Laravel 5.1 + OAuth2 password grant (password authorization mode)

Source: Internet
Author: User
Background Brief

This article sets out to build a general-purpose backend service environment for applications, and account verification is one of the basic parts of such an environment.

OAuth2 provides a secure authentication environment in which the access_token serves as the token for accessing protected resources. When a single application interacts with its own backend, the password grant type is the more concise choice; if you want a third-party login platform like Google, Facebook or Sina Weibo, choose the authorization code grant instead.

Reference description of the OAuth grant types: https://github.com/lucadegasperi/oauth2-server-laravel/wiki/Choosing-a-Grant

This article uses the OAuth2 password grant, which needs to be combined with a refresh_token: after the access_token expires, the application uses the refresh_token to request a new access_token without logging in again, so the user logs in once on the application side and stays logged in.

If the refresh_token is no longer valid, the user has to log in again. This corresponds to the case where the user has not used the application for a long time and needs to re-authorize. The lifetime can generally be set to one month, adjusted to actual needs.

Environment:

For installing Laravel 5.1, please refer to the blog post:

oauth2-server-laravel, an OAuth2 implementation designed for Laravel: https://github.com/lucadegasperi/oauth2-server-laravel/wiki

For installing and configuring the password grant in oauth2-server-laravel, refer to the official documentation, which is clear:

Installation and configuration: https://github.com/lucadegasperi/oauth2-server-laravel/wiki/Laravel-5-Installation

Usage: https://github.com/lucadegasperi/oauth2-server-laravel/wiki/Implementing-an-authorization-server-with-the-password-grant

This article focuses on:

The official documentation only describes how to configure the package and add the code, not how to call it, which may stop many beginners.

PS: A correction to a slip in the official documentation:

'\App\PasswordVerifier@verify' should be changed to '\App\PasswordGrantVerifier@verify' so that it is consistent with the class definition that follows.

Test data preparation

Before testing, you need an appid and appsecret so that, as on a third-party platform, the server can identify which application is requesting access.

To do this, add an application record to the oauth_clients table, for example:

Simulating HTTP requests

The HTTP request flow is simulated below and shown directly as screenshots, which should be self-explanatory.

Request authorization to obtain the access_token. Note that the client_id and client_secret parameters must match the record in oauth_clients.


After the access_token expires, use the refresh_token to obtain a new access_token and refresh_token.
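The two token requests described above, together with the re-login case from the background section, as an added Python example that is not from the original post or from oauth2-server-laravel. The endpoint URL and the names TokenClient, post_form and ReloginRequired are assumptions; the form fields are the standard OAuth2 parameters for the password and refresh_token grants.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoint: use the route your application registers for issuing tokens.
TOKEN_URL = "https://api.example.test/oauth/access_token"

class ReloginRequired(Exception):
    """The server rejected the credentials or the refresh_token."""

def post_form(url, fields):
    """Form-encoded POST; returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, urllib.parse.urlencode(fields).encode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

class TokenClient:
    def __init__(self, client_id, client_secret, post=post_form, clock=time.time):
        self.app = {"client_id": client_id, "client_secret": client_secret}
        self.post, self.clock = post, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _grant(self, **params):
        status, body = self.post(TOKEN_URL, {**self.app, **params})
        if status != 200:
            self.access_token = self.refresh_token = None  # never reuse stale tokens
            raise ReloginRequired(body.get("error", "unknown_error"))
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token")  # a new one comes with each reply
        self.expires_at = self.clock() + body["expires_in"]
        return self.access_token

    def login(self, username, password):
        """Password grant: the only request that carries the user's password."""
        return self._grant(grant_type="password", username=username, password=password)

    def token(self, skew=30):
        """Return a usable access_token, refreshing shortly before it expires."""
        if self.access_token and self.clock() < self.expires_at - skew:
            return self.access_token
        if not self.refresh_token:
            raise ReloginRequired("no_refresh_token")
        return self._grant(grant_type="refresh_token", refresh_token=self.refresh_token)
```

The application calls login() once, then token() before each API request; catching ReloginRequired is the point at which it shows the login screen again.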
