
I've successfully implemented an OAuth2 server in my Lumen API with this tutorial. The tutorial uses the OAuth2 server for Laravel + Lumen.

Unfortunately, the documentation part about creating your own grants isn't there yet.

In my database there is now the oauth_clients table. But I also have my own table, users. It holds some more information about the user. All entities reference this table.

Now I want to check the users table for the credentials instead of the oauth_clients table. Is this possible?

rakete

1 Answer


The oauth_clients table is only for managing client_id and client_secret (along with scopes etc.).

You need to use PasswordGrant instead of ClientCredentialsGrant in order to authenticate users (and thus deal with the users table along with oauth_clients).

See https://github.com/lucadegasperi/oauth2-server-laravel/blob/master/docs/authorization-server/password.md for more details.

PS: In Lumen you might get an exception with this:

// Laravel-style check; in Lumen this is the version that throws (see above)
if (Auth::once($credentials)) {
    return Auth::user()->id;
}

So you'll need to rewrite it in a way similar to this:

// Body of the password grant's callback, which receives $username and $password
// from the token request. Look the user up by a normalised username.
$user = User::where('username', strtolower($username))->first();

// Unknown user: return null so the grant reports invalid credentials
if (!isset($user)) {
    return null;
}

// Compare the submitted password against the stored hash
// (getAuthPassword() comes from the Authenticatable contract)
if (app('hash')->check($password, $user->getAuthPassword())) {
    return $user->id;
}

// Wrong password: same null result, so nothing reveals which part failed
return null;

NOTE: You still need the oauth_clients table with at least one client_id/client_secret combo defined (notice that the secret isn't a hash and is expected to be plain).

After setting it up, you'll get your access token like this (not exactly like this; it depends on your implementation):

curl -X POST http://yourapp/access_token -d "grant_type=password&client_id=test&client_secret=testsecret&username=testuser&password=testpass"

apoq
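Wiring the answer's callback into the package's grant configuration, as an added example that is not from the original post or the package itself; it assumes an App\User model implementing Authenticatable with `username` and `password` columns, and the config layout shown in the linked password.md.

```php
<?php
// config/oauth2.php (in Lumen, copy the package config here and call
// $app->configure('oauth2') in bootstrap/app.php so it gets loaded).
// Added example: App\User and the column names are assumptions.

use App\User;

return [
    // ... the package's other settings stay unchanged ...

    'grant_types' => [
        'password' => [
            'class' => '\League\OAuth2\Server\Grant\PasswordGrant',

            // PasswordGrant calls this with the username/password fields of
            // the token request. Return the user's id on success, or null to
            // make the server answer with an invalid-credentials error.
            'callback' => function ($username, $password) {
                // Normalise the lookup key the same way it was stored
                $user = User::where('username', strtolower($username))->first();

                // Unknown user and wrong password both end in null, so the
                // error response does not reveal which usernames exist
                if ($user === null) {
                    return null;
                }

                // Verify against the bcrypt hash in users.password; never
                // compare plaintext passwords from the users table
                if (app('hash')->check($password, $user->getAuthPassword())) {
                    return $user->id;
                }

                return null;
            },

            // Lifetime of issued access tokens, in seconds
            'access_token_ttl' => 3600,
        ],
    ],
];
```

The client_id/client_secret pair in the curl call above is still validated against oauth_clients before this callback runs, so both tables stay in play.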