
Papers, Please! API Authentication with Laravel Passport


How secure is your API? As the prevalence of REST/SOAP APIs has grown, so has the need to secure your data. In the past, implementing something like OAuth 1.0 or OAuth 2.0 was entirely up to you.

Join me as we walk through how exactly Laravel has made API authentication easy and seamless to integrate.

Hunter Skrasek

April 21, 2018


Transcript

  1. API Authentication Made Easy

     APIs typically use tokens to authenticate and do not maintain session state between requests.

     Papers, Please! Authentication with Laravel Passport — @hskrasek
  2. Installation

     — composer require laravel/passport
     — php artisan migrate

  3. Installation

     — composer require laravel/passport
     — php artisan migrate
     — php artisan passport:install
  4. App\User

         <?php

         namespace App;

         use Laravel\Passport\HasApiTokens;
         use Illuminate\Notifications\Notifiable;
         use Illuminate\Foundation\Auth\User as Authenticatable;

         class User extends Authenticatable
         {
             use HasApiTokens, Notifiable;
         }
  5. App\Providers\AuthServiceProvider

         <?php

         namespace App\Providers;

         use Laravel\Passport\Passport;
         use Illuminate\Support\Facades\Gate;
         use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

         class AuthServiceProvider extends ServiceProvider
         {
             /**
              * The policy mappings for the application.
              *
              * @var array
              */
             protected $policies = [
                 'App\Model' => 'App\Policies\ModelPolicy',
             ];

             /**
              * Register any authentication / authorization services.
              *
              * @return void
              */
             public function boot()
             {
                 $this->registerPolicies();

                 Passport::routes();
             }
         }
  6. And finally...

         'guards' => [
             'web' => [
                 'driver' => 'session',
                 'provider' => 'users',
             ],

             'api' => [
                 'driver' => 'passport',
                 'provider' => 'users',
             ],
         ],
  7. Frontend Quickstart

     While Passport ships with consumable JSON APIs, it also comes with pre-built Vue components you may use.

  8. Frontend Quickstart

     While Passport ships with consumable JSON APIs, it also comes with pre-built Vue components you may use.

     — php artisan vendor:publish --tag=passport-components
  9. Registering the Vue components

         Vue.component(
             'passport-clients',
             require('./components/passport/Clients.vue')
         );

         Vue.component(
             'passport-authorized-clients',
             require('./components/passport/AuthorizedClients.vue')
         );

         Vue.component(
             'passport-personal-access-tokens',
             require('./components/passport/PersonalAccessTokens.vue')
         );

         <passport-clients></passport-clients>
         <passport-authorized-clients></passport-authorized-clients>
         <passport-personal-access-tokens></passport-personal-access-tokens>
  10. Consuming Your API With JavaScript

      When building an API, it can be extremely useful to be able to consume your own API from your JavaScript application.

  11. CreateFreshApiToken

          'web' => [
              // Other middleware...
              \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
          ],

          window.axios.defaults.headers.common = {
              'X-Requested-With': 'XMLHttpRequest',
          };

      This Passport middleware attaches a laravel_token cookie to outgoing requests, containing an encrypted JWT.
  12. Deploying Passport

      When deploying for the first time, you'll likely need to run passport:keys.
  13. Token Lifetimes

      By default, Passport issues long-lived tokens.

          /**
           * Register any authentication / authorization services.
           *
           * @return void
           */
          public function boot()
          {
              $this->registerPolicies();

              Passport::routes();

              Passport::tokensExpireIn(now()->addDays(15));

              Passport::refreshTokensExpireIn(now()->addDays(30));
          }
  14. Issuing Access Tokens

      Using OAuth2 with authorization codes is how most developers are familiar with OAuth2. Think Facebook, Google, GitHub.
  15. Managing Clients

      There are many ways to create clients using Passport.

  16. Managing Clients

      There are many ways to create clients using Passport.

      — passport:client command

  17. Managing Clients

      There are many ways to create clients using Passport.

      — passport:client command
      — JSON API
  18. Requesting Tokens

      You can request tokens using the following methods.
  19. Authorization Grant

      A redirection-based flow in which the client redirects to the authorization server.
  21. Refresh Grant

      Access tokens eventually expire; some grants respond with refresh tokens allowing the client to get a new access token.
  23. Password Grant

      This grant allows your other first-party clients, such as mobile apps, to obtain an access token using an email and password.
  25. Implicit Grant

      Similar to the authorization code grant; however, the token is returned to the client without an authorization code.
  26. Enabling the implicit grant

          /**
           * Register any authentication / authorization services.
           *
           * @return void
           */
          public function boot()
          {
              $this->registerPolicies();

              Passport::routes();

              Passport::tokensExpireIn(now()->addDays(15));

              Passport::refreshTokensExpireIn(now()->addDays(30));

              Passport::enableImplicitGrant();
          }
  28. Client Credentials Grant

      Suitable for machine-to-machine authentication.

      — 'client' => CheckClientCredentials::class,

  29. Client Credentials Grant

      Suitable for machine-to-machine authentication.

      — 'client' => CheckClientCredentials::class,
      — Route::get()->middleware('client')
  31. Personal Access Tokens

      Allowing users to issue tokens to themselves can be useful for experimentation.
  32. Protecting Routes

      Utilize Passport's authentication guard to validate access tokens on incoming requests.

          Route::get('/user', function () {
              //
          })->middleware('auth:api');
  33. Token Scopes

      Scopes allow your API clients to request a specific set of permissions when requesting authorization to access an account.
  34. Defining API scopes

          use Laravel\Passport\Passport;

          Passport::tokensCan([
              'place-orders' => 'Place orders',
              'check-status' => 'Check order status',
          ]);
  35. Checking Scopes

          'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,
          'scope' => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,

          Route::get('/orders', function () {
              // Access token has both "check-status" and "place-orders" scopes...
          })->middleware('scopes:check-status,place-orders');

          Route::get('/orders', function () {
              // Access token has either "check-status" or "place-orders" scope...
          })->middleware('scope:check-status,place-orders');

          if ($request->user()->tokenCan('place-orders')) {
              //
          }
  36. Events

      Passport raises events when issuing access and refresh tokens.

          /**
           * The event listener mappings for the application.
           *
           * @var array
           */
          protected $listen = [
              'Laravel\Passport\Events\AccessTokenCreated' => [
                  'App\Listeners\RevokeOldTokens',
              ],

              'Laravel\Passport\Events\RefreshTokenCreated' => [
                  'App\Listeners\PruneOldTokens',
              ],
          ];
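The slide names a RevokeOldTokens listener but does not show its body. As an added example (not the author's code), here is one way such a listener can keep a user down to a single live access token per client, so that an older, possibly leaked token stops working as soon as the legitimate client authenticates again. The AccessTokenCreated properties and the Laravel\Passport\Token model are Passport's own; the listener logic is an assumption.

```php
<?php

namespace App\Listeners;

use Laravel\Passport\Events\AccessTokenCreated;
use Laravel\Passport\Token;

// Added example: on every new access token, revoke every other non-revoked
// access token the same user holds for the same client. This bounds the
// number of valid bearer tokens per (user, client) pair to one.
class RevokeOldTokens
{
    /**
     * Handle the event.
     *
     * @param  \Laravel\Passport\Events\AccessTokenCreated  $event
     * @return void
     */
    public function handle(AccessTokenCreated $event)
    {
        // Client-credentials tokens carry no user id; leave those alone so
        // machine-to-machine clients do not revoke each other's tokens.
        if ($event->userId === null) {
            return;
        }

        Token::where('id', '<>', $event->tokenId)
            ->where('user_id', $event->userId)
            ->where('client_id', $event->clientId)
            ->where('revoked', false)
            ->update(['revoked' => true]);
    }
}
```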
  37. Testing

      Passport's actingAs method can be used to specify the currently authenticated user as well as its scopes.

          public function testServerCreation()
          {
              Passport::actingAs(
                  factory(User::class)->create(),
                  ['create-servers']
              );

              $response = $this->post('/api/create-server');

              $response->assertStatus(200);
          }
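The test on the slide only covers the happy path. As an added example (not the author's code), the following feature test also pins down the failure modes of the scope middleware from the Checking Scopes slide: a token missing one required scope is rejected, and a request with no token at all is rejected. It assumes the /orders route is protected with scopes:check-status,place-orders (the first route on that slide) and that App\User and the Laravel test helpers from the deck's era (factory, RefreshDatabase) are available.

```php
<?php

namespace Tests\Feature;

use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Passport\Passport;
use Tests\TestCase;

// Added example: negative tests for scope enforcement on GET /orders, which
// is assumed to carry the 'scopes:check-status,place-orders' middleware.
class OrderScopeTest extends TestCase
{
    use RefreshDatabase;

    public function testTokenMissingOneRequiredScopeIsRejected()
    {
        // 'scopes:...' (CheckScopes) requires every listed scope; this token
        // has only one of the two.
        Passport::actingAs(factory(User::class)->create(), ['check-status']);

        $response = $this->getJson('/orders');

        // CheckScopes throws MissingScopeException, an AuthorizationException,
        // which Laravel renders as 403 Forbidden.
        $response->assertStatus(403);
    }

    public function testTokenWithAllRequiredScopesIsAccepted()
    {
        Passport::actingAs(
            factory(User::class)->create(),
            ['check-status', 'place-orders']
        );

        $this->getJson('/orders')->assertStatus(200);
    }

    public function testRequestWithoutTokenIsRejected()
    {
        // No actingAs: CheckScopes finds no authenticated token and throws an
        // AuthenticationException, rendered as 401 for a JSON request.
        $this->getJson('/orders')->assertStatus(401);
    }
}
```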