1

I am currently developing an API that I plan to secure using OAuth2.

I have chosen: https://github.com/lucadegasperi/oauth2-server-laravel/

I have managed to secure the endpoint (using before=>oauth in my API routes) by following the installation guide, but I am at a loss as to how I am going to be able to authenticate and access the endpoint.

I do understand that you first need to request an access_token by sending a client_id and client_secret, but what I don't get is where I set those on the OAuth server.

I see the oauth controller has endpoints for these like:

http://somedomain.com/oauth/authorize

http://somedomain.com/oauth/access_token

But I am clueless about what to do with them. I only managed to arrive at the conclusion that it needs a client_id, a client_secret, and something about scopes.

Where can I set these values for the api client to use?

Thank you for your help in advance.

1 Answer

3

I don't know Laravel, but in general, the authorization endpoint (in your case, http://somedomain.com/oauth/authorize) behaves as described in RFC 6749.

The specification defines four flows. If you use the Authorization Code flow, you should access the authorization endpoint with the following request parameters.

  1. response_type=code (required)
  2. client_id={your-client-id} (required)
  3. scope={space-delimited-scope-names} (optional)
  4. redirect_uri={your-redirect-uri} (conditionally optional)
  5. state={any-arbitrary-string} (optional)

For example,

http://somedomain.com/oauth/authorize?response_type=code&client_id=your-client-id&scope=profile+email

The authorization endpoint generates an authorization code and returns it to your browser.

The next step is to access the token endpoint (in your case, http://somedomain.com/oauth/access_token) with the authorization code which has been issued from the authorization endpoint. Like this,

POST
http://somedomain.com/oauth/access_token?grant_type=authorization_code&code=issued-authorization-code&client_id=your-client-id&client_secret=your-client-secret

Anyway, I recommend you read RFC 6749.
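The two requests the answer describes, modelled end to end as an added example. This is toy code written for this page, not the Laravel package's implementation: it stands in both the authorization server (the `AuthServer` class, with the two endpoint URLs from the answer and a `register_client` step that is where a client_id/client_secret pair comes from) and the client application (`ApiClient`). All class, method and parameter names, the user "alice" and the callback URL are assumptions made for the example. One deliberate difference from the answer's URL: the client credentials and code are sent in the POST form body, as RFC 6749 section 4.1.3 specifies, rather than in the query string, so they do not land in access logs.

```python
"""Added example: the RFC 6749 Authorization Code flow modelled in-process.
Both sides are toy code written for this page, not the Laravel package."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "http://somedomain.com/oauth/authorize"  # endpoints named in the answer
TOKEN_URL = "http://somedomain.com/oauth/access_token"
CODE_LIFETIME = 600  # seconds; RFC 6749 recommends a maximum of 10 minutes


class AuthServer:
    """Toy authorization server: holds the client registry, issues codes and tokens."""

    def __init__(self):
        self.clients = {}  # client_id -> {"name", "secret", "redirect_uri"}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "scope", "user", "expires"}

    def register_client(self, name, redirect_uri):
        """The step the question asks about: the server generates and stores the
        client_id / client_secret pair; the operator hands them to the client app."""
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = {"name": name, "secret": client_secret,
                                   "redirect_uri": redirect_uri}
        return client_id, client_secret

    def authorize(self, url, user):
        """GET /oauth/authorize, assuming `user` is logged in and has consented.
        Returns the redirect URL carrying the code (RFC 6749 section 4.1.2)."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code":
            raise ValueError("invalid_request")
        # Only the registered redirect_uri is accepted; never redirect to an arbitrary URL.
        redirect_uri = q.get("redirect_uri", client["redirect_uri"])
        if redirect_uri != client["redirect_uri"]:
            raise ValueError("invalid_redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": redirect_uri,
                            "scope": q.get("scope", ""), "user": user,
                            "expires": time.time() + CODE_LIFETIME}
        params = {"code": code}
        if "state" in q:
            params["state"] = q["state"]  # echoed back unmodified, as the RFC requires
        return f"{redirect_uri}?{urlencode(params)}"

    def access_token(self, form):
        """POST /oauth/access_token with a form body (RFC 6749 section 4.1.3).
        Returns the token response dict on success, or an error dict."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"],
                                                     form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        grant = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
        if (grant is None or grant["client_id"] != form["client_id"]
                or grant["redirect_uri"] != form.get("redirect_uri")
                or grant["expires"] < time.time()):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}


class ApiClient:
    """The client application (the API consumer the question is building)."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.pending_state = redirect_uri, None

    def authorize_url(self, scopes):
        # state is a fresh random value tied to this session; it is the CSRF check.
        self.pending_state = secrets.token_urlsafe(16)
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": " ".join(scopes),
            "state": self.pending_state})

    def handle_callback(self, redirect_url):
        """Parse the redirect back to us; reject it unless state matches what we sent."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if self.pending_state is None or not hmac.compare_digest(q.get("state", ""),
                                                                 self.pending_state):
            raise ValueError("state mismatch: possible CSRF or code injection")
        self.pending_state = None
        return q["code"]

    def token_request(self, code):
        """Form body for the POST to TOKEN_URL; credentials go in the body, not the query."""
        return {"grant_type": "authorization_code", "code": code,
                "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                "client_secret": self.client_secret}


def run_flow():
    """Full round trip; returns (token_response, replay_response) for inspection."""
    server = AuthServer()
    cid, csecret = server.register_client("my-app", "https://app.example/callback")
    client = ApiClient(cid, csecret, "https://app.example/callback")
    redirect = server.authorize(client.authorize_url(["profile", "email"]), user="alice")
    code = client.handle_callback(redirect)
    token = server.access_token(client.token_request(code))
    replay = server.access_token(client.token_request(code))  # second use must fail
    return token, replay
```

`run_flow()` walks the browser redirect and the back-channel token POST in order, then presents the same code a second time to show that a consumed code is rejected. The checks worth carrying over to a real deployment are the ones a toy makes visible: the server only redirects to the registered redirect_uri, the client refuses a callback whose state it did not issue, the code expires and is single-use, and the secret comparison is constant-time.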


2 Comments

Yes, I understand the needed parameters. But like I've said, I don't know where to get {your-client-id}. Where do I set that? Do I insert it manually into the database and tell it to the client?
I think Laravel has (and should have) a function to issue and manage client IDs. Managing client applications is, although it is not mentioned in RFC 6749, one function that an OAuth server is expected to implement. If you had to insert a client ID into the database manually, it would mean that Laravel is missing an important feature. For example, Authlete (authlete.com), which is an implementation of OAuth 2.0/OpenID Connect as BaaS, provides an API set to manage client applications (authlete.com/authlete_web_apis_client.html). Laravel should have an equivalent.
