4

I tried to find where the token returned by the method $user->createToken('MyApp')->accessToken; is stored on the database but I can't seem to find it. Is it stored in the server in the first place? If so, where?

If it's not stored on the server because it's self-contained, why did Laravel's developers put $table->rememberToken(); in the default create_users_table.php migration? What's the purpose of the column remember_token?

Thank you for your help.

JacopoStanchi
  • 1,962
  • 5
  • 33
  • 61

3 Answers3

20

I guess you could say that some part of the token is stored in the database.

The token returned is JWT (JSON Web Token). Encoded in it is information about the token, like its expiration time, the algorithm used to hash it, the token scopes and its ID (in the payload it's named jti). That ID is what's stored in the oauth_access_tokens table.

In this method in the \Laravel\Passport\PersonalAccessTokenFactory::findAccessToken class you can see how Laravel is checking if the token is in the database:

 /**
 * Get the access token instance for the parsed response.
 *
 * @param  array  $response
 * @return Token
 */
protected function findAccessToken(array $response)
{
    return $this->tokens->find(
        $this->jwt->parse($response['access_token'])->getClaim('jti')
    );
}

If you get a valid token and paste it in this online tool you will see the structure of it. Here's how it looks:

screenshot of the parsed token

Now, knowing the expected format of the payload, if you play around a bit with this information and the data you have in your oauth_access_tokens (id, scope, creation and expiration date) you should be able to create a valid token.

Elena Kolevska
  • 617
  • 5
  • 10
  • Is it good practice to use only token id to authorize? We don't need expiration date and the scope is being checked server side. – Amirreza Nasiri Aug 19 '19 at 23:21
  • Great Answer! Is there a way to manually encode 'access_token' from oauth_access_tokens.id as same as passport do? – Michel Aug 29 '20 at 12:52
  • 1
    nice! was wondering how passport is able to identify the user with the `access_token`, thank you!! – Manas Oct 05 '20 at 13:00
1

Remember token in user table is for "Remember Me" when you log in on web. Laravel: What is “remember_token” in the “users” DB table?

If you use passport and create API you can find token id in oauth_access_tokens in database.

Widziks
  • 72
  • 1
  • 9
  • 3
    Thank you, but that's not exactly the same token. The `id` in the `oauth_access_tokens` table is way smaller than what is returned by `$user->createToken('MyApp')->accessToken;`. – JacopoStanchi May 09 '18 at 13:28
1

No, the access token value is not stored anywhere. If you lose it, it's gone. You'll need to regenerate a new token.

The rememeber_token field is for the "Remember Me" functionality for normal web authentication. It is not related to Passport API authentication at all.

patricus
  • 59,488
  • 15
  • 143
  • 145
  • wondering how it works if the actual token is not saved anywhere in the db .. tried searching the system files but couldn't find anything – T.Adak Sep 27 '18 at 07:54