Laravel 5.3 Passport JWT Authentication

Question

Earlier when I was using laravel 5.2, i used a third party package https://github.com/tymondesigns/jwt-auth/ for making JWT based authentication. Where we just had to pass the username and password to get a token.

Now in laravel 5.3 with the introduction of passport I want to make a JWT based authentication but passport requires me to specify the client_id and client_secret along with the username and password. which was not there in tymondesigns/jwt-auth.

If I make a request without the client_id then it throws an error http://pix.toile-libre.org/upload/original/1482908288.png but when I pass the client_id and client_secret then it works fine http://pix.toile-libre.org/upload/original/1482908143.png

How can I make a JWT request in laravel 5.3 and passport with just the username and password and without specifying client_id and client_secret.

Phantom007 · Accepted Answer · 2017-08-17T05:54:25.907

51

So, finally I am answering my own question. Hopefully this will help someone facing the similar problem.

JWT authentication can be done using Laravel 5.3 passport, just follow the following steps:

Install Passport normally as described in this link https://laravel.com/docs/master/passport#installation

OR follow these steps:

composer require laravel/passport
add Laravel\Passport\PassportServiceProvider::class, to your app providers
php artisan migrate
php artisan passport:install
Add HasApiTokens trait to your user model
Passport::routes(); in AppServiceProvider
Configure api driver to passport

Once done, create a UserController and add the following methods in it:

public function auth(Request $request)
{

  $params = $request->only('email', 'password');

  $username = $params['email'];
  $password = $params['password'];

  if(\Auth::attempt(['email' => $username, 'password' => $password])){
    return \Auth::user()->createToken('my_user', []);
  }

  return response()->json(['error' => 'Invalid username or Password']);
}

  public function index(Request $request)
  {
    return $request->user();
  }

In routes/api.php, add the following routes:

Route::post('auth', 'UserController@auth');

Route::group(['middleware' => 'auth:api'], function(){

  Route::resource('user', 'UserController@index');

});

Now make a POST request to http://localhost:8000/auth with the email address and password as shown in the screenshot (http://pix.toile-libre.org/upload/original/1483094937.png) This will get you the accessToken, you can use this token to make other requests in your application with the Authorization header and Bearer XXX where xxx is the accessToken you received from /api/auth endpoint.

Now, make a GET request to /api/user with the Authorization header and the token value, this will return the authenticated user's details. (eg: http://pix.toile-libre.org/upload/original/1483095018.png)

I have also posted these steps on my blog at http://chatterjee.pw/larvel-passport-jwt-authentication/

I hope this helps!

edited Aug 17 '17 at 05:54

answered Dec 30 '16 at 10:56

Phantom007

2,079
4
25
37

can we make custom token? not from user's object – Donny Gunawan Sep 16 '17 at 18:55
10

Thanks for your share, but: 1. There is no refresh_token 2. I didn't find here any JWT related staff, it is just access_token 3. I didn't understand why you spent so many time on this, it is the "attempt()" method of "Auth" and "createToken()" method of "HasApiTokens" trait – Avik Aghajanyan Oct 13 '17 at 10:15
11

This token solution is ABSOLUTELY NOT a JWT and is therefore not an answer to your original question, making this question and answer misleading for other people. Wasted a lot of time thinking this was a JWT solution due to the Q&A here. – Tim Ogilvy Dec 29 '17 at 04:05
@TimOgilvy Laravel uses JWT behind the scene for personal token authentication so yes this is a JWT based authentication. – Phantom007 Mar 06 '18 at 04:35
@Phantom007 did you mean this: https://laravel.com/docs/5.6/passport#personal-access-tokens – llioor Mar 20 '18 at 21:10
Worked in a single shot! – Ariful Haque Apr 19 '18 at 06:28
2

This is not a JWT. Its the pure simple passport authentication with custom routes. – varun sharma Apr 16 '19 at 08:37
3

This is a personal access token and not JWT. It is a security liability making personal access token available in client side javascript as they never expire and often give users complete access to your api if you haven't carefully crafted your scopes, and middleware for that matter depending on the nature of your application and access control. – danrichards Jun 01 '19 at 13:54
I'm confused by these comments, if it can be decoded by jwt.io (or any other jwt decoder) does that not mean it's not a JWT? Even if it were a PAT that doesn't mean it's not a JWT? – Kevin Redman Nov 19 '21 at 23:45

score 1 · Answer 2 · answered May 16 '18 at 12:28

1

If you are not interested in OAuth and Client thing, you probably want to use pure JWT authentication, if so, you can check out this package:

https://github.com/miladrahimi/larajwt

It declares a new authentication driver named "jwt" to protect your authenticated routes, it provides a service to generate jwt from your users, and some other tools like logout, user model caching, filters for checking extra properties of users and so on.

answered May 16 '18 at 12:28

Milad Rahimi

3,464
3
27
39

1

I find your package clearer to use, compared with Passport. I don't usually need to define clients management for my API's. Do you suggest to use Passport anyway? I'm asking because the larajwt package is already archived. Thanks. – JCarlosR Jun 17 '19 at 06:56
1

@JCarlos, Actually I have no time to continue developing this package but you should know this package works fine and you can fork so you can bug fix if there is a bug. – Milad Rahimi Jun 17 '19 at 07:20

score 0 · Answer 3 · answered Jun 02 '18 at 14:19

$request->user(); was not working for me because the middleware is configured to web, which I also need + api. The docs are not clear about how to control for both scenarios.

I was able to get users details with get Auth Bearer + token, and on Laravel:

use Illuminate\Support\Facades\Auth;

Route::get('/user', function() {
   return Auth::guard('api')->user();
});

score 0 · Answer 4 · answered Aug 20 '19 at 14:07

You got this all mixed up. Passport is ideal for Facebook-like applications where you want your users’ clients to securely authenticate to your API.

If all you are doing is building a rest API for example a health and fitness app, using the Tyson JWT package suffices. This is because you don’t have the middleman.

Laravel 5.3 Passport JWT Authentication

4 Answers4

Linked