5

I just used laravel-passport; it is the same as JWT auth.

I want to add some custom claims to my accessToken. Is it possible?

I want to pass 2fa_status => true in the access token, and during an API call with this access token I also want to read that claim back from the token.

For example (expected claims of the token):

{
  "aud": "7",
  "jti": "123",
  "iat": 1568368682,
  "nbf": 1568368682,
  "exp": 1599991082,
  "sub": "2",
  "scopes": [],
  "2fa_status": false
}

I'm generating the token as below:

  $tokenResult = $user->createToken('Personal Access Token');
Vishal Ribdiya
  • 840
  • 6
  • 18

3 Answers

1

I think something you can do is very similar to an answer to this question: Customising token response Laravel Passport

In your own BearerTokenResponse class, override the generateHttpResponse method; inside it you can add whatever you want to the access token before converting it to a JWT:

    public function generateHttpResponse(ResponseInterface $response)
    {
        $expireDateTime = $this->accessToken->getExpiryDateTime()->getTimestamp();

        // add custom claims here, i.e. $this->accessToken->withClaim('name', 'value');

        $jwtAccessToken = $this->accessToken->convertToJWT($this->privateKey);

        ...
ImLeo
  • 991
  • 10
  • 17
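The following is an added example, not code from the answer above or from Laravel Passport itself. It shows the whole round trip the question asks for: a custom access-token entity that embeds a 2fa_status claim, the repository and container binding that make Passport use it, and a middleware that reads the claim back on an API call. It assumes Laravel Passport 7.x on league/oauth2-server 7.x, where AccessTokenTrait::convertToJWT(CryptKey) is public and is what BearerTokenResponse calls (as in the answer's snippet), with lcobucci/jwt 3.x; 8.x releases build the JWT differently, so check your installed version. The class names, the App\User model, its two_factor_confirmed column and the middleware alias are assumptions for illustration.

```php
<?php
// Added example (not from the question or answers). Assumed versions: Passport 7.x,
// league/oauth2-server 7.x (public convertToJWT(CryptKey)), lcobucci/jwt 3.x.
// App\User and its two_factor_confirmed column are assumptions.

namespace App\Passport;

use App\User;
use Closure;
use Illuminate\Http\Request;
use Laravel\Passport\Bridge\AccessToken;
use Laravel\Passport\Bridge\AccessTokenRepository;
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\Entities\ClientEntityInterface;

// 1. An access-token entity that embeds the extra claim when serialised to a JWT.
//    The registered claims are the same ones Passport emits; only 2fa_status is new.
class TwoFactorAccessToken extends AccessToken
{
    public function convertToJWT(CryptKey $privateKey)
    {
        $user = User::find($this->getUserIdentifier());
        $twoFactorPassed = $user ? (bool) $user->two_factor_confirmed : false;

        return (new Builder())
            ->setAudience($this->getClient()->getIdentifier())        // aud
            ->setId($this->getIdentifier(), true)                     // jti
            ->setIssuedAt(time())                                     // iat
            ->setNotBefore(time())                                    // nbf
            ->setExpiration($this->getExpiryDateTime()->getTimestamp()) // exp
            ->setSubject($this->getUserIdentifier())                  // sub
            ->set('scopes', $this->getScopes())
            ->set('2fa_status', $twoFactorPassed)                     // the custom claim
            ->sign(new Sha256(), new Key($privateKey->getKeyPath(), $privateKey->getPassPhrase()))
            ->getToken();
    }
}

// 2. A repository that hands the custom entity to league/oauth2-server.
//    setClient() is called explicitly so this works whether or not the
//    installed Passport version accepts the client in the constructor.
class TwoFactorAccessTokenRepository extends AccessTokenRepository
{
    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null)
    {
        $token = new TwoFactorAccessToken($userIdentifier, $scopes);
        $token->setClient($clientEntity);

        return $token;
    }
}

// 3. Passport builds its AuthorizationServer through the container, so binding the
//    subclass is enough. Put this in App\Providers\AppServiceProvider::register():
//
//    $this->app->bind(AccessTokenRepository::class, TwoFactorAccessTokenRepository::class);

// 4. Read the claim back on an API call. Register this middleware AFTER auth:api:
//    parsing a JWT does not validate it, and only the Passport guard checks the
//    signature, expiry and revocation, so never act on a claim before that check.
//
//    Route::middleware(['auth:api', 'require.2fa'])->get('/sensitive', ...);  // alias assumed
class RequireTwoFactorClaim
{
    public function handle(Request $request, Closure $next)
    {
        $jwt = (new Parser())->parse((string) $request->bearerToken());

        if ($jwt->getClaim('2fa_status', false) !== true) {
            return response()->json(['message' => 'Two-factor authentication required.'], 403);
        }

        return $next($request);
    }
}
```

The classes are shown in one file for reading; in a Laravel app each goes in its own PSR-4 file. Because the claim is baked into the token at issue time, a token minted before the user completed 2FA keeps 2fa_status = false until it is replaced, which is exactly the behaviour the question asks for: issue a fresh token after verification rather than trying to mutate the old one.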
0

I'm in a similar situation, but I used a password grant client to issue a token to the user during authentication, and I need to use the personal access token for the user to generate an access token for themselves to be used in their 3rd-party applications. You can do a workaround by updating the scope. I also need to verify whether the user has passed 2FA.

In your AuthServiceProvider.php:

    public function boot()
    {
        $this->registerPolicies();

        Passport::routes(function ($router) {
            $router->forAccessTokens();
            $router->forPersonalAccessTokens();
            $router->forTransientTokens(); // register the transient (refresh) token route; skip if all routes are enabled
        });

        // Add scopes to verify the user.
        // Take note that there are 2 scopes here because a refresh can only narrow scopes.
        Passport::tokensCan([
            '2fa-pass' => '2FA Pass',
            '2fa-not-pass' => '2FA Not Pass',
        ]);
    }

The next step is in your authentication process, where you send the password grant type:

    // I'm using Route::dispatch to do a proxy request;
    // you can use Guzzle if you want.
    // Request here is Illuminate\Http\Request.
    $request->request->add([
        'grant_type'    => 'password',
        'client_id'     => 'client-id',
        'client_secret' => 'client-secret',
        'username'      => $credentials['email'],
        'password'      => $credentials['password'],
        'scope'         => '2fa-not-pass 2fa-pass', // take note that I added the two scopes here
    ]);

    $tokenRequest = Request::create('/oauth/token', 'POST');

    $response = \Route::dispatch($tokenRequest);

Then, in your 2FA verification process:

    // your process of verifying the 2FA code

    // after that you need to update the scope by doing a refresh token
    $request->request->add([
        'grant_type'    => 'refresh_token',
        'refresh_token' => $request->input('refresh_token'),
        'client_id'     => 'client-id',
        'client_secret' => 'client-secret',
        'scope'         => '2fa-pass', // I removed the 2fa-not-pass when refreshing the token
    ]);

    $tokenRequest = Request::create('/oauth/token', 'POST');

    $response = \Route::dispatch($tokenRequest);

Take note about the scopes, when you refresh the token, you can only obtain identical or narrower scopes than the original access token. If you attempt to get a scope that was not provided by the original access token, you will get an error. - patricus

answer here: https://stackoverflow.com/a/45856634/11537130

Take note that this will generate a new token with the new scope.

user11537130
  • 264
  • 4
  • 10
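An added example of the enforcement side of this scope workaround, not code from the answer above. Because a refresh can only narrow scopes, the pre-2FA token carries both 2fa-not-pass and 2fa-pass, so a route must reject tokens that still carry 2fa-not-pass rather than merely require 2fa-pass. It assumes Laravel Passport 7.x or later with the two scopes registered as in the answer; the middleware alias, class name and route paths are assumptions.

```php
<?php
// Added example (not from the answer). Assumes Passport 7.x+ with the '2fa-pass' and
// '2fa-not-pass' scopes registered via Passport::tokensCan(). Alias and routes assumed.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureTwoFactorPassed
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // auth:api must run first so that the token has already been verified
        // (signature, expiry, revocation) and $user->token() is populated.
        if (! $user || ! $user->token()) {
            return response()->json(['message' => 'Unauthenticated.'], 401);
        }

        // The broad pre-2FA token still has '2fa-not-pass'; the refreshed one
        // only has '2fa-pass'. Checking for the presence of '2fa-pass' alone
        // would let the pre-2FA token through, since it carries both scopes.
        if ($user->tokenCan('2fa-not-pass') || ! $user->tokenCan('2fa-pass')) {
            return response()->json(['message' => 'Two-factor authentication required.'], 403);
        }

        return $next($request);
    }
}

// app/Http/Kernel.php, in $routeMiddleware (alias assumed):
//   '2fa.passed' => \App\Http\Middleware\EnsureTwoFactorPassed::class,
//
// routes/api.php (paths assumed):
//   // reachable with the broad token, so the user can submit the 2FA code
//   Route::post('/2fa/verify', 'TwoFactorController@verify')->middleware('auth:api');
//
//   // everything else requires the narrowed token
//   Route::middleware(['auth:api', '2fa.passed'])->group(function () {
//       Route::get('/user', function (Request $request) {
//           return $request->user();
//       });
//   });
```

league/oauth2-server's refresh-token grant revokes the previous access token when it issues the narrowed one, so the broad pre-2FA token stops working at that moment; until the refresh happens, this middleware is the only thing keeping a pre-2FA token away from 2FA-only routes, which is why it checks for 2fa-not-pass explicitly.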
-1

It is possible.

Add this to AuthServiceProvider:

Passport::routes();
Passport::personalAccessClientId(1); // this 1 is the id of your personal access client
Passport::tokensExpireIn(now()->addDays(15));
Passport::refreshTokensExpireIn(now()->addDays(30));

Now you can create a new token like this:

$user->createToken('email')->accessToken; // you can change 'email' to any name to remember why this token was generated, e.g. 'facebook' for a social login

According to the documentation, to add more params try this:

$user->createToken('email', ['extra' => 'params'])->accessToken; // the second argument is the scopes array passed to createToken()

Hope this helps.

sid heart
  • 1,140
  • 1
  • 9
  • 38