OAuth 2: separating resource server and authorization server

OAuth2 framework docs: https://www.rfc-editor.org/rfc/rfc6749 (A) The client requests an access token by authenticating with the authorization server and presenting an authorization grant. (B) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token and a refresh token. (C) The client makes a protected resource request to … Read more

OAuth2.0: Why need “authorization-code” and only then the token?

Could it also be that by having this intermediate step prevents the client from seeing the access token? From O’Reilly book: Authorization code This grant type is most appropriate for server-side web applications. After the resource owner has authorized access to their data, they are redirected back to the web application with an authorization code … Read more

How to interact with back-end after successful auth with OAuth on front-end?

We have 3 main security concerns when creating an API. Authentication: An identity provider like Google is only a partial solution. Because you don’t want to prompt the user to login / confirm their identity for each API request, you must implement authentication for subsequent requests yourself. You must store, accessible to backend: A user’s … Read more

What is an opaque token?

A JWT has readable content, as you can see for example on https://jwt.io/. Everyone can decode the token and read the information in it. The format is documented in RFC 7519. An opaque token on the other hand has a format that is not intended to be read by you. Only the issuer knows the … Read more

ASP.NET Web API 2: How do I log in with external authentication services?

I had the same problem today and found the following solution: At first get all available providers GET /api/Account/ExternalLogins?returnUrl=%2F&generateState=true The response message is a list in json format [{"name":"Facebook", "url":"/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A15359%2F&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1", "state":"QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1"}] Now send a GET request to the url of the provider you want to use. You will be redirected to the login page of … Read more

Oauth2, scopes and user roles

In OAuth2, there are the following roles: Resource owner – usually some person Auth provider – the OAuth2 server Resource server – an API that requires an access token and validates its scopes Client application – application requesting an access token with some scopes. To understand OAuth2, it’s necessary to think about it as a … Read more

Spring-Security-Oauth2: Full authentication is required to access this resource

The client_id and client_secret, by default, should go in the Authorization header, not the form-urlencoded body. Concatenate your client_id and client_secret, with a colon between them: abc@gmail.com:12345678. Base 64 encode the result: YWJjQGdtYWlsLmNvbToxMjM0NTY3OA== Set the Authorization header: Authorization: Basic YWJjQGdtYWlsLmNvbToxMjM0NTY3OA==

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)