Set up OAuth2 server using Laravel Passport

Laravel is one of my favorite frameworks, not because it is the best, but because it provides a far better developer experience than any other framework. Laravel 5.3 comes with a handful of new features like Passport, Scout and Notifications that will make our lives even easier.

Passport is a Laravel package which provides a complete OAuth2 implementation out of the box. It is built on top of the OAuth2 server library by The League of Extraordinary Packages. If you have ever tried to set up an OAuth server, you know it's not easy to get everything right. Now we can install Passport and, with some configuration, our application will be OAuth2 ready.

Before we dive into Passport, it's important to understand a few concepts, especially what a grant is and the different types of grants in OAuth2.

When a client application wants to access a protected resource from the API server, it must present an access token to authenticate the request. A grant is nothing but a way of obtaining that access token from the authorization server. There are five types of grants: four of them are for obtaining an access token, whereas the other one is for refreshing/renewing an existing access token.

Authorization Code grant

The Authorization Code grant is the most common flow, used when we want to allow third-party application developers to access protected information from our application. The client application must obtain the user's authorization to access the data.

Most of the popular APIs implement this grant. In the case of Facebook, when a user wants to log in to our website, we redirect them to Facebook to log in there. After login, Facebook asks the user whether they want to authorize our application to access their information on Facebook. Once approved, the user is redirected back to our application along with an authorization code. Our application then uses this code to obtain an access token from Facebook, which can be used to get the user details. This process is called 3-Legged OAuth.

Implicit Grant

The Implicit grant is similar to the Authorization Code grant, except that the authorization server sends the access token directly instead of an authorization code, so this flow doesn't need the third step to obtain the access token. You may wonder why we would need this when the Authorization Code grant is better. Well, the Authorization Code grant requires server-side code to talk to the authorization server (Facebook) and exchange the code for the access token. If what we have is a JavaScript app that just lives in the browser, it will be difficult to get the access token using the Authorization Code flow. In those situations, we can use the Implicit grant.

Resource Owner Password Credentials Grant

This grant is suitable when dealing with a client that we trust, like a mobile app for our own website. In this case, the client sends the user's login credentials to the authorization server, and the server directly issues the access token.

Resource Owner == User

Client Credentials Grant

This grant is useful when the client/app itself is the resource owner and no user interaction is required (machine-to-machine communication), for example when the app wants to show a catalog to the user or store some app-related data on the server.

Refresh token grant

When the server issues an access token, it also sets an expiry for it. The Refresh Token grant is used when we want to renew the access token once it has expired. In this case, the authorization server sends a refresh token along with the access token, which can later be used to request a new access token. Note that this flow is not available when using the Implicit grant.
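The Authorization Code, Client Credentials and Refresh Token grants described above, modelled as a small in-memory authorization server. This is an added example, not Passport's code or the article's; the client id `app-1`, its secret, the redirect URI and the 60-second code lifetime are assumed sample values. It also shows the checks these grants rely on: a code is redeemable once, only by the client and redirect URI it was issued to, and a refresh token is rotated when it is used.

```python
# Simplified in-memory OAuth2 authorization server modelling the authorization code, client credentials
# and refresh token grants. Constructed example, NOT Laravel Passport's code; all client values are made up.
import secrets, time

CLIENTS = {"app-1": {"secret": "s3cr3t", "redirect_uri": "https://app.example/callback"}}
codes, refresh = {}, {}  # outstanding authorization codes / refresh tokens, keyed by value

def authorize(client_id, redirect_uri, user_id):  # leg 1: the user approved the client
    client = CLIENTS.get(client_id)
    if not client or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(16)  # short-lived, single-use code sent back via the redirect
    codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "user_id": user_id, "expires_at": time.time() + 60}
    return code

def _issue(client_id, user_id, with_refresh=True, ttl=3600):
    resp = {"token_type": "Bearer", "expires_in": ttl, "access_token": secrets.token_urlsafe(32)}
    if with_refresh:  # record the refresh token so it can be redeemed (once) later
        resp["refresh_token"] = secrets.token_urlsafe(32)
        refresh[resp["refresh_token"]] = {"client_id": client_id, "user_id": user_id}
    return resp

def token(req):  # leg 2: the /token endpoint; every grant authenticates the client first
    client = CLIENTS.get(req.get("client_id"))
    if not client or not secrets.compare_digest(client["secret"], req.get("client_secret", "")):
        return {"error": "invalid_client"}
    if req.get("grant_type") == "authorization_code":
        code = codes.pop(req.get("code"), None)  # pop: a code can be redeemed exactly once
        if (not code or code["expires_at"] < time.time() or code["client_id"] != req["client_id"]
                or code["redirect_uri"] != req.get("redirect_uri")):
            return {"error": "invalid_grant"}
        return _issue(req["client_id"], code["user_id"])
    if req.get("grant_type") == "refresh_token":
        old = refresh.pop(req.get("refresh_token"), None)  # rotate: the old refresh token is spent
        if not old or old["client_id"] != req["client_id"]:
            return {"error": "invalid_grant"}
        return _issue(req["client_id"], old["user_id"])
    if req.get("grant_type") == "client_credentials":  # machine-to-machine: no user, no refresh token
        return _issue(req["client_id"], None, with_refresh=False)
    return {"error": "unsupported_grant_type"}

def demo():  # three-legged flow, then a replay of the spent code, then a refresh
    creds = {"client_id": "app-1", "client_secret": "s3cr3t", "redirect_uri": CLIENTS["app-1"]["redirect_uri"]}
    code = authorize("app-1", creds["redirect_uri"], user_id=42)
    first = token(dict(creds, grant_type="authorization_code", code=code))
    replay = token(dict(creds, grant_type="authorization_code", code=code))
    renewed = token(dict(creds, grant_type="refresh_token", refresh_token=first["refresh_token"]))
    return first, replay, renewed
```

Calling `demo()` returns a valid token response, an `invalid_grant` error for the replayed code, and a second token response carrying new access and refresh tokens.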

Passport supports all of the above grants except implicit grant.

This article is a shorter, step-by-step version of how to use Passport, which will help you quickly set up the server without going into the details. For more details, please refer to the documentation.

Setting up OAuth2 Server


Originally published at www.laravelfeed.com.