我刚刚阅读了 https://laravel.com/docs/5.6/passport 文档我有一些疑问,希望有人可以帮助我:
首先,在某些情况下,我想使用 Passport 作为为我的移动应用(第一方应用)提供 Oauth 身份验证的一种方式.
当我使用 php artisanpassport:client --password 时,我会得到一个客户端 ID 和一个客户端密码.这个值是否必须固定在我的应用程序上?例如将它们存储为硬编码或作为设置"文件?如果不应该存储这些值,那么它应该如何工作?
为了向我的应用程序注册用户,我使用:$user->createToken('The-App')->accessToken; 我知道 accessToken 将是一个用于将我的所有请求作为标头发送(授权 => Bearer $accessToken),但The-App"值究竟是什么?
我使用以下 URL 登录用户:http://example.com/oauth/令牌并作为参数发送:
{"用户名": "user@email.com","密码": "用户密码","grant_type": "密码","client_id": 1,//我从命令中得到的客户端 ID(问题 1)"client_secret": "Shhh"//我从命令中得到的 Client Secret(问题 1)}
当我使用前一个端点登录用户时,我得到一个 refresh_token,我读到我可以通过 http://example.com/oauth/token/refresh 但我尝试请求刷新我收到错误 419,我从 csrf 验证中删除了 url oauth/token/refresh,现在我取回 "message": "Unauthenticated.",我正在提出以下请求:
内容类型:x-www-form-urlencodedgrant_type: refresh_tokenrefresh_token: the-refresh-token//我从命令中得到的刷新令牌(问题 3)client_id: 1//我从命令中得到的客户端 ID(问题 1)client_secret: Shhh//我从命令中得到的 Client Secret(问题 1)范围:''
我应该使用这个端点吗?或者考虑到我正在尝试开发的应用程序没有必要.
oauth/clients*、oauth/personal-access-tokens* 有没有办法从passport发布的端点中删除它们?非常感谢您的帮助!
如果你使用自己的 api 那么你就不需要调用 http://example.com/oauth/token用于用户登录,因为那时您需要在应用程序端存储 client_id 和 client_secret.最好创建一个用于登录的 api,然后您可以在那里检查凭据并生成个人令牌.
公共函数登录(Request $request){$credentials = $request->only('email', 'password');如果 (Auth::attempt($credentials)) {//认证通过...$user = Auth::user();$token = $user->createToken('Token Name')->accessToken;返回响应()-> json($token);}}<块引用>
最后,我从护照中获得了很多端点不认为我会使用例如:oauth/clients*,oauth/personal-access-tokens* 有没有办法将它们从护照发布的端点?
您需要从 AuthServiceProvider 中删除 Passport::routes(); 并手动仅放置所需的护照路线.我认为你只需要 oauth/token 路由.
The-App"的价值究竟是什么?
如果您检查 oauth_access_tokens 表,它有名称字段.$user->createToken('Token Name')->accessToken; 这里是存储在 name 字段中的 Token Name".
如何将 Laravel Passport 与密码授予令牌一起使用?
要生成密码授予令牌,您必须在应用端存储 client_id 和 client_secret(不推荐,请查看 this ) 并假设如果您必须重置 client_secret 然后旧版本的应用程序停止工作,这些是问题.要生成密码授予令牌,您必须像步骤 3 中提到的那样调用此 API.
$http = new GuzzleHttpClient;$response = $http->post('http://your-app.com/oauth/token', ['form_params' =>['grant_type' =>'密码','client_id' =>'客户ID','client_secret' =>'客户机密','用户名' =>'taylor@laravel.com','密码' =>'我的密码','范围' =>'',],]);返回 json_decode((string) $response->getBody(), true);<块引用>
从refresh_token
$http = new GuzzleHttpClient;$response = $http->post('http://your-app.com/oauth/token', ['form_params' =>['grant_type' =>'refresh_token','refresh_token' =>'刷新令牌','client_id' =>'客户ID','client_secret' =>'客户机密','范围' =>'',],]);返回 json_decode((string) $response->getBody(), true);你可以看看这个https://laravel.com/docs/5.6/passport#implicit-grant-tokens 也是.
I just read the https://laravel.com/docs/5.6/passport documentation and I have some doubts that hopefully someone could help me with:
First, some context, I want to use Passport as a way to provide Oauth authentication for my mobile app (first-party app).
When I use php artisan passport:client --password I get back a Client ID and a Client Secret. Does this value have to be fixed on my app? for example storing them hardcoded or as a "settings" file? If the values shouldn't be stored then how should it work?
To register a user to my app I use: $user->createToken('The-App')->accessToken; I get that the accessToken will be the one used for sending on all my requests as a Header (Authorization => Bearer $accessToken) but what exactly is "The-App" value for?
For login the user I'm using the URL: http://example.com/oauth/token and sending as parameters:
{ "username": "user@email.com", "password": "userpassword", "grant_type": "password", "client_id": 1, // The Client ID that I got from the command (question 1) "client_secret": "Shhh" // The Client Secret that I got from the command (question 1) }
When I login the user using the previous endpoint I get back a refresh_token, I read that I could refresh the token through http://example.com/oauth/token/refresh but I try to request the refresh I got Error 419, I removed the url oauth/token/refresh from the csrf verification and now I get back "message": "Unauthenticated.", I'm making the following request:
Content-Type: x-www-form-urlencoded grant_type: refresh_token refresh_token: the-refresh-token // The Refresh Token that I got from the command (question 3) client_id: 1 // The Client ID that I got from the command (question 1) client_secret: Shhh // The Client Secret that I got from the command (question 1) scope: ''
Should I use this endpoint? or is not necessary given the app I'm trying to develop.
oauth/clients*, oauth/personal-access-tokens* is there a way to remove them from the endpoints published by passport?Thanks a lot for your help!
If you are consuming your own api then you don't need to call http://example.com/oauth/token for user login because then you need to store client_id and client_secret at app side. Better you create an api for login and there you can check the credentials and generate the personal token.
public function login(Request $request)
{
$credentials = $request->only('email', 'password');
if (Auth::attempt($credentials)) {
// Authentication passed...
$user = Auth::user();
$token = $user->createToken('Token Name')->accessToken;
return response()->json($token);
}
}
Finally, there are a lot of endpoints that I get from passport that I don't think I will use for example: oauth/clients*, oauth/personal-access-tokens* is there a way to remove them from the endpoints published by passport?
You need to remove Passport::routes(); from AuthServiceProvider and manually put only required passport routes. I think you only need oauth/token route.
what exactly is "The-App" value for?
if you check oauth_access_tokens table it has name field. $user->createToken('Token Name')->accessToken; here the "Token Name" stored in name field.
How to use Laravel Passport with Password Grant Tokens?
To generate password grant token you have to store client_id and client_secret at app side (not recommended, check this ) and suppose if you have to reset the client_secret then the old version app stop working, these are the problems. To generate password grant token you have to call this api like you mention in step 3.
$http = new GuzzleHttpClient;
$response = $http->post('http://your-app.com/oauth/token', [
'form_params' => [
'grant_type' => 'password',
'client_id' => 'client-id',
'client_secret' => 'client-secret',
'username' => 'taylor@laravel.com',
'password' => 'my-password',
'scope' => '',
],
]);
return json_decode((string) $response->getBody(), true);
Generate token from
refresh_token
$http = new GuzzleHttpClient;
$response = $http->post('http://your-app.com/oauth/token', [
'form_params' => [
'grant_type' => 'refresh_token',
'refresh_token' => 'the-refresh-token',
'client_id' => 'client-id',
'client_secret' => 'client-secret',
'scope' => '',
],
]);
return json_decode((string) $response->getBody(), true);
You can look this https://laravel.com/docs/5.6/passport#implicit-grant-tokens too.
这篇关于如何将 Laravel Passport 与密码授予令牌一起使用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!