Laravel Authentication Using Passport

Mastering Laravel Authentication with Passport: A Step-by-Step Guide

Authentication is a cornerstone of modern web applications. In Laravel, Passport provides a full OAuth2 server implementation, enabling API authentication seamlessly. This guide walks you through the entire process of setting up Laravel Passport, from installation to securing and testing your API.

---

Introduction

Why Use Laravel Passport?

Laravel Passport simplifies the complexities of OAuth2 authentication by integrating it tightly with Laravel's ecosystem. With Passport, you can:

• Authenticate API users securely.
• Generate personal access tokens for mobile and web clients.
• Manage token expiration and revocation easily.

---

Prerequisites

Before diving in, ensure you have:

1. A basic understanding of Laravel.
2. A Laravel project (v10.x or later is recommended) installed and configured with a database.
3. PHP 8.0 or later installed.

If you don’t have a project set up, create one with:

composer create-project --prefer-dist laravel/laravel passport-auth
cd passport-auth

---

Step 1: Install Laravel Passport

Install the Package

Run the following command to add Passport to your project:

composer require laravel/passport

Publish and Migrate Passport Files

Publish the Passport migrations and configuration files:

php artisan vendor:publish --tag=passport-migrations
php artisan migrate

---

Step 2: Configure Laravel Passport

Install Encryption Keys and Clients

Run the installation command:

php artisan passport:install

This generates encryption keys and creates OAuth clients in your database. Make note of the output, especially the client IDs and secrets.

Optional: Create a Personal Access Client

To create a personal access client explicitly, run:

php artisan passport:client --personal

---

Step 3: Update the Model

Add the HasApiTokens trait to your user model:

use Laravel\Passport\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;

    // Other properties...
}

---

Step 4: Update Auth Configuration

Configure Passport as the driver for API guards in config/auth.php:

'guards' => [
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],

---

Step 5: Register Passport Routes

In AppProvidersAppServiceProvider, load Passport's routes:

use Laravel\Passport\Passport;

public function boot(): void
{
    Passport::routes();
    Passport::tokensExpireIn(now()->addDays(15));
    Passport::refreshTokensExpireIn(now()->addDays(30));
    Passport::personalAccessTokensExpireIn(now()->addMonths(6));
}

---

Step 6: Build Authentication API Endpoints

Add Routes

Define API routes in routes/api.php:

use App\Http\Controllers\AuthController;

Route::post('/register', [AuthController::class, 'register']);
Route::post('/login', [AuthController::class, 'login']);
Route::middleware('auth:api')->get('/user', [AuthController::class, 'user']);

Create the Authentication Controller

Implement authentication methods:

composer create-project --prefer-dist laravel/laravel passport-auth
cd passport-auth

---

Step 7: Set Permissions for Encryption Keys

Ensure secure access to Passport keys:

composer require laravel/passport

Verify permissions:

php artisan vendor:publish --tag=passport-migrations
php artisan migrate

Expected output:

php artisan passport:install

---

Step 8: Test the API

Use Postman or any API client to test endpoints:

1. Register: Send a POST request to /register with name, email, and password.
2. Login: Send a POST request to /login with email and password.
3. Get User Data: Send a GET request to /user with the token in the Authorization header.

---

Best Practices

• Use HTTPS in production.
• Rotate encryption keys periodically.
• Validate inputs thoroughly.
• Limit token scopes for better security.

---

Conclusion

Congratulations! You've successfully implemented API authentication using Laravel Passport. This setup provides a robust foundation for securing your API. Explore advanced Passport features like scopes, token revocation, and client credentials to further enhance your application's security.

---

The above is the detailed content of Laravel Authentication Using Passport. For more information, please follow other related articles on the PHP Chinese website!