Laravel 5.1 + OAuth2 Password Grant (password authorization mode)
Background description
This article is part of building a general backend service environment for applications; account verification is one of the basic pieces every application needs.
OAuth2 provides a secure authorization framework: the access_token is the credential a client presents when it accesses protected resources. For a direct interaction between an application's own client and its backend, the password grant is the simpler choice. If you want to build a third-party login platform like Google, Facebook, or Sina Weibo, choose the Authorization Code grant instead.
OAuth type references: https://github.com/lucadegasperi/oauth2-server-laravel/wiki/Choosing-a-Grant
The grant type used in this article is "password", which should be paired with a refresh_token: after the access_token expires, the client uses the refresh_token to obtain a new access_token, so the user does not need to log in again and the session stays effectively continuous. Because the password grant sends the user's actual credentials to the token endpoint, that endpoint must only be exposed over HTTPS.
If the refresh_token itself has expired or been revoked, the user must log in again; this covers the case where the application has not been used for a long time and re-authorization is appropriate. A refresh_token lifetime of about one month is a common choice.
Environment:
For Laravel 5.1 installation, refer to the blog post:
oauth2-server-laravel: https://github.com/lucadegasperi/oauth2-server-laravel/wiki, an OAuth2 server package tailored for Laravel.
For installing and configuring the oauth2-server-laravel password grant, refer to the official documentation, which is clear:
Installation configuration: https://github.com/lucadegasperi/oauth2-server-laravel/wiki/Laravel-5-Installation
Use: https://github.com/lucadegasperi/oauth2-server-laravel/wiki/Implementing-an-Authorization-Server-with-the-Password-Grant
Focus of this article:
The official documentation only describes what to configure and which code to add, but does not explain how to call the resulting endpoint, which is where many newcomers get stuck.
PS: there is a typo in the official documentation:
the callback '\App\PasswordVerifier@verify' should read '\App\PasswordGrantVerifier@verify', matching the class defined later on the same page.
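The three pieces the password grant needs in a Laravel 5.1 application, wired together with the corrected callback name. This is an added example written for this page, not the package's own code or the original post's; it assumes the users table has an email column used as the OAuth username, that the token route lives in app/Http/routes.php, and the TTL values are illustrative. Each section below is a separate file and starts with its own <?php tag.

```php
// --- config/oauth2.php (only the grant_types section is shown; assumed TTLs) ---
return [
    'grant_types' => [
        'password' => [
            'class'            => '\League\OAuth2\Server\Grant\PasswordGrant',
            // Must name the class that actually exists (PasswordGrantVerifier),
            // not the "PasswordVerifier" typo from the docs, or every token
            // request fails with a class-not-found error.
            'callback'         => '\App\PasswordGrantVerifier@verify',
            'access_token_ttl' => 3600,          // 1 hour (assumed)
        ],
        'refresh_token' => [
            'class'             => '\League\OAuth2\Server\Grant\RefreshTokenGrant',
            'access_token_ttl'  => 3600,         // new access_token lifetime
            'refresh_token_ttl' => 2592000,      // 30 days (assumed)
        ],
    ],
];

// --- app/PasswordGrantVerifier.php ---
namespace App;

use Illuminate\Support\Facades\Auth;

class PasswordGrantVerifier
{
    // Called by the package with the username/password from the token request.
    // Return the user's id on success, false on failure.
    public function verify($username, $password)
    {
        $credentials = [
            'email'    => $username,   // assumes email is the login identifier
            'password' => $password,
        ];

        // Auth::once() validates credentials without starting a session,
        // which is what a stateless token endpoint wants.
        if (Auth::once($credentials)) {
            return Auth::user()->id;
        }

        return false;
    }
}

// --- app/Http/routes.php ---
// Authorizer reads grant_type and the other POST fields and dispatches to the
// matching grant (password or refresh_token), so one route serves both.
Route::post('oauth/access_token', function () {
    return Response::json(Authorizer::issueAccessToken());
});

// --- app/Http/Middleware/VerifyCsrfToken.php ---
// Laravel 5.1 applies CSRF checking to every POST. API clients have no CSRF
// token, so exclude the token endpoint or the request is rejected before the
// package ever sees it.
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    protected $except = [
        'oauth/access_token',
    ];
}
```

The verifier is the only place the application's own credential logic runs; keep it to a yes/no answer plus the user id, and leave token issuance and TTL enforcement to the package.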
Test data preparation
Before testing you need an AppID and AppSecret (the client_id and client_secret), which play the same role as the app credentials issued by a third-party platform: they identify which application is calling the backend.
To create one, add a row for the application to the oauth_clients table, for example:
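A seeder that creates such a row, as an added example (not from the original post or the package). It assumes the oauth_clients table created by the package's migration has the columns id, secret, name, created_at and updated_at; the client name is constructed test data, and the id and secret are generated rather than typed by hand so the secret is not a guessable word.

```php
<?php
// database/seeds/OAuthClientSeeder.php (added example; run with
// "php artisan db:seed --class=OAuthClientSeeder" after composer dump-autoload)

use Carbon\Carbon;
use Illuminate\Database\Seeder;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;

class OAuthClientSeeder extends Seeder
{
    public function run()
    {
        // 40 characters to fit the package's string(40) id/secret columns
        // (assumed column widths). Generated, so no human-chosen secret.
        $clientId     = Str::random(40);
        $clientSecret = Str::random(40);
        $now          = Carbon::now();

        DB::table('oauth_clients')->insert([
            'id'         => $clientId,      // this is the client_id (AppID)
            'secret'     => $clientSecret,  // this is the client_secret (AppSecret)
            'name'       => 'test-app',     // constructed test data
            'created_at' => $now,
            'updated_at' => $now,
        ]);

        // Print once so the values can be copied into the test client;
        // afterwards the secret should only live in the app's configuration.
        $this->command->info("client_id={$clientId}");
        $this->command->info("client_secret={$clientSecret}");
    }
}
```

The password grant needs no redirect URI, so no row in the companion endpoints table is required; only id and secret have to match what the client sends later.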
Simulate HTTP request
The HTTP request flow is simulated below, with the requests shown directly.
Request an access_token. Note that the client_id and client_secret parameters must match the row in oauth_clients.
After the access_token expires, send the refresh_token to obtain a new access_token together with a new refresh_token.
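Both requests from this section as a small PHP client built on the curl extension. This is an added example for this page, not code from the original post or the package; it assumes the POST /oauth/access_token route from the package documentation, an HTTPS base URL, and the placeholder credentials below, all of which are constructed. The response fields it reads (access_token, token_type, expires_in, refresh_token) are the ones the package returns for both grants.

```php
<?php
// Added example: password grant followed by refresh, against a constructed base URL.

function postToken($baseUrl, array $params)
{
    $ch = curl_init($baseUrl . '/oauth/access_token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        // Keep certificate verification on: the user's password travels in this body.
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    $json = json_decode($body, true);
    if ($status !== 200 || !isset($json['access_token'])) {
        // Errors come back as {"error": "...", "error_description": "..."};
        // a failed refresh means the refresh_token is gone and the user must log in again.
        throw new RuntimeException('token request failed (HTTP ' . $status . '): ' . $body);
    }
    return $json;
}

// Step 1: exchange the user's username/password for an access_token and refresh_token.
// client_id / client_secret must match the row in oauth_clients.
function requestAccessToken($baseUrl, $clientId, $clientSecret, $username, $password)
{
    return postToken($baseUrl, [
        'grant_type'    => 'password',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        'username'      => $username,
        'password'      => $password,
    ]);
}

// Step 2: once the access_token has expired, trade the refresh_token for a new pair.
function refreshAccessToken($baseUrl, $clientId, $clientSecret, $refreshToken)
{
    return postToken($baseUrl, [
        'grant_type'    => 'refresh_token',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        'refresh_token' => $refreshToken,
    ]);
}

// --- usage (constructed values) ---
$baseUrl      = 'https://api.example.test';
$clientId     = 'CLIENT_ID_FROM_OAUTH_CLIENTS';
$clientSecret = 'CLIENT_SECRET_FROM_OAUTH_CLIENTS';

$tokens    = requestAccessToken($baseUrl, $clientId, $clientSecret, 'user@example.test', 'user-password');
$expiresAt = time() + $tokens['expires_in'];   // remember when to refresh

// Protected resources are called with the bearer token, e.g.
// "Authorization: " . $tokens['token_type'] . ' ' . $tokens['access_token']

if (time() >= $expiresAt) {
    // The package rotates refresh tokens: the response carries a new
    // refresh_token, so persist the new one and discard the old.
    $tokens    = refreshAccessToken($baseUrl, $clientId, $clientSecret, $tokens['refresh_token']);
    $expiresAt = time() + $tokens['expires_in'];
}
```

Store only the tokens on the client, never the user's password, and treat the refresh_token with the same care as a password since it alone is enough to mint new access tokens until it expires.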