Laravel Passport Deep Dive: Build OAuth2 APIs Like a Silicon Valley Pro

OAuth2 can feel like a maze of flows, tokens, and jargon. Laravel Passport simplifies it all—giving you a full OAuth2 server implementation with elegant Laravel syntax. Whether you’re building a mobile API, a multi-tenant SaaS, or a secure SPA, Passport has you covered.

Let’s break it down.


🧠 What Is Laravel Passport?

Laravel Passport is an official Laravel package that provides a complete OAuth2 server implementation. It’s built on top of the League OAuth2 server and integrates seamlessly with Laravel’s authentication system.

Key features:

  • Full OAuth2 support (Authorization Code, Password, Client Credentials, Personal Access Tokens)
  • Token scopes and expiration
  • Middleware-based route protection
  • Easy integration with Laravel’s user model

🛠️ Installation & Setup

composer require laravel/passport
php artisan migrate
php artisan passport:install

This generates encryption keys and creates the necessary tables for clients and tokens.

In AuthServiceProvider:

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        // Registers Passport's /oauth/* endpoints (authorize, token, clients)
        Passport::routes();
    }
}

In config/auth.php, set the driver to passport:

'guards' => [
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],

🔑 Grant Types Explained

1. Authorization Code Grant (with PKCE)

Best for SPAs and mobile apps. Secure and recommended.

php artisan passport:client --public

Use the client ID in your frontend to request tokens.
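The PKCE half of that flow, as an added example (not code from the article or from Passport itself): the client creates a code_verifier, sends only its S256 challenge to Passport's /oauth/authorize, and presents the verifier when it exchanges the code at /oauth/token. The server URL, client id and redirect URI are placeholders, and server_side_check only models the comparison the authorization server performs when it validates the verifier.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholders (assumed values, not from the article)
PASSPORT_URL = "https://api.example.test"
CLIENT_ID = "PUBLIC-CLIENT-ID"  # id printed by `passport:client --public`
REDIRECT_URI = "https://spa.example.test/callback"

def b64url(raw: bytes) -> str:
    # RFC 7636 requires unpadded base64url encoding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes -> 43 chars, inside RFC 7636's 43..128 length window
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(verifier: str, state: str, scope: str = "") -> str:
    # Step 1: redirect the browser here; the verifier itself never leaves the client
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{PASSPORT_URL}/oauth/authorize?{urlencode(params)}"

def build_token_request(code: str, verifier: str) -> dict:
    # Step 2: form body for POST /oauth/token; a public client sends no client_secret
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "code": code,
    }

def server_side_check(stored_challenge: str, presented_verifier: str) -> bool:
    # Models the server's validation: an intercepted code is useless without the verifier
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))
```

The challenge function reproduces the RFC 7636 Appendix B test vector, so it can be checked against any other PKCE implementation.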


2. Password Grant

Used when the app collects user credentials directly (e.g., mobile apps).

php artisan passport:client --password

Then request a token via:

POST /oauth/token
Content-Type: application/json

{
  "grant_type": "password",
  "client_id": "...",
  "client_secret": "...",
  "username": "...",
  "password": "...",
  "scope": ""
}

3. Client Credentials Grant

Used for machine-to-machine communication. No user context.

php artisan passport:client --client

4. Personal Access Tokens

Great for developer APIs or admin dashboards.

// Issues a personal access token; the plain-text token is only available at creation time
$token = $user->createToken('MyApp')->accessToken;

🧩 Protecting Routes with Middleware

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Only requests carrying a valid Passport access token reach this closure
Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
});

Use scopes for fine-grained access:

Route::middleware(['auth:api', 'scopes:read-posts'])->get('/posts', ...);

🔐 Token Management

  • Expiration: Customize with Passport::tokensExpireIn(now()->addDays(15));
  • Revocation: Use POST /oauth/revoke
  • Refresh Tokens: Supported via grant_type: refresh_token

🧪 Testing OAuth2 Flows

Use Laravel’s HTTP client or tools like Postman to simulate token requests and protected endpoints. For SPAs, integrate with Axios or fetch and attach the bearer token.


🧠 Passport vs Sanctum

  • Passport: Full OAuth2, ideal for third-party apps, mobile clients, and multi-tenant APIs
  • Sanctum: Simpler token-based auth, ideal for SPAs and first-party apps

Use Passport when you need OAuth2 grants, scopes, and external client support.


✅ Final Thoughts

Laravel Passport turns OAuth2 complexity into Laravel simplicity. With proper grant selection, token management, and route protection, you can build secure APIs that scale across platforms.
