I am trying to authorize my first-party mobile app to access my API (without username/password). So what I did is (correct me if I'm wrong): from my mobile app, I request a token with grant_type: client_credentials:
POST http://my.url/api/oauth/token
{
    "grant_type": "client_credentials",
    "client_id": 8,
    "client_secret": "XXNKXXqJjfzG8XXSvXX1Q4pxxnkXmp8tT8TXXKXX",
    "redirect_uri": "",
    "scope": "*"
}
Then I got this response:
{
    "token_type": "Bearer",
    "expires_in": 31536000,
    "access_token": "someverylongrandomtokentext.anotherRandomcharacterhere"
}
Then, in the future, my mobile app will use the headers below to consume my API:
Authorization: Bearer someverylongrandomtokentext.anotherRandomcharacterhere
Accept: application/json
Content-Type: application/json
Passport has:
Route::group(['middleware' => 'auth:api'], function () {
    // protected API routes go here
});
to protect the API, but that API, based on my understanding, will validate with username and password (which in my case I don't have). So it looks like I have to build my own custom middleware to protect my route based on the bearer token.
Questions:
- How do I validate the bearer token that is given?
- I realize that the token has an expiry date, so where is the refresh token?
*Just some background if you are wondering why there is no username/password: because this is the first step of my mobile app accessing my API, I need to ensure that this is really my app; afterwards, I will use social login to get the user.
via Chebli Mohamed
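An added example (not code from the original post, and not copied from the Passport project) showing how Passport's bundled client-credentials middleware can guard these routes instead of the auth:api guard, which needs a user that a client_credentials token does not carry. It assumes a Laravel app with app/Http/Kernel.php and routes/api.php; the alias name follows the Passport docs, and the route path is a placeholder.

```php
<?php
// Added example: validating a client_credentials bearer token with Passport.
//
// A token from grant_type=client_credentials identifies the client (the app),
// not a user. The auth:api guard tries to resolve a user and therefore
// rejects such a token. Passport ships a middleware for this case:
// Laravel\Passport\Http\Middleware\CheckClientCredentials. It checks the
// bearer token's signature, expiry and revocation state (and any required
// scopes) against the OAuth tables, so no custom middleware is needed.
//
// No refresh token is issued for this grant (RFC 6749 section 4.4.3): when
// expires_in elapses, the app simply requests a new token the same way.
//
// Assumption: app/Http/Kernel.php holds the route middleware list (older
// Laravel layout); routes live in routes/api.php; "/bootstrap" is a placeholder.

// --- app/Http/Kernel.php ------------------------------------------------
use Laravel\Passport\Http\Middleware\CheckClientCredentials;

protected $routeMiddleware = [
    // ... existing aliases ...
    'client' => CheckClientCredentials::class,
];

// --- routes/api.php -------------------------------------------------------
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Same shape as the auth:api group, but accepting client-credentials tokens.
// A missing, expired or revoked token is answered with 401. To additionally
// require a scope, use 'client:some-scope' (the token issued with "*" passes).
Route::group(['middleware' => 'client'], function () {
    Route::get('/bootstrap', function (Request $request) {
        // Reached only when the bearer token validated as a live client token.
        return response()->json(['ok' => true]);
    });
});
```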