I’m building a first-party SPA with VueJS which makes requests to a Laravel back-end. The application includes user registration and login, so I’m trying to use OAuth with Passport using Password Grant Tokens to authenticate users.
Here’s my current login flow:
the user enters his email/password on the SPA’s login form
a POST request is sent to a /api/login route I created. This route calls a Laravel Controller I also created, which sends a POST request (with Guzzle) to /oauth/token with my client_id and client_secret to get an access token. If the user is recognized, the route returns the access_token to the SPA.
The authenticated user can make calls to my protected API routes from the SPA; it works. Each request sends the access_token in a "Bearer …" Authorization header.
But I have a few questions because this whole OAuth thing remains a little blurry to me…
First, is the previous workflow correct and safe?
I’m not using the LoginController included in Laravel. So when the user logs in through my flow, he gets an access token and is able to access API routes through the auth:api middleware, but he is not authenticated like he would be in a standard Laravel web application (when I test Auth::check(), I get 'false'). Is that OK? Or should I also log the recognized user in through the standard auth at the same time as generating an access_token?
For now, I’m not using refresh_tokens at all… I don’t see what the correct way to deal with that is in my case. Do I have to pass the refresh_token to my SPA along with the access_token and do something with it? For now I kept the long-lived config for my tokens provided by default, and the Laravel doc says that they "never need to be refreshed"…
Why are access_tokens and refresh_tokens marked as "revoked" in the database and not just deleted? If they’re not deleted, the tables may become very large after some time if the app has many users. Do I need to set up some maintenance tasks to delete expired or revoked tokens?
Last question: I installed in my SPA the Passport Vue components provided by Laravel, just to see if this can be useful to me. They send requests to these routes: /oauth/clients, /oauth/tokens, /oauth/personal-access-tokens and /oauth/scopes. But all are returning 401 errors (Unauthorized). The access_token is nevertheless in each request header. Why do these requests fail whereas my custom API requests work fine?
I hope I will get clear answers and that it will help anyone who is trying to understand Passport!
Thank you!
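The login proxy described in the post, written out as an added example (not code from the original post or from Laravel Passport itself). It keeps the same shape as the flow above: the SPA posts credentials to /api/login, the controller forwards them to Passport's /oauth/token with the password grant, and client_secret never leaves the server. It adds the two pieces the post asks about: a /api/refresh route that uses the refresh_token (kept in an HttpOnly cookie scoped to /api rather than handed to page scripts) and a /api/logout route that marks the access token and its refresh token as revoked. The config keys services.passport.client_id and services.passport.client_secret are hypothetical names chosen for this example; the oauth_refresh_tokens table and its access_token_id/revoked columns are Passport's default schema. For context on the last question: Passport registers /oauth/clients, /oauth/tokens, /oauth/personal-access-tokens and /oauth/scopes behind the web and auth middleware, i.e. they expect a logged-in session (which is why Auth::check() returning false goes with the 401s), not a Bearer token, so they are not reachable through the token-only flow below.

```php
<?php
// Added example, not from the original post. Assumes a Laravel app with Passport
// installed, the password grant client configured, and the "auth:api" guard set up.
// services.passport.client_id / client_secret are hypothetical config keys.

namespace App\Http\Controllers;

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class AuthTokenController extends Controller
{
    // Forwards a grant request to Passport's /oauth/token. client_secret is added
    // here, server-side, so the SPA never sees it. Returns null on any failure
    // so the caller answers with a generic 401 instead of leaking Passport's error body.
    private function requestToken(array $params)
    {
        $http = new Client();
        try {
            $response = $http->post(url('/oauth/token'), [
                'form_params' => array_merge($params, [
                    'client_id'     => config('services.passport.client_id'),
                    'client_secret' => config('services.passport.client_secret'),
                    'scope'         => '',
                ]),
            ]);
        } catch (RequestException $e) {
            return null;
        }
        return json_decode((string) $response->getBody(), true);
    }

    // access_token and expires_in go to the SPA (hold them in memory, not localStorage);
    // refresh_token is stored in an HttpOnly, Secure, SameSite=Strict cookie limited to
    // the /api path, so page scripts cannot read it and cross-site pages cannot send it.
    private function tokenResponse(array $token)
    {
        $thirtyDays = 60 * 24 * 30; // cookie lifetime in minutes; align with Passport::refreshTokensExpireIn()
        return response()->json([
            'access_token' => $token['access_token'],
            'expires_in'   => $token['expires_in'],
        ])->cookie('refresh_token', $token['refresh_token'], $thirtyDays, '/api', null, true, true, false, 'Strict');
    }

    // POST /api/login (register the route with the throttle middleware, e.g. throttle:5,1,
    // so credential guessing against the proxy is rate-limited).
    public function login(Request $request)
    {
        $data = $request->validate(['email' => 'required|email', 'password' => 'required']);
        $token = $this->requestToken([
            'grant_type' => 'password',
            'username'   => $data['email'],
            'password'   => $data['password'],
        ]);
        if (!$token) {
            return response()->json(['message' => 'Invalid credentials'], 401);
        }
        return $this->tokenResponse($token);
    }

    // POST /api/refresh: exchanges the cookie-held refresh_token for a new pair.
    // Passport revokes the old refresh token when it issues the new one.
    public function refresh(Request $request)
    {
        $refresh = $request->cookie('refresh_token');
        $token = $refresh ? $this->requestToken(['grant_type' => 'refresh_token', 'refresh_token' => $refresh]) : null;
        if (!$token) {
            return response()->json(['message' => 'Unauthenticated'], 401)
                ->withCookie(cookie()->forget('refresh_token', '/api'));
        }
        return $this->tokenResponse($token);
    }

    // POST /api/logout, behind auth:api: mark the presented access token and its
    // refresh token as revoked (Passport's own behaviour is to flag rows, not delete them,
    // which keeps a record of what was issued; deleting old rows is a separate cleanup job).
    public function logout(Request $request)
    {
        $accessToken = $request->user()->token();
        $accessToken->revoke();
        DB::table('oauth_refresh_tokens')
            ->where('access_token_id', $accessToken->id)
            ->update(['revoked' => true]);
        return response()->json(['message' => 'Logged out'])
            ->withCookie(cookie()->forget('refresh_token', '/api'));
    }
}
```

Because the api middleware group does not include EncryptCookies, the cookie is written and read as a plain value on these routes; the HttpOnly and Secure flags, the /api path and SameSite=Strict are what keep it out of reach of scripts and cross-site requests. With this split, the short-lived access_token can be given a short expiry (Passport::tokensExpireIn() in AuthServiceProvider) instead of the default long-lived tokens, and the SPA calls /api/refresh when it receives a 401.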