Authorize SPA client using client credential grant token and personal access token - Laravel Passport


First I will put them in context.

I am developing a REST API using Laravel, with OAuth2 as the authorization method via the Laravel Passport implementation.

On the other hand, I am developing a JavaScript client (Single Page Application or SPA) that will consume the REST API.

The situation is as follows:

Some endpoints of the REST API should always be accessible by the client (a valid client, since the API is not published) and other endpoints should only be accessible by the client when a user is logged in.

In a first approach, what has been proposed is that when the SPA is initially opened in the browser, it obtains a token of type Client Credentials Grant so that it is a valid client and can make requests to the "basic" endpoints of the API. Later, when a user logs in, a Personal Access Token is generated which will allow the client to make requests to all endpoints of the REST API.

I am a bit confused as to how to put this into practice.

I hope, please, you can help me.

asked by jmardz 07.05.2018 at 23:07

1 answer


I do not understand the question. The way I would do it is with password grant tokens.

The application should have a client credentials grant token, which ensures that requests will only be made from the authorized client. With each request you must send the token, which you get from link.

Additionally, there will be an endpoint that generates your user's personal token at the same address, passing these parameters:

    // Body of the POST request to Passport's token route (the address linked above)
    'form_params' => [
        'grant_type' => 'password',
        'client_id' => 'client-id',
        'client_secret' => 'el secret de tu cliente',
        'username' => '[email protected]',
        'password' => 'la-contraseña',
        'scope' => '*',
    ],

which returns a token that you must send with each request of the logged-in user.

answered on 23.05.2018 at 01:00
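The two-step flow the answer describes, written as an added example for the SPA side; it is not code from the original question or answer. It assumes a token endpoint at `/oauth/token` (Passport's route), a constructed client id `client-id` with secret `client-secret`, a constructed user `user@example.com`, and a mock `fetch` that stands in for the Laravel API so the example runs offline. On startup the manager requests a client credentials token for the "basic" endpoints; after login it exchanges the user's credentials for a password grant token and sends that one instead. One point to keep in mind when reading it: a `client_secret` shipped inside a browser SPA is visible to anyone who loads the app, so on the server side it cannot be relied on to prove which client is calling; the example keeps the secret only because the answer's flow sends it.

```javascript
// Added example (not from the original post). Names, endpoints and the mock
// server below are constructed for illustration.

// Build the form-encoded POST that Passport's /oauth/token route expects.
function buildTokenRequest(endpoint, grant, params) {
  const body = new URLSearchParams({ grant_type: grant, ...params });
  return {
    url: endpoint,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

class PassportTokenManager {
  constructor({ tokenEndpoint, clientId, clientSecret, fetchImpl }) {
    this.tokenEndpoint = tokenEndpoint;
    this.clientId = clientId;
    this.clientSecret = clientSecret; // public in a browser SPA; see the lead-in
    this.fetch = fetchImpl;
    this.appToken = null;  // client_credentials token (basic endpoints)
    this.userToken = null; // password grant token (all endpoints)
  }

  async requestToken(grant, extra) {
    const { url, options } = buildTokenRequest(this.tokenEndpoint, grant, {
      client_id: this.clientId, client_secret: this.clientSecret, scope: '*', ...extra,
    });
    const res = await this.fetch(url, options);
    if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
    const json = await res.json();
    if (json.token_type !== 'Bearer' || !json.access_token) throw new Error('unexpected token response');
    return json.access_token;
  }

  // Step 1: run once when the SPA loads.
  async bootstrap() { this.appToken = await this.requestToken('client_credentials', {}); return this.appToken; }
  // Step 2: run when the user logs in.
  async login(username, password) { this.userToken = await this.requestToken('password', { username, password }); return this.userToken; }
  logout() { this.userToken = null; }

  // Use the user's token while logged in, otherwise fall back to the app token.
  authHeader() {
    const token = this.userToken || this.appToken;
    if (!token) throw new Error('no token available; call bootstrap() first');
    return { Authorization: `Bearer ${token}` };
  }
}

// Constructed mock of the token route plus one "basic" and one user-only API
// endpoint, so the flow can be exercised without a running Laravel app.
function makeMockFetch() {
  let counter = 0;
  const issued = new Map(); // access token -> grant it was issued under
  const reply = (status, data) => ({ ok: status < 400, status, json: async () => data });
  return async (url, options = {}) => {
    if (url.endsWith('/oauth/token')) {
      const p = new URLSearchParams(options.body);
      if (p.get('client_id') !== 'client-id' || p.get('client_secret') !== 'client-secret') return reply(401, { error: 'invalid_client' });
      const grant = p.get('grant_type');
      if (grant !== 'client_credentials' && grant !== 'password') return reply(400, { error: 'unsupported_grant_type' });
      if (grant === 'password' && !(p.get('username') === 'user@example.com' && p.get('password') === 'correct-horse')) return reply(400, { error: 'invalid_grant' });
      const token = `tok-${++counter}`;
      issued.set(token, grant);
      return reply(200, { token_type: 'Bearer', expires_in: 3600, access_token: token });
    }
    const auth = (options.headers || {}).Authorization || '';
    const grant = issued.get(auth.replace('Bearer ', ''));
    if (!grant) return reply(401, { message: 'Unauthenticated.' });
    if (url.endsWith('/api/basic')) return reply(200, { ok: true });
    if (url.endsWith('/api/profile')) return grant === 'password' ? reply(200, { user: 'user@example.com' }) : reply(403, { message: 'user token required' });
    return reply(404, {});
  };
}

// Walk through the flow and report the HTTP status of each call.
async function demo() {
  const fetchImpl = makeMockFetch();
  const base = 'https://api.example.test';
  const mgr = new PassportTokenManager({ tokenEndpoint: `${base}/oauth/token`, clientId: 'client-id', clientSecret: 'client-secret', fetchImpl });
  await mgr.bootstrap();
  const basic = await fetchImpl(`${base}/api/basic`, { headers: mgr.authHeader() });
  const profileBefore = await fetchImpl(`${base}/api/profile`, { headers: mgr.authHeader() });
  await mgr.login('user@example.com', 'correct-horse');
  const profileAfter = await fetchImpl(`${base}/api/profile`, { headers: mgr.authHeader() });
  return { basic: basic.status, profileBefore: profileBefore.status, profileAfter: profileAfter.status };
}

demo().then((r) => console.log(r)); // { basic: 200, profileBefore: 403, profileAfter: 200 }
```

The app token alone reaches `/api/basic` but gets a 403 from the user-only endpoint; only after `login()` does `authHeader()` carry a password grant token that the mock accepts there. With a real Passport backend the same split is enforced server side by guarding the user-only routes with the `auth:api` middleware and letting the basic routes accept the client token.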