在有限的生命周期内使用 Passport 发行访问令牌
Issuing Access Tokens with Passport in limited lifetime
后端:Laravelapi。
前端:Angular。
在 Laravel 上设置 Passport 包后,我使用常规方式对用户进行身份验证,然后以这种方式颁发令牌:
$newToken = $user->createToken('myapp')->accessToken;
这工作正常,但问题是令牌生命周期为 1 年,因为它认为 Personal Access Tokens 并且如文档所述:
Personal access tokens are always long-lived. Their lifetime is not
modified when using the tokensExpireIn or refreshTokensExpireIn
methods.
我的问题是如何在我的应用程序中为我的用户颁发有限生命周期的令牌?
另一方面,暴露 client_secred
和 client_id
似乎很危险,所以我不能打电话oauth/token
来自我的 angular 应用
我确定这不是最好的解决方案,但这是我想到的,非常感谢 回答:
首先在您的身份验证控制器中添加这个受保护的方法。
protected function oauthLogin(Request $request)
{
$client = DB::table('oauth_clients')
->where('password_client', true)
->first();
$request->request->add([
"grant_type" => "password",
"username" => $request->email,
"password" => $request->password,
"client_id" => $client->id,
"client_secret" => $client->secret,
]);
$tokenRequest = $request->create(
env('APP_URL') . '/oauth/token',
'post'
);
$instance = Route::dispatch($tokenRequest);
return json_decode($instance->getContent());
}
然后只有在验证用户后才调用登录方法中的方法:
public function login(Request $request)
{
$credentials = $request->only('email', 'password');
try {
// verify the credentials and create a token for the user
if ($token = Auth::guard('web')->attempt($credentials)) {
$user = Auth::guard('web')->user();
$roles = $user->roles()->get()->pluck('name');
$accessToken = $this->oauthLogin($request)->access_token; // instead of $user->createToken('token')->accessToken,
return response()->json([
'token' => $accessToken,
'roles' => $roles,
'email' => $request->input('email')
]);
} else {
return response()->json(['error' => 'invalid_credentials'], 401);
}
} catch (Exception $e) {
// something went wrong
return response()->json(['error' => 'could_not_create_token'], 500);
}
}
这种方式发行的token仅限于你在AuthServiceProvider.php中设置的时间:
public function boot()
{
$this->registerPolicies();
//
Passport::routes();
Passport::tokensExpireIn(now()->addHour(1));
Passport::refreshTokensExpireIn(now()->addHour(1));
}
后端:Laravelapi。 前端:Angular。
在 Laravel 上设置 Passport 包后,我使用常规方式对用户进行身份验证,然后以这种方式颁发令牌:
$newToken = $user->createToken('myapp')->accessToken;
这工作正常,但问题是令牌生命周期为 1 年,因为它认为 Personal Access Tokens 并且如文档所述:
Personal access tokens are always long-lived. Their lifetime is not modified when using the tokensExpireIn or refreshTokensExpireIn methods.
我的问题是如何在我的应用程序中为我的用户颁发有限生命周期的令牌?
另一方面,暴露 client_secred
和 client_id
似乎很危险,所以我不能打电话oauth/token
来自我的 angular 应用
我确定这不是最好的解决方案,但这是我想到的,非常感谢
首先在您的身份验证控制器中添加这个受保护的方法。
protected function oauthLogin(Request $request)
{
$client = DB::table('oauth_clients')
->where('password_client', true)
->first();
$request->request->add([
"grant_type" => "password",
"username" => $request->email,
"password" => $request->password,
"client_id" => $client->id,
"client_secret" => $client->secret,
]);
$tokenRequest = $request->create(
env('APP_URL') . '/oauth/token',
'post'
);
$instance = Route::dispatch($tokenRequest);
return json_decode($instance->getContent());
}
然后只有在验证用户后才调用登录方法中的方法:
public function login(Request $request)
{
$credentials = $request->only('email', 'password');
try {
// verify the credentials and create a token for the user
if ($token = Auth::guard('web')->attempt($credentials)) {
$user = Auth::guard('web')->user();
$roles = $user->roles()->get()->pluck('name');
$accessToken = $this->oauthLogin($request)->access_token; // instead of $user->createToken('token')->accessToken,
return response()->json([
'token' => $accessToken,
'roles' => $roles,
'email' => $request->input('email')
]);
} else {
return response()->json(['error' => 'invalid_credentials'], 401);
}
} catch (Exception $e) {
// something went wrong
return response()->json(['error' => 'could_not_create_token'], 500);
}
}
这种方式发行的token仅限于你在AuthServiceProvider.php中设置的时间:
public function boot()
{
$this->registerPolicies();
//
Passport::routes();
Passport::tokensExpireIn(now()->addHour(1));
Passport::refreshTokensExpireIn(now()->addHour(1));
}