Laravel Passport - which grant to use for my users apps?
I have application where users can register and add their own applications (websites, mobile applications).
For each of these applications, I want to give access to my API and allow them to get products from my database.
For example:
User X signs up in my app, adds his blog user-X-blog.com and gets an access token. Next he can call my API and get some products to show on his blog post.
Which grant should I implement to make my API based on Laravel Passport safe and useful (each user application with its own token, no user login required to make an API call, long-lived tokens)?
Is it a good idea to create a dedicated client for each user app and use the client credentials grant? It doesn't look very safe to me (or maybe I'm wrong).
2 Answers
2
In your situation I think using Personal Access Tokens is the best option:
Each unique user who signs up and adds his blog post gets a unique token:
$user = App\User::find(1);
// Creating a token without scopes...
$token = $user->createToken('Token Name')->accessToken;
// Creating a token with scopes...
$token = $user->createToken('My Token', ['place-orders'])->accessToken;
You can then make requests and pass the token as an Authorization Header:
$client = new GuzzleHttp\Client;
$response = $client->request('GET', '/api/user', [
'headers' => [
'Accept' => 'application/json',
'Authorization' => 'Bearer '.$token,
],
]);
You can also set lifetimes for your tokens in the boot method of your AuthServiceProvider:
public function boot()
{
$this->registerPolicies();
Passport::routes();
Passport::tokensExpireIn(now()->addDays(15));
Passport::refreshTokensExpireIn(now()->addDays(30));
}
From your requirement it is clear that third parties access your API. There are 2 ways to allow third-party access.
But this approach is only suitable if your client's user has an account in your system, like when we use Facebook, Google etc.
You can use the second option. What you can do is sign up your client on your side and generate a client ID and client secret, and then they will use this information to authenticate from their server to your server, and your server returns the access token. No client involvement, and after that either their server or client can directly access your API using the accessToken.
Hope this clears it up for you.
A personal access token is never used for third-party access. – rkj, 2 days ago
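The per-application client plus client credentials grant described in the second answer, written out as an added example (not code from the question or either answerer). It assumes Laravel Passport is installed, that a confidential client has been created for each user application (for example with php artisan passport:client), and that the placeholder values CLIENT_ID and CLIENT_SECRET are replaced with that client's credentials; the fragments are labelled with the Laravel file they belong in.

```php
<?php
// app/Providers/AuthServiceProvider.php  (inside the boot() method)
use Laravel\Passport\Passport;

Passport::routes();
// Declare the scopes a user application may request. Issuing only
// 'read-products' means a leaked client secret cannot do more than read.
Passport::tokensCan([
    'read-products' => 'Read the product catalogue',
]);
// Short-lived access tokens shrink the window in which a stolen token works;
// the application simply requests a new one with its secret when it expires.
Passport::tokensExpireIn(now()->addHours(1));

// app/Http/Kernel.php  (inside $routeMiddleware)
// 'client' => \Laravel\Passport\Http\Middleware\CheckClientCredentials::class,

// routes/api.php
// Only a valid client-credentials token that carries the read-products scope
// reaches the closure; no user session or login is involved.
Route::middleware('client:read-products')->get('/products', function () {
    return App\Product::select('id', 'name', 'price')->get();
});

// On the user's own server (e.g. user-X-blog.com), never in browser JavaScript:
// the client secret stays server-side, the blog front end only sees products.
$http = new GuzzleHttp\Client;
$response = $http->post('https://your-api.example/oauth/token', [
    'form_params' => [
        'grant_type'    => 'client_credentials',
        'client_id'     => 'CLIENT_ID',       // placeholder, from config/env
        'client_secret' => 'CLIENT_SECRET',   // placeholder, from config/env
        'scope'         => 'read-products',   // request the minimum needed
    ],
]);
$accessToken = json_decode((string) $response->getBody(), true)['access_token'];

// The token is then sent as a Bearer header, exactly as in the first answer.
$products = $http->get('https://your-api.example/api/products', [
    'headers' => [
        'Accept'        => 'application/json',
        'Authorization' => 'Bearer '.$accessToken,
    ],
]);
```

Because each application has its own client, a compromised blog can be cut off by revoking or rotating that one client's secret without touching any other user's application.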