What is Passport in Laravel? [closed]
I am a starter of web services. I have to make APIs using Laravel for a mobile application. In the Laravel documentation, I have got API Authentication (Passport). I am trying to understand it, but it is not clear.
Can anyone tell me about it in detail?
Thanks in advance
Solution 1:[1]
Well, here it is:
The documentation you shared has a pretty good introduction if you go to the introduction tab. I think you know what a RESTful API is, right? If you don't, here. So since REST APIs don't use sessions (in PHP, you know this), all API calls will be stateless (sessionless), so you will need an authentication mechanism to verify the client. So that's where this authentication method comes in. This OAuth service is designed specifically to resolve this issue when dealing with REST stateless sessions.
Suppose you have heard of tokens. When a user registers and logs in later, the system will check the user's login details with the database at the time of the login. The system will generate a token if the user authenticates (username and password matched). This token is somewhat like a session, but the cool part is that it rests on the client machine. So this is somewhat like session details that stay on the client side. On a REST request, the token will be passed along with the header.
**Now, the generating mechanism of the token**
You might be wondering how this must be a piece of cake to hack then. No, it's not, because now, let's say you have a client-side token including this data.
{
    username:"JhonSnow",
    email:"[email protected]",
    type:"user"
}
Now firstly, this token is encrypted using base64url encoding. Ok, now this can be reversed using the base64 decoder. But the excellent part is even if the attacker can gain this information from the token, he will not be able to escalate the application privilege like this:
`type:"user"`
to
`type:"admin"`
Because this session-like token's integrity can be checked using the server-side authentication mechanism provided by OAuth, this is commonly used and very popular in web development. Now I mentioned how the token is structured in detail; it's a little complicated. It's more like this:
header:{
    "alg": "HS256",
    "typ": "JWT"
},
payload:{
    "sub": "1234567890",
    "name": "John Doe",
    "iat": 1516239022
}
Now using these details will generate the token like the following.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.he0ErCNloe4J7Id0Ry2SEDg09lKkZkfsRiGsdX_vgEg
If you look closely, you can see three parts separated by 2 "." (period) characters in this token to differentiate the header, payload, and signature. The last part, known as the signature, is the one the server will check with the server's secret to validate whether this token is a valid token or not.
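The integrity check described in this answer, as an added example that is not part of the original answer and is not Laravel Passport's own code: an HS256 token is signed and verified with the Python standard library, then the `type` claim is edited while the old signature is kept. The secret, the claims and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed sample key; only the server holds it

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature using HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify(token: str, secret: bytes):
    """Return the payload if the signature matches, otherwise None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        if header.get("alg") != "HS256":  # the server pins the algorithm, not the token
            return None
        signing_input = f"{head_b64}.{body_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # header or payload changed after signing, or wrong key
        return json.loads(b64url_decode(body_b64))
    except (ValueError, AttributeError):  # malformed base64, JSON or segment count
        return None

def tamper_type(token: str, new_type: str) -> str:
    """Rewrite the readable payload on the client side, keeping the old signature."""
    head_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(body_b64))
    claims["type"] = new_type
    forged = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head_b64}.{forged}.{sig_b64}"

token = sign({"username": "JhonSnow", "type": "user"}, SECRET)
forged = tamper_type(token, "admin")
print(verify(token, SECRET), verify(forged, SECRET))
```

The payload of the edited token still decodes to `type: "admin"`, which is why the server must only trust claims returned by a successful signature check.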
Solution 2:[2]
Today, an API is also known as a web service. Web services are very important when you are developing web and mobile apps. You are required to create an API for your mobile application developer. As we know, Laravel is more popular because of creating APIs. But if you are a starter and you don't know what APIs and web services are, then you are in the right place.
What is Passport?
APIs typically use tokens to authenticate users and do not maintain session state between requests. Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes.
More information here
https://mattstauffer.com/blog/introducing-laravel-passport/
http://esbenp.github.io/2017/03/19/modern-rest-api-laravel-part-4/
Solution 3:[3]
An API is also known as a web service.
Install the basic authentication system integrated in Laravel and Laravel Passport:
composer require laravel/passport
php artisan make:auth
php artisan passport:install
php artisan migrate
Add the Laravel\Passport\HasApiTokens trait to our App\User model and the Passport::routes method within the boot method of our app/AuthServiceProvider like that:
public function boot() {
    $this->registerPolicies();
    // Register the routes Passport uses to issue and revoke access tokens
    Passport::routes();
}
And finally set the driver option of the api authentication guard to passport like that:
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],
Now test that everything is OK with Postman (you can use any other tool to simulate HTTP requests).
The register route returns a token (because it automatically logs you in), but we will regenerate it with the login route to check that it works well.
In this way you can use Laravel Passport in your web application.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Karl Hill |
Solution 2 | Ismoil Shifoev |
Solution 3 | piet.t |