Reputation: 193
I have a weird problem with Passport authentication when deploying my application to a new site, in spite of the fact that I haven't had a problem with this before.
I'm using Passport's password grant feature to log in to the application (Laravel 5.4). This happens by the user posting his username/password as JSON to the site, and from there it posts those credentials to OAuth/token to get the API key for the site. This has worked fine in the past, and my OAuth keys are committed to the repository.
The other day I managed to deploy the site to a new server (with the same OAuth keys), regenerated (I think) the app key, loaded my data that has the encrypted passwords, and authentication worked fine. Today, however, I did the same thing on a different branch and now logging in returns 401 Unauthorized.
I've done nearly every permutation I could think of: delete the OAuth keys, regenerate app key, reinstall passport, and yet the app refuses to log in. I don't believe it has anything to do with the source code because no changes I made on this branch would affect the login system.
I even tried copying the working site's app key and OAuth keys to the broken site; it still doesn't work.
What makes this even more puzzling to me is that I have another site with a different app key, different OAuth keys, but the same data, and the login system works fine.
I don't understand the league/oauth2 package enough to understand why this isn't working. What am I missing?
Thanks, Matt
Upvotes: 1
Views: 690
Reputation: 193
Well, bad code doesn't pay.
What I didn't mention was that the site I'm trying to deploy is an attempt to move a domain over to a new server. Both the broken site and its active sister site have the same domain name. This is the code that posts to my own domain's /oauth/token endpoint:
    $username = Input::json('username');
    $password = Input::json('password');
    $page = Input::get('page');
    $client = Client::find(2);
    $http = new GuzzleHttp\Client();
    try {
        $response = $http->post(url('oauth/token'), [ # <-- see the problem?
            'form_params' => [
                'grant_type' => 'password',
                'client_id' => '2',
                'client_secret' => $client->secret,
                'username' => $username,
                'password' => $password,
                'scope' => '',
            ],
        ]);
        #...
The problem is rather hilarious. Since the DNS hasn't switched for the site yet, the requests to my own site are going to the old site, not this one. Hence I'm getting back Unauthenticated. Because I'm not.
The solution was to edit the /etc/hosts file on the server to point the domain to itself. That way, any calls to its own api will actually go to its own api. Problem solved.
Upvotes: 1
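A pre-cutover check for the situation described in the answer above, as an added example that is not part of the original post: it reports whether the server's own domain is pinned in /etc/hosts (or otherwise resolves) to this machine, since until it does, the username, password and client secret in the login request are POSTed to whichever server DNS still names. The function names and sample hostnames are hypothetical, and `hostname -I` and `getent` assume a Linux host.

```bash
#!/usr/bin/env bash
# Added example: will this server's HTTP calls to its own domain reach
# this server, or the machine that DNS still points at?

# Print the address a hosts-format file pins NAME to (first match wins,
# as in the resolver). Prints nothing if NAME is not listed.
hosts_pin() {
    local name="$1" file="${2:-/etc/hosts}"
    awk -v n="$name" '
        { sub(/#.*/, "") }                       # drop comments
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(n)) { print $1; exit } }
    ' "$file"
}

# True if ADDR is loopback or appears in the space-separated LOCAL list.
is_self_addr() {
    local addr="$1" local_addrs="$2" a
    case "$addr" in 127.*|::1) return 0 ;; esac
    for a in $local_addrs; do
        [ "$a" = "$addr" ] && return 0
    done
    return 1
}

# check_self_routing NAME [HOSTS_FILE] [LOCAL_ADDRS]
# Prints "self ADDR" (rc 0), "remote ADDR" (rc 1) or "unresolved" (rc 2).
check_self_routing() {
    local name="$1" file="${2:-/etc/hosts}"
    local local_addrs="${3-$(hostname -I 2>/dev/null)}"
    local addr
    addr=$(hosts_pin "$name" "$file")
    # Not pinned in the hosts file: fall back to the system resolver.
    [ -n "$addr" ] || addr=$(getent hosts "$name" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -z "$addr" ]; then echo "unresolved"; return 2; fi
    if is_self_addr "$addr" "$local_addrs"; then echo "self $addr"; return 0; fi
    echo "remote $addr"; return 1
}
```

Run `check_self_routing your.domain` on the new server before testing logins; a `remote` result means self-addressed requests such as the `oauth/token` call are leaving the box.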