I'm trying to build a Laravel app that uses an API to get and update info. Some API routes should only be accessible to logged-in users.
I have implemented JWT, so on login a token is generated for the user and passed to JavaScript. Also, I removed expiry from the tokens to avoid a situation where the user can see the admin panel but the token is expired and he can't do anything.
So now I have a problem: if a user logs out and logs back in, he gets a new token, but the old token is still usable. How can I delete the JWT token for a given user?
I am trying to understand how auth in an SPA context with a JWT token should be implemented, based on a Register / Login / Logout process. I have been searching on the web and have implemented tymon jwt on the Laravel side, but I am confused about the next step regarding the register form and the login form.
Do I understand correctly that when my user registers for the first time on my website, this is the moment at which the JWT token should be generated and recorded in a cookie? If yes, is it Vue or Laravel which should record the JWT token in a cookie? I suppose Vue?! If yes, in which manner?
Other question: what happens if the user clears the browser cache and eliminates the cookie containing the JWT from his computer? Does he need to register again to get a new token?? I am totally confused about the process.
Getting a more detailed and step by step process would help.
Thanks
The rough sketch for JWT authentication works like this:
Registration (optional, if the user is not registered yet): the user fills in the registration form, which is posted to the register route. The user account is created and the API responds with 201 (content created).
Login: the user uses his credentials to log in to the app. The credentials are verified and a JWT token is issued and sent back to the user.
Vue handles the JWT token and stores the provided token in cookies (you can use js-cookie to handle this, usually in Vuex state).
The token is sent with every request to the server; the server verifies the token and then the request proceeds.
Logging out asks the server to invalidate the token and then removes the token from the cookies.
You can use Laravel Passport, Laravel Sanctum or tymon/Jwt for token management.
I've gotten Laravel 5.6 set up with Passport and working with the Implicit grant.
The only thing I don't understand is, every time I hit /oauth/authorize, a new access token is generated in the database. If there is no existing token, it will prompt the user to authorise the request and then create a new access token that expires in 1 year.
If a token already exists and is valid (e.g. user already authorised the request before), it logs the user in directly but also creates a new access token (leaving n+ tokens available instead of invalidating the previous tokens).
This means that my users will see duplicates in their 'authorised applications' screen, which doesn't look right.
Is this normal? Should I be doing something more when logging out instead of just deleting the token locally?
I have a question about Laravel Passport... I did the code and it is working very well; my question is about the token.
My friend has a mobile app which will connect to my Laravel API... I already gave him a grant token. My question is, do I have to give him a new token every time he wants to connect to the API, or is just that one enough? One token and it works every time?
I think that it works like this:
He wants to connect.
He passes the token to access the API.
The API creates a response.
Am I correct?
For a mobile application you should use the password grant for API protection. For the password grant, the general concept is that the API will give the app client the following parameters for accessing the auth client to get an access token and refresh token:
grant_type: password
client_id
client_secret
When the user logs in to the mobile application, the mobile app will use the above parameters and also the user's username and password to request a user-specific access token. This token usually will be active for 60 minutes; after 60 minutes, the app client needs to use the refresh token to get a new access token.
After getting the user access token, for the rest of your app's API, the mobile client needs to use this access token to access them.
For Laravel Passport, you can check out the password grant document here:
https://laravel.com/docs/5.4/passport#creating-a-password-grant-client
To understand more about what the password grant is, check out this link:
https://www.oauth.com/oauth2-servers/access-tokens/password-grant/
Note: From what I understand from your description, the grant type you are using is the Client Credentials Grant; this type is best for system-to-system API authentication.
Does anyone know how to get the app access token for a OneDrive API app?
I've tried combining {appId}|{appSecret} as the access_token param and as the Authorization header, but it doesn't seem to work.
Thanks,
The OneDrive API docs have a good section on getting auth tokens with OAuth. In a nutshell, there are two services involved -- the OneDrive API service and the authentication service. The OneDrive API only accepts OAuth tokens that were issued by the authentication service. The authentication service is what you talk to first to get an auth token.
Depending on your app, you can either use the token flow or the code flow to get an auth token. In the 'token' flow, you navigate the user's browser to the authentication endpoint with your appId. The user may need to log in, consent, etc., and then the authentication endpoint redirects back to your site with an auth token you can use. The 'code' flow is similar to the 'token' flow, except it redirects back with an authentication code that your client app can use (along with its client secret) to obtain an auth token and a refresh token. Once you have a refresh token, you can use that to obtain future auth tokens without the user's involvement (as long as they granted the wl.offline_access scope).
I'm using the hybridauth library.
The Hybridauth documentation says persistent sessions are possible by storing the session data.
Let's say I stored the user's session data in my database. It contains the OAuth token, OAuth refresh token, etc.
Using the OAuth token, it's possible to contact the OAuth server without asking the user for permission.
Everything is fine so far. Now, how exactly do I log the user in automatically if the user is logged into Google?
I mean, do I have to use any cookies?
I can't specifically help you with the library you are using, but have you looked at this? https://developers.google.com/accounts/docs/OAuth2Login
If you do an authorization for login as well, you'll get a token back and you can use that to get the user ID of the user at Google:
This field is only present if the https://www.googleapis.com/auth/userinfo.profile scope was present in the request for the access token. The value of this field is an immutable identifier for the logged-in user. Store this and you should have a durable identifier for the user.