How can I use Laravel Sanctum in a distributed system? - laravel

I need to use Laravel Sanctum in a distributed system. In this case, I have 3 participants:
The user
The API server
The authentication server
The authentication server is only for generating and validating tokens; the API must perform the authentication by calling the authentication server and sending the token in the Authorization header of the request. This token is sent by the user when calling the API (the user had to request a token from the authentication server before).
I want to use Laravel 8 in the API server and also in the authentication server. I know that I can use Laravel Sanctum to handle the API authentication, but it has to be in the same server that the API is in: the middleware auth:sanctum works by searching for the token in the same database that the API is in, but now I need the middleware to search for the token in the authentication server, which has another Laravel installation with another database. How can I do that? Do I need to do it manually?
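The remote validation the question describes (the API server forwarding the bearer token to the authentication server) can be done with a custom middleware used in place of auth:sanctum. This is an added example, not code from the question; the config key services.auth_server.url and the /api/tokens/validate endpoint on the authentication server are assumptions.

```php
<?php
// Added example (not the question author's code): API-server middleware that validates
// the bearer token against the separate authentication server instead of the local
// Sanctum tables. Assumed: config key services.auth_server.url and an endpoint
// /api/tokens/validate there, i.e. a route behind auth:sanctum returning $request->user().
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Client\ConnectionException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;

class AuthenticateViaAuthServer
{
    public function handle(Request $request, Closure $next)
    {
        $token = $request->bearerToken();
        if ($token === null) {
            abort(401, 'Missing bearer token.');
        }

        // Cache under a hash of the token (never the raw token) and only briefly,
        // so a token revoked on the auth server stops working within seconds.
        $cacheKey = 'remote-auth:' . hash('sha256', $token);
        $user = Cache::get($cacheKey);

        if ($user === null) {
            try {
                $response = Http::timeout(3)
                    ->withToken($token)   // forwards "Authorization: Bearer <token>"
                    ->acceptJson()
                    ->get(rtrim(config('services.auth_server.url'), '/') . '/api/tokens/validate');
            } catch (ConnectionException $e) {
                abort(503, 'Authentication service unavailable.'); // fail closed
            }

            // Non-2xx means invalid, expired or revoked token.
            $user = $response->successful() ? ($response->json()['user'] ?? null) : null;
            if ($user === null) {
                abort(401, 'Invalid or expired token.');
            }
            Cache::put($cacheKey, $user, now()->addSeconds(30));
        }

        // Expose the remote identity to controllers; there is no local users table.
        $request->attributes->set('auth_user', $user);
        return $next($request);
    }
}
```

Register the class under $routeMiddleware in app/Http/Kernel.php of the API server and apply it to the API routes instead of auth:sanctum; on the authentication server, the validate route is an ordinary auth:sanctum-protected route that returns $request->user().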

Related

Laravel API Based Validation / Auth

I am currently using an API to validate login credentials.
I have gotten to the point where I am sending username/password correctly.
This API will return a boolean, depending on whether those credentials are correct,
along with the entire user's information, including their address etc.
How can I correctly store this into Laravel Auth, so I can use Auth::user etc. in Blade?
I do NOT have database access, only API access to validate user login details.
I cannot create a local Laravel database, as this application has to be completely API-based.
I am using Guzzle to query the API.
You should try using JWT for authentication; implementing your own API authentication can cause some security issues if not done right.
Also, JWT for Laravel already has support for Laravel's authentication system.

Generate api token for users in database laravel

I have a database of users that works with web login based on Laravel sessions. Now I want to generate an API token for each of these users for an API login; how can I generate it? I have already migrated the database for this new column, but I need each user to have their API token.
I'd recommend you use Laravel Passport. APIs typically use tokens to authenticate users and do not maintain session state between requests. Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes.
If you need a session mechanism then you should use Laravel Passport.
But if you are building a traditional stateless REST API then you can use API Authentication.

How to Validate Auth Token from Request Header

I have 2 servers. The 1st is SAP Hybris. The 2nd is a middleware server.
The middleware server will receive API calls from Hybris and then execute and process the request.
Now I want to make this API call secure with OAuth 2.0 such that only a server having a valid token can call the middleware server through the API.
I have created a user in "OAuth Client" in Hybris. When any request comes with an access token, I need to validate whether the token is valid or not.
Can anyone guide me in configuring this OAuth mechanism in the middleware (Spring Boot)?
Note: The OAuth token is generated by Hybris.
You need to create client tokens from the middleware, not Hybris. If you will call the Hybris API, your middleware needs Hybris OAuth client tokens.

Password Grant access token generation

I'm using the Laravel Passport password grant type to enable my mobile clients (Android, iOS ...) to generate an access token. My mobile clients cannot use the oauth/token route to get access and refresh tokens themselves, because it uses the web middleware (as I understand). My question is:
Should I make the request to oauth/token myself in the server by passing the data mobile clients posted? If I do this, how do I bypass the web middleware? (Manually creating a dummy user and using it to bypass the web middleware is not what I want and is a weird solution.)
In my particular case I always do this by removing \Illuminate\Session\Middleware\AuthenticateSession::class from the web middlewareGroup in app/Kernel.php.
I'm also using laravel-cors to allow Cross-Origin Resource Sharing headers. My apps are API-only and the clients are external (both mobile and web clients are external), and they all authenticate and renew tokens themselves interacting with the Passport routes.

Laravel API Auth with Passport and React

I have a Laravel 5.5 application that's using the session-based auth out of the box. On some of these pages I have React components that need to get/post data from/to an API.
What is the best practice for handling this? Do I simply hide the API endpoints behind the auth? This would work, but should I be using Laravel Passport for this instead?
I've had a play with Passport and it seems that this would work, but I don't need users to be able to create clients and grant 3rd-party applications permission etc. There is just the first-party React app consuming the data from inside the Laravel application (view).
From my initial experimenting with it, it seems I'd need to have the login call made first to receive an access token to then make further calls. As the user will already be authenticated in the session, is there an easier way?
I'm not sure if Passport is intended to be used for this purpose or not. I'd rather take the time to get it right now, as I'd like to get the foundations right if the app scales.
You can proxy authentication with Passport. Using the password grant type, users would still log in with their username/password, then behind the scenes make an internal request to Passport to obtain an access token.
Restrict what routes are available when registering in a service provider by passing in:

    use Laravel\Passport\Passport;

    // In AuthServiceProvider::boot()
    Passport::routes(function ($router) {
        $router->forAccessTokens();
        $router->forTransientTokens();
    });

That limits access to personal tokens and refresh tokens only. A client will be created when you run php artisan passport:install.
Set up a middleware to merge the password grant client id and secret in with the request, then make a call to the authorization endpoint. Then it's just a matter of returning the encrypted token and observing the Authorization header for requests to your API.
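The proxy this answer outlines (merging the password-grant client id and secret server-side, then calling oauth/token internally) as an added example, not the answerer's code; the services.passport.* config keys and the route paths are assumptions.

```php
<?php
// Added example (not the answer author's code): first-party controller proxying the
// Passport password and refresh-token grants so the client secret never leaves the server.
// The services.passport.* config keys and the route paths are assumptions.
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class TokenProxyController extends Controller
{
    // POST /api/login {email, password}
    public function issue(Request $request)
    {
        $c = $request->validate(['email' => 'required|email', 'password' => 'required|string']);
        return $this->proxyToPassport([
            'grant_type' => 'password',
            'username'   => $c['email'],
            'password'   => $c['password'],
        ]);
    }

    // POST /api/refresh {refresh_token}
    public function refresh(Request $request)
    {
        $c = $request->validate(['refresh_token' => 'required|string']);
        return $this->proxyToPassport([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $c['refresh_token'],
        ]);
    }

    private function proxyToPassport(array $params)
    {
        // Merge the password-grant client id/secret here: the React component only
        // ever sends the user's own credentials, never the client secret.
        $tokenRequest = Request::create('/oauth/token', 'POST', $params + [
            'client_id'     => config('services.passport.password_client_id'),
            'client_secret' => config('services.passport.password_client_secret'),
            'scope'         => '',
        ]);
        // Dispatch internally through the HTTP kernel; on success Passport's JSON
        // body already carries access_token, refresh_token and expires_in.
        $response = app()->handle($tokenRequest);
        if ($response->getStatusCode() !== 200) {
            // Generic error instead of Passport's own error body.
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }
        return $response;
    }
}
```

The client id and secret come from server-side config (populated from the .env values written by php artisan passport:install), so the browser only ever holds the issued access and refresh tokens.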
