Qube

Reputation: 41

Laravel passport: clear session from mobile

I'm using the authorization code grant with PKCE. I tried to revoke the token via the API without issue (the route is under the auth:api middleware). However, the server-side session is not over, and when I try to log in again, it skips the login form and jumps to the authorization prompt or just to the callback page. I tried to create a route in the web middleware which kills the session, but it always stores the cookies 'laravel_session' and 'XSRF-TOKEN' and I can't delete them.

I would like to let the user click a logout button in the mobile app, and the user should go through the whole OAuth2 flow when logging in again instead of skipping the login form on the server side.

use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Session;
use Laravel\Passport\RefreshTokenRepository;
use Laravel\Passport\TokenRepository;

public function logoutAPI()
{
    // Clear the server-side web session (only affects the session whose cookie
    // was sent with this request; an API call without that cookie has no effect here)
    Auth::guard('web')->logout();
    Session::flush();

    // Read the token id first, then revoke the access token and every
    // refresh token that was issued against it
    $tokenId = Auth::user()->token()->id;

    app(TokenRepository::class)->revokeAccessToken($tokenId);
    app(RefreshTokenRepository::class)->revokeRefreshTokensByAccessTokenId($tokenId);

    return response()->json([
        'msg' => 'You have been successfully logged out',
    ], 200);
}

Note that I will not use other grant types; reference here: https://oauth2.thephpleague.com/authorization-server/which-grant/

Upvotes: 1

Views: 429

Answers (1)

Hafez Divandari

Reputation: 9029

You may use prompt=login when redirecting for authorization on Laravel Passport >= 11.3. This causes the app to always prompt the user to re-login to the application, even if they already have an existing session.

Check docs for more info: https://laravel.com/docs/9.x/passport#requesting-tokens-redirecting-for-authorization

Upvotes: 0
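As an added example (not code from the question, the answer, or Laravel itself), here is what the answer's suggestion looks like in a Laravel consumer app: a redirect route that starts the authorization-code + PKCE flow with prompt=login, and a callback route that checks the state and exchanges the code. The client id, the passport-app.test and third-party-app.com hosts, and the callback path are placeholder assumptions; the PKCE challenge derivation follows the Passport documentation linked above.

```php
<?php
// Added example, not from the original post. Assumes Laravel Passport >= 11.3
// on the authorization server and a registered public client whose id and
// redirect URI match the placeholder values below.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// Placeholder values (assumptions); replace with your own client registration.
const OAUTH_CLIENT_ID   = 'client-id';
const OAUTH_SERVER      = 'http://passport-app.test';
const OAUTH_REDIRECT    = 'http://third-party-app.com/callback';

Route::get('/redirect', function (Request $request) {
    // CSRF protection for the redirect: state is checked again in the callback
    $state = Str::random(40);

    // PKCE: keep the verifier server-side, send only its S256 challenge
    $codeVerifier  = Str::random(128);
    $codeChallenge = strtr(
        rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='),
        '+/',
        '-_'
    );

    $request->session()->put([
        'state'         => $state,
        'code_verifier' => $codeVerifier,
    ]);

    $query = http_build_query([
        'client_id'             => OAUTH_CLIENT_ID,
        'redirect_uri'          => OAUTH_REDIRECT,
        'response_type'         => 'code',
        'scope'                 => '',
        'state'                 => $state,
        'code_challenge'        => $codeChallenge,
        'code_challenge_method' => 'S256',
        // Force the login form even if the authorization server still has
        // a valid session for this browser (Passport >= 11.3)
        'prompt'                => 'login',
    ]);

    return redirect(OAUTH_SERVER . '/oauth/authorize?' . $query);
});

Route::get('/callback', function (Request $request) {
    $state        = $request->session()->pull('state');
    $codeVerifier = $request->session()->pull('code_verifier');

    // Reject the callback if the state does not match what we issued
    throw_unless(
        strlen($state) > 0 && $state === $request->state,
        InvalidArgumentException::class
    );

    // Exchange the authorization code, proving possession of the PKCE verifier
    $response = Http::asForm()->post(OAUTH_SERVER . '/oauth/token', [
        'grant_type'    => 'authorization_code',
        'client_id'     => OAUTH_CLIENT_ID,
        'redirect_uri'  => OAUTH_REDIRECT,
        'code_verifier' => $codeVerifier,
        'code'          => $request->code,
    ]);

    // Contains access_token, refresh_token and expires_in on success
    return $response->json();
});
```

With prompt=login in place, revoking the mobile app's token and then starting this redirect again lands the user on the Passport login form rather than on the authorization prompt or straight on the callback, which is the behaviour the question asks for. Note that the logout endpoint in the question still only revokes the API token; the server-side session of the authorization server is handled by prompt=login at the next login rather than by the API call.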
