel passport, i thought of implementing it into my new project where my requirement is to create an API that'll be used in a mobile app.

So my mobile app is a client, which will further have its users.

I followed the steps mentioned by Taylor and also read about it here. In a nutshell I followed these steps:

1. Installed laravel/passport.
2. Created a website user.
3. Generated passport keys php artisan passport:install
4. Generated client_id and client_secret using php artisan passport:client
5. Added redirection and callback routes in web.php
6. Authorized the user and got the final access token.

Then I tried calling api/user( with Header Authorization containing value Bearer eyJ0eXAiOiJKV1...(token)

I received the data. Pretty simple and neat.

But my app users won't have these details. So I thought of configuring Password Grant Tokens which fits perfectly in my requirement.

Now starts the real headache. I've been trying to set this up for the last 3 days and continuously getting

{"error":"invalid_client","message":"Client authentication failed"}

I've tried almost every guide I followed online: Redirection Issues, Add Atleast One Scope Solution, P100Y Issue etc.

But I'm still getting invalid client error. Here's what I'm passing through POSTMAN to oauth/token:

{
    "grant_type": "password",
    "client_id": "3",
    "client_secret": "8BUPCSyYEdsgtZFnD6bFG6eg7MKuuKJHLsdW0k6g",
    "username": "test@gmail.com",
    "password": "123456",
    "scope": ""
}

Any help would be appreciated.

Answer 1

I think the most clear understanding of this issue is that:

You are passing something different than what is registered for your OAuth Client.

It can be the key or something else from the table oauth_clients. So, check every parameter you are passing.

In my case the "redirect" param value differed from what I had saved on the database.

Answer 2

Unfortunately enough, my issue has to do with the XAMPP virtual host.

I have the following setup;

1. Auth server: users.test (Passport is installed here)
2. Client: example.test (Authenticate users via the users.test)

The websites load fine but the client can't generate a token after receiving the authorization code.

Solution: Instead of using the virtual host names (users.test and example.test), I serve both apps using php artisan serve --port 81 and php artisan serve --port 82 respectively.

Surprisingly enough, everything suddenly starts working fine!

Answer 3

in your boot method of AppServiceProvider add this line:

use Laravel\Passport\Passport;

...


/**
 * Bootstrap any application services.
*/
public function boot(): void
{
    Passport::enablePasswordGrant();
}

Answer 4

This might be a long shot, but after creating your client keys, make sure to check the oauths_client table and verify that the values for PASSPORT_PERSONAL_ACCESS_CLIENT_ID and PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET in the .env file match the user_id and the secret in the database table. Do not use the id.

Answer 5

In laravel 9.x, the error : Client authentication failed will also be thrown if you have Passport::hashClientSecrets() in your AuthServiceProvider boot method. Am not sure why, but removing it just saved me time.

Answer 6

I was having this same issue, I tried all the above solutions, no success.

So i just reloaded the tables, recreated the user, the passport client and solved. My solution was reset everything:

php artisan migrate:fresh (will clean your database.)

php artisan passport:client --password

Answer 7

I fixed it by making sure that in the oauth_clients table my client has column password_client set to 1:

Source: https://github.com/laravel/passport/issues/589#issuecomment-357515110

There may be quite scenarios for the above issue.I will explain it one by one. You always need to pass application/json header .

1. Make sure the client id and secret is in the oauth_clients and you passed those parameter correctly.In order to generate those client id and secret use php artisan passport:install.
2. Make sure to use password grant client . To identify that goto oauth_clients table and check if password_client is set to 1 and personal_access_client is set to 0 and revoked to 0 . I hope this will solve the issue . Thank you

Answer 8

Try commenting out this line Passport::hashClientSecrets(); in the AppServiceProvider file. You cant use hashed client secrets.

Answer 9

Make sure you are not trying to obtain a token with a hashed client_secret... If you are hashing the client secrets with Passport::hashClientSecrets(); within AppServiceProvider, the tokens generated will only be shown in the terminal output once. Loose this token and it is lost forever.

I was in a rush when I set my passport up and forgot that I was hashing the generated client secrets...

My request body should have contained a non-encrypted client secret, but instead I copied and pasted an encrypted secret from the database.

To fix this, either save your client secrets right away, or remove Passport::hashClientSecrets(); and create a new client.

Answer 10

Hopefully this will save someone the hour I spent debugging this problem:

I went down the rabbit hole to find out why authentication wasn't working. Turned out I was hashing my password in my UsersTableSeeder twice by accident, which is why the hash check failed.

Might be worth checking if the other answers listed don't work for you.

Answer 11

In my case, the solution was to wrap it inside Form-data, don't miss it out if you use normal parameters with the postman, it won't work, make sure to use a body request set to FORM-DATA.

Answer 12

I had the same problem. When you execute php artisan passport:install it issues you with two types of secrets, one for CLIENT grant type, and other for PASSWORD grant type.

I was using the CLIENT secret to issue PASSWORD tokens. Once I changed that up, I was able to generate the access_token and refresh_token normally.

Answer 13

if you tried everything and still it's not working means try this solution!! just give scope *.

$query = http_build_query([
    'client_id' => 1,
    'redirect_uri' => 'http://localhost:3000/callback',
    'response_type' => 'code',
    'scope' => '*'
]);

in my case this is the solution. I have checked

Answer 14

I was also facing the same issue , i got the solution from this link. Please check that. https://github.com/laravel/passport/issues/71

It says that : You make a call to /oauth/token just like you always would to get your token. But do so with a grant_type of custom_request. You'll need to add a byPassportCustomRequest($request) method to your User model (or whatever model you have configured to work with Passport). That method will accept a Illuminate\Http\Request and return the user model if you are able to authenticate the user via the request, or it will return null.

Answer 15

Try creating a new password client using php artisan passport:client --password then most probably an user wont be assigned to that password client. edit the database row and add an exsting user id to it.

{
    "grant_type": "password,"
    "client_id": "" <- edited and added user id
    "client_secret": "8BU......," <- new secret
    "username": "test@gmail.com," <- email of above added user id
    "password": "123456,"<- password 
    "scope": ""
}

Hope you will be able to get token now

Answer 16

Check thoroughly the Grant Type.

{
    "grant_type": "password",
    "client_id": 2,
    "client_secret": 
    "username": ,
    "password": 
    "scope": ""
}

In the above example, it says password. Now check the table: oauth_clients and make sure that the value of column password_client = 1

or look for the entry with the password_client = 1

Answer 17

you can define a two variables like

$client_id = '111';
$client_secret = '1212';

and the condition is in your function like this

protected $clientID = '578324956347895';
protected $clinetSecret ='hflieryt478';

public function index(Request $request)
{

    if (!($request->input('clientID') && $request->input('clinetSecret'))) {
        return false;
    }

    $project = User::all();

   return $project
}

Answer 18

use the below code to generate an access token, it has worked for me before:

$request->request->add([
      'client_id' => '2',
      'client_secret' => 'm3KtgNAKxq6Cm1WC6cDAXwR0nj3uPMxoRn3Ifr8L',
      'grant_type' => 'password',
      'username' => 'support@eliteride.co.uk',
      'password' => 'pass22'
    ]);
    $tokenRequest = $request->create('/oauth/token', 'POST', $request->all());

    $token =  \Route::dispatch($tokenRequest);

Answer 19

Have yo try running php artisan config:cache after all the passport commands.

Answer 20

{"error":"invalid_client","message":"Client authentication failed"}

means that the client_id and client_secret you're currently sending is one of the following:

1. client_id and client_secret being sent is not registered in your oauth server
2. client_id and client_secret being sent is not of the grant type that you specify in the post body

For me, the password_client column value for that particular client was 0. i manually changed it to 1 but it didn't help. – Kanav Oct 4 at 3:25

As I read your comment to some of the answer makes this one is obvious that you use the wrong type of client_id and client_secret for your password grant flow, so your case was the latter. You can verify that by finding the entry in oauth_clients table for your supplied client_id and client_secret

"grant_type": "password,"    
"client_id": "3,"
"client_secret": "8BUPCSyYEdsgtZFnD6bFG6eg7MKuuKJHLsdW0k6g,"

SELECT * FROM oauth_clients WHERE id = 3 AND secret = '8BUPCSyYEdsgtZFnD6bFG6eg7MKuuKJHLsdW0k6g' AND password_client=1;

in your oauth_clients table to check that whether your supplied client_id and client_secret exists for password grant flow in your oauth server. And also you don't manually change the type of client by simply switching the value of that column, you have to create a new client for password grant type.

php artisan migrate

This command will migrate the laravel/passport migration file to generate two default clients for each type that laravel/passport currently supported. You can also create a client for password grant flow with

php artisan passport:client --password

When you have a new client for password grant type, try POSTing again to /oauth/token to generate a token with your new generated client_id and client_secret

Answer 21

Check the redirect/callback url when the client is set up on the passport server. Check the entry where you get the client ID and secret from that the Redirect URL is correct.

I was getting the same error and found the Redirect URL wasn't correct.

It needs to be pointing to the /callback route (in the examples that Taylor gives)

Answer 22

This might help point you in the right direction because we're implementing the password grant ourselves.

1 - On your step 4 instead of running this:

php artisan passport:install

run the following to create your password grant Client:

php artisan passport:client --password

The above command will give a followup question to set the name of your Password Grant Client. Be sure to get the id and secret of this new record in your database.

2 - Your POSTMAN Post request object should be wrapped inside an object similar to the following:

'form_params' => [
    'grant_type' => 'password',
    'client_id' => 'my_client-id',
    'client_secret' => 'my_client-secret',
    'username' => 'username or email', <-pass through variables or something
    'password' => 'my-user-password', <- pass through variables or something
    'scope' => '',
],

Update 1 10/12/2016:

On further investigation of this issue I ran into the exact same spot you're at and was forced to dive into the rabbit hole of passport.

Currently from what I'm seeing the system has set the client identifier as 'authorization_code' when it needs to be 'password'. I'm researching how to resolve this issue you're having as I've ran into it too. I will post code to help people follow along where I've been and what I've been doing but it's 2:40 am right now so I need some sleep.

Update 2 10/12/2016

Been debugging the issue for 7 hours now. There is a method within passport that validates the client. This method takes the inputs you've added in the object (mentioned above) and attempts to get the Client Entity through a client repository class based on what you've passed in. If a Client is found it will then be checked to see if an instance of the Client Entity truly exists within the Client Entity Interface which LOOKS like it pulls in the Client's credentials from the database. However, there is a block of code which returns NULL From what I'm getting in my testing. ALL fields are being introduced properly so far but there seems to be a mix-up between the repository and the interface. Which is causing the error to be thrown.

In the end I feel I'm getting close to solving this issue. Your patience is greatly appreciated. =)

Update 3 10/12/2016

After a long period of debugging I've found the initial problem. There were fields that weren't matching up. In short, it's a setup issue.

SO

The solution in this case is:

DOUBLE CHECK ALL FIELDS In the database with ALL credentials being passed in. Right down to periods, dashes, spaces passwords, client id, client secret, VALID redirect URIs/URLs, grant_types, and scopes (if you're using them):

Make sure the client in the database has an ENUM of 1 under the "password_client" column, if not you need to create one using the mentioned php artisan command above, which I'll reference here:

php artisan passport:client --password

Make sure the secret you're passing in matches what is listed for that client in your database character for character

Make sure the id you're passing matches and is of an integer data type.

Make sure there is a name of some sort for the client

Do not worry about the user_id column when using password grants

make sure the route is correct

Make sure the email your entering in (username) is an actual user inside of your users table within your database (or whatever table you customized the laravel 5.3 system to accept as your users table, I will add a link on how to customize laravel 5.3 system to accept a different users table as default if any need it).

Make sure the grant_type is spelled correctly

Make sure you're set up to accept the response bearer token (meaning the access_token and refresh_token).

Other than that, the initial steps I've outlined in the above part of this Answer should put you back on the right track. There are others here who did mention some similar steps that are helpful but address the same error that is related to a seperate issue as well (which I'm sure is a result of a setup issue related to their specific system setup).

I hope this helps though.

Answer 23

I have managed to get the Laravel Passport - Password_Grant_Token working through RESTED(POSTMAN like service) without any additional controllers or middlewares. Here is how I've managed to do it!

Install the default Auth-Scaffolding in laravel doc's here
Install the passport doc's here
Register a user through auth-scaffolding
Goto RESTED or POSTMAN, or any other like service
Check data in oauth_clients table for your form_params
With RESTED through Request_body_form_data not headers write yours forms_params and send a POST request to */oauth/token (full url required)

(required form_params are grant_type, client_id, client_secret, username and password)

You should get in return an object with 4 keys (token_type, expires_in, access_token & refresh_token) and a status of 200 OK.

If all was succesfull so far...

Open another RESTED window:

Send a GET request to /api/user (again full url required) In headers write 2 name-value pairs (Accept => application/json, Authorization => Bearer ACCESS_TOKEN_GOTTEN_IN_PREVIOUS_REQUEST (to /oauth/token)

And that should be it. You should get an user object as response from /api/user.

Answer 24

I had the same issue, and got fixed by setting basic.auth headers, with client_id as username and secret as password.

Then it worked fine.

Answer 25

Check your credentials first if they are correct, Secondly check your model table which uses \Laravel\Passport\HasApiTokens trait that whether it contains email column, because by default it is used to identify user when validating credentials. if your table has username column or any other column which is used in validating credentials you must define a function findForPassport in that model. like this,

public function findForPassport($username) {
       return self::where('username', $username)->first(); // change column name whatever you use in credentials
    }

I use username and password column to validate a user, in {project_directory}\vendor\laravel\passport\src\Bridge\UserRepository.php

this function validates your credentials,

public function getUserEntityByUserCredentials($username, $password, $grantType, ClientEntityInterface $clientEntity)
    {
        if (is_null($model = config('auth.providers.users.model'))) {
            throw new RuntimeException('Unable to determine user model from configuration.');
        }

        if (method_exists($model, 'findForPassport')) { // if you define the method in that model it will grab it from there other wise use email as key 
            $user = (new $model)->findForPassport($username);
        } else {
            $user = (new $model)->where('email', $username)->first();
        }

        if (! $user || ! $this->hasher->check($password, $user->password)) {
            return;
        }

        return new User($user->getAuthIdentifier());
    }

notice the second if statement and you will get to know what is happening there.

hope this help :)