fightstarr20

Reputation: 12608

Laravel Passport - Authenticate using postman

I have set up Passport in Laravel 5 and am creating a token when a user registers by using this...

$user->createToken('My Token')->accessToken;

When I create a new user, I can see an entry in the oauth_access_tokens table that looks like this (I have shortened the id for display)...

id     | user_id | client_id | name     | scopes | revoked
-----------------------------------------------------------
765765 | 193     | 1         | My Token | []     | 0

The API route I want to allow access to is protected. Now I am trying to allow access by passing the following headers in Postman...

Authorization | Bearer 765765
Accept        | application/json

But this returns an "unauthenticated" response. Where am I going wrong?

Upvotes: 1

Views: 14585

Answers (1)

Jonathon

Reputation: 16313

Laravel Passport uses OAuth2. It's not as simple as generating a user token and being able to use it to authenticate. OAuth2 requires another step, which is called a token exchange.

You will have seen the OAuth2 process in action when you log into a website with Facebook. You click the "login with Facebook" button, you are sent to Facebook, and you are presented with a dialog where you're asked to confirm or deny an app access to your account (usually specific parts of your account, a.k.a. scopes).

That website will have its own client account with Facebook and will have its own client ID and client secret. When you click that button, the website sends you to Facebook in order to gain your permission and an authorization code from Facebook. The website passes its client ID, the requested permissions (scopes), a randomly generated session state (so it can verify later) and a redirect URL to Facebook, where you are shown the dialog.

When you accept, Facebook generates what is called an authorization code and sends you back on your way to the website (the redirect URL specified) along with the session state (so the website is able to verify the request) and the authorization code.

The website, on its back end will then ask Facebook to exchange your authorization code for an access token and will provide its client ID and client secret so Facebook is able to verify its authenticity. Facebook then responds with an access token and an expiry time.

Now, the website is able to access your account using the access token to be able to grab the requested information (Such as your email address for login).

It's also possible to skip a lot of this process and not require the user to follow the whole redirection flow. To do this (in Passport at least), you will need a password grant client. This is usually what you would do if you are using OAuth2 to authenticate an API.

The process here would be to generate a password grant client:

php artisan passport:client --password

In your database, you will then find, in the oauth_clients table, a password grant client with a client ID and secret. You would need to give this to whoever is consuming your API (such as a mobile/cellphone app).

Now when your user wants to log in, the consumer of your API (In this case Postman) would need to provide the user's credentials (username/password) as well as the client ID and secret for your password grant client. It's also necessary to tell Passport that you want to authorize via password grant.

The example given in the docs looks like this:

// Guzzle HTTP client; Passport answers on /oauth/token
$http = new GuzzleHttp\Client;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'password',       // tells Passport to use the password grant
        'client_id' => 'client-id',       // from the oauth_clients row created above
        'client_secret' => 'client-secret',
        'username' => '[email protected]',  // the user's own login credentials
        'password' => 'my-password',
        'scope' => '',
    ],
]);

// Decoded JSON: token_type, expires_in, access_token, refresh_token
$token = json_decode((string) $response->getBody(), true);

When successful, Passport will return a 200 response with some JSON containing an access token and a refresh token. You use the access token to access the user's account, and you use the refresh token to get a new access token (without requiring the user to log in again).

It is this access token that you need to provide as the Bearer in your Authorization header.

Upvotes: 15
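As an added example (not part of the answer above and not Passport's own code), here is a small Python client that performs the password-grant exchange the answer describes and then builds the Authorization header Postman needs. It also decodes the returned token for inspection: Passport issues the access token as a JWT, and the value stored in the oauth_access_tokens `id` column is that JWT's `jti` claim, not the bearer token itself, which is why pasting the row id after "Bearer " fails. The base URL, client ID and secret are assumed placeholders, and the sample token and response are constructed inline (with a dummy signature) rather than captured from a real app.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed values (not from the post): the app's base URL and the client ID and
# secret of a password-grant client created with
# `php artisan passport:client --password`.
BASE_URL = "http://your-app.com"
CLIENT_ID = "2"
CLIENT_SECRET = "client-secret"


def build_token_request(username, password, scope=""):
    """Form fields for POST /oauth/token with grant_type=password.
    Same body as the Guzzle example in the answer."""
    return {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "username": username,
        "password": password,
        "scope": scope,
    }


def parse_token_response(body):
    """Extract (access_token, refresh_token, expires_in) from a 200 response;
    anything else (e.g. an invalid_credentials error body) raises."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError("not a bearer token response: %r" % body)
    return data["access_token"], data.get("refresh_token"), data.get("expires_in")


def auth_header(access_token):
    """Headers Postman must send: the whole access token after 'Bearer '."""
    return {"Authorization": "Bearer " + access_token,
            "Accept": "application/json"}


def jwt_claims(token):
    """Decode the payload of a Passport access token for inspection only.
    The signature is NOT checked here; only the server, holding
    oauth-public.key, can verify it. Never authenticate on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: a bare oauth_access_tokens.id is not a token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def request_token(username, password):
    """Live password-grant exchange; needs a reachable Passport app."""
    body = urllib.parse.urlencode(build_token_request(username, password)).encode()
    req = urllib.request.Request(BASE_URL + "/oauth/token", data=body,
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode())


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample (not captured from a real app): a token with the claim
# layout Passport issues, reusing the question's ids. jti is the value stored
# in oauth_access_tokens.id, aud is client_id, sub is user_id. The signature
# segment is a placeholder, so a real server would reject this token.
SAMPLE_JWT = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256"}),
    _b64url({"aud": "1", "jti": "765765", "sub": "193", "scopes": []}),
    "placeholder-signature",
])
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 31536000,
    "access_token": SAMPLE_JWT,
    "refresh_token": "def50200-constructed-refresh-token",
})

if __name__ == "__main__":
    access, refresh, ttl = parse_token_response(SAMPLE_RESPONSE)
    print("jti in token:", jwt_claims(access)["jti"])  # the table's id column
    print("send:", auth_header(access)["Authorization"][:40] + "...")
```

Two practical cautions follow from the exchange itself: the password grant hands the user's credentials to the API consumer, so the client secret should only live in code you control (a server or a trusted first-party app), and `jwt_claims` is for debugging which row a token maps to, not for validating tokens; the server does that with its private/public key pair.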
