Slide 1

Papers, Please! Authentication with Laravel Passport — @hskrasek

Slide 2

API Authentication Made Easy

APIs typically use tokens to authenticate and do not maintain session state between requests.

Slide 6

Installation

— composer require laravel/passport
— php artisan migrate
— php artisan passport:install

Slide 8

Then call Passport::routes() from the boot method of app/Providers/AuthServiceProvider.php (the class header and the $policies array are the stock Laravel ones; the slide only showed the tail of the file):

    <?php

    namespace App\Providers;

    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
    use Laravel\Passport\Passport;

    class AuthServiceProvider extends ServiceProvider
    {
        protected $policies = [
            'App\Model' => 'App\Policies\ModelPolicy',
        ];

        /**
         * Register any authentication / authorization services.
         *
         * @return void
         */
        public function boot()
        {
            $this->registerPolicies();

            // Registers the /oauth/* routes for issuing tokens and managing clients
            Passport::routes();
        }
    }

Slide 9

And finally, in config/auth.php, set the api guard's driver to passport:

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'passport',
            'provider' => 'users',
        ],
    ],

Slide 11

Frontend Quickstart

While Passport ships with consumable JSON APIs, it also comes with pre-built Vue components you may use.

— php artisan vendor:publish --tag=passport-components

Slide 12

Register the published components in your app.js:

    Vue.component(
        'passport-clients',
        require('./components/passport/Clients.vue')
    );

    Vue.component(
        'passport-authorized-clients',
        require('./components/passport/AuthorizedClients.vue')
    );

    Vue.component(
        'passport-personal-access-tokens',
        require('./components/passport/PersonalAccessTokens.vue')
    );

Slide 13

Consuming Your API With JavaScript

When building an API, it can be extremely useful to be able to consume your own API from your JavaScript application.

Slide 14

Add the middleware to the web group in app/Http/Kernel.php:

    'web' => [
        // Other middleware...
        \Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
    ],

and make sure your JavaScript client sends the X-Requested-With header on every request:

    window.axios.defaults.headers.common = {
        'X-Requested-With': 'XMLHttpRequest',
    };

This Passport middleware attaches a laravel_token cookie, containing an encrypted JWT, to outgoing responses; the browser then sends it back with your JavaScript application's API requests.

Slide 15

Deploying Passport

When deploying for the first time, you'll likely need to run:

    php artisan passport:keys

This generates the encryption keys Passport uses to sign the access tokens it issues.

Slide 16

Token Lifetimes

By default, Passport issues long-lived tokens. Shorter lifetimes are set in the same boot method:

    /**
     * Register any authentication / authorization services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();

        Passport::routes();

        Passport::tokensExpireIn(now()->addDays(15));

        Passport::refreshTokensExpireIn(now()->addDays(30));
    }

Slide 17

Issuing Access Tokens

Using OAuth2 with authorization codes is how most developers are familiar with OAuth2. Think Facebook, Google, GitHub.

Slide 20

Managing Clients

There are many ways to create clients using Passport:

— passport:client command
— JSON API

Slide 21

Requesting Tokens

You can request tokens using the following grant types:

Slide 22

Authorization Grant

A redirection-based flow: the client redirects the user to the authorization server, which hands back an authorization code that the client exchanges for tokens.

Slide 24

Refresh Grant

Access tokens eventually expire; some grants respond with refresh tokens allowing the client to get a new access token.
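The consumer side of the authorization grant and the refresh grant described above, as an added example that is not code from the talk: it assumes a Passport server at https://passport-app.test, placeholder client credentials created with passport:client, and a registered redirect URI of /callback on the consuming app.

```php
<?php
use GuzzleHttp\Client;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

$authServer   = 'https://passport-app.test';              // assumed Passport server
$clientId     = 'CLIENT-ID-PLACEHOLDER';                  // from `php artisan passport:client`
$clientSecret = 'CLIENT-SECRET-PLACEHOLDER';
$redirectUri  = 'https://third-party-app.test/callback';  // assumed registered redirect URI

// Every token request is a form POST to /oauth/token. The client secret stays
// on this server and is never handed to the browser.
$tokenRequest = function (array $params) use ($authServer, $clientId, $clientSecret) {
    $response = (new Client)->post($authServer.'/oauth/token', ['form_params' =>
        $params + ['client_id' => $clientId, 'client_secret' => $clientSecret]]);
    return json_decode((string) $response->getBody(), true);
};

// Step 1: send the user to the authorization server. The random state, kept in the
// session, lets the callback prove the response belongs to a request this app started.
Route::get('/redirect', function (Request $request) use ($authServer, $clientId, $redirectUri) {
    $request->session()->put('state', $state = Str::random(40));
    return redirect($authServer.'/oauth/authorize?'.http_build_query([
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'response_type' => 'code',
        'scope'         => 'check-status',   // a scope defined with Passport::tokensCan()
        'state'         => $state,
    ]));
});

// Step 2: exchange the one-time code for tokens; refuse the callback if state differs.
Route::get('/callback', function (Request $request) use ($tokenRequest, $redirectUri) {
    $state = $request->session()->pull('state');
    abort_unless(is_string($state) && hash_equals($state, (string) $request->state), 400, 'Invalid state value.');
    return $tokenRequest([
        'grant_type'   => 'authorization_code',
        'redirect_uri' => $redirectUri,
        'code'         => $request->code,
    ]);
});

// Step 3 (refresh grant): trade the refresh token for a new access/refresh pair.
Route::post('/refresh', function (Request $request) use ($tokenRequest) {
    return $tokenRequest([
        'grant_type'    => 'refresh_token',
        'refresh_token' => $request->refresh_token,
    ]);
});
```

The token response is a JSON object carrying token_type, expires_in, access_token and refresh_token; store it server-side rather than exposing the refresh token to the browser.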

Slide 26

Password Grant

This grant allows your other first-party clients, such as mobile apps, to obtain an access token using an email and password.

Slide 28

Implicit Grant

Similar to the authorization code grant; however, the token is returned to the client without an authorization code.

Slide 29

The implicit grant is disabled by default and has to be switched on in the boot method:

    /**
     * Register any authentication / authorization services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();

        Passport::routes();

        Passport::tokensExpireIn(now()->addDays(15));

        Passport::refreshTokensExpireIn(now()->addDays(30));

        Passport::enableImplicitGrant();
    }

Slide 33

Client Credentials Grant

Suitable for machine-to-machine authentication.

— Register the middleware in app/Http/Kernel.php: 'client' => CheckClientCredentials::class,
— Then protect the route with it: Route::get('/orders', function () { // ... })->middleware('client');

Slide 35

Personal Access Tokens

Allowing users to issue tokens to themselves can be useful for experimentation.

Slide 36

Protecting Routes

Utilize Passport's authentication guard to validate access tokens on incoming requests:

    Route::get('/user', function () {
        //
    })->middleware('auth:api');

Slide 37

Token Scopes

Scopes allow your API clients to request a specific set of permissions when requesting authorization to access an account.

Slide 38

Scopes in Practice

Slide 39

Defining API scopes

    use Laravel\Passport\Passport;

    Passport::tokensCan([
        'place-orders' => 'Place orders',
        'check-status' => 'Check order status',
    ]);

Slide 40

Checking Scopes

Register Passport's two scope middleware in app/Http/Kernel.php:

    'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,
    'scope' => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,

scopes requires every listed scope; scope requires at least one of them:

    Route::get('/orders', function () {
        // Access token has both "check-status" and "place-orders" scopes...
    })->middleware('scopes:check-status,place-orders');

    Route::get('/orders', function () {
        // Access token has either "check-status" or "place-orders" scope...
    })->middleware('scope:check-status,place-orders');

Or check a scope on the authenticated user's current token inside the handler:

    if ($request->user()->tokenCan('place-orders')) {
        //
    }

Slide 41

What's Inside An Access Token?

Slide 42

Events

Passport raises events when issuing access and refresh tokens. Map them to listeners in app/Providers/EventServiceProvider.php:

    /**
     * The event listener mappings for the application.
     *
     * @var array
     */
    protected $listen = [
        'Laravel\Passport\Events\AccessTokenCreated' => [
            'App\Listeners\RevokeOldTokens',
        ],

        'Laravel\Passport\Events\RefreshTokenCreated' => [
            'App\Listeners\PruneOldTokens',
        ],
    ];
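One way to implement the two listeners named in that $listen map, as an added example rather than code from the talk: it assumes Passport's stock oauth_access_tokens and oauth_refresh_tokens tables and the tokenId/userId/clientId and refreshTokenId properties the two events expose (the two classes are shown together here; each goes in its own file under app/Listeners).

```php
<?php
// Added example: listeners for Passport's AccessTokenCreated and RefreshTokenCreated
// events. Event property names and the Token/RefreshToken models are assumed to
// match the Passport release in use.

namespace App\Listeners;

use Carbon\Carbon;
use Laravel\Passport\Events\AccessTokenCreated;
use Laravel\Passport\Events\RefreshTokenCreated;
use Laravel\Passport\RefreshToken;
use Laravel\Passport\Token;

// Keep one live access token per user and client: when a new one is issued,
// revoke the others so an earlier token that leaked stops working.
class RevokeOldTokens
{
    public function handle(AccessTokenCreated $event)
    {
        Token::where('user_id', $event->userId)
            ->where('client_id', $event->clientId)
            ->where('id', '<>', $event->tokenId)
            ->where('revoked', false)
            ->update(['revoked' => true]);
    }
}

// Refresh tokens outlive access tokens (30 vs 15 days in the lifetimes slide), so
// delete the ones that are already revoked or expired instead of letting the table grow.
class PruneOldTokens
{
    public function handle(RefreshTokenCreated $event)
    {
        RefreshToken::where('id', '<>', $event->refreshTokenId)
            ->where(function ($query) {
                $query->where('revoked', true)
                      ->orWhere('expires_at', '<', Carbon::now());
            })
            ->delete();
    }
}
```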

Slide 43

Testing

Passport's actingAs method can be used to specify the currently authenticated user as well as its scopes.

    public function testServerCreation()
    {
        Passport::actingAs(
            factory(User::class)->create(),
            ['create-servers']
        );

        $response = $this->post('/api/create-server');

        $response->assertStatus(200);
    }
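Feature tests in the same style for the scope checks, as an added example that is not from the talk: it assumes the /orders route from the Checking Scopes slide is the one guarded by middleware('scopes:check-status,place-orders'), and the stock Laravel 5.x test setup (factory() helper, RefreshDatabase trait, App\User model).

```php
<?php
// Added example: exercising CheckScopes through Passport::actingAs(). The route under
// test and the test scaffolding (factory, RefreshDatabase) are assumptions, see lead-in.

namespace Tests\Feature;

use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Passport\Passport;
use Tests\TestCase;

class OrderScopesTest extends TestCase
{
    use RefreshDatabase;

    // A token carrying both required scopes passes the `scopes` middleware.
    public function testTokenWithBothScopesCanListOrders()
    {
        Passport::actingAs(factory(User::class)->create(), ['check-status', 'place-orders']);

        $this->getJson('/orders')->assertStatus(200);
    }

    // `scopes` requires every listed scope, so holding only one of the two is not
    // enough: CheckScopes raises MissingScopeException, which renders as 403.
    public function testTokenMissingAScopeIsForbidden()
    {
        Passport::actingAs(factory(User::class)->create(), ['check-status']);

        $this->getJson('/orders')->assertStatus(403);
    }

    // With no authenticated token at all the request is rejected before scopes
    // are even considered: 401 rather than 403.
    public function testUnauthenticatedRequestIsRejected()
    {
        $this->getJson('/orders')->assertStatus(401);
    }
}
```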

Slide 44

About Me

Hunter Skrasek
@hskrasek
github.com/hskrasek
https://joind.in/talk/ab0ec