Laravel development: How to implement API authentication using Laravel Passport and JWT?

Laravel Development: How to implement API authentication using Laravel Passport and JWT?

API (Application Programming Interface) authentication is a common requirement in today's Internet applications. As a popular PHP framework, Laravel provides two tools, Laravel Passport and JWT (JSON Web Tokens), which can help us implement API authentication.

This article will introduce how to use Laravel Passport and JWT to implement API authentication. In the following content, we will understand the basic concepts of these two tools and how to configure and use them in Laravel applications.

What is Laravel Passport?

Laravel Passport is an OAuth2 server specially developed for the Laravel framework, which can help us build API authentication systems quickly and securely. Passport provides a set of APIs to perform the authentication process, and has internally implemented a series of authentication methods specified by the OAuth2 protocol.

Among them, OAuth2 is a standard protocol that uses proxy authorization. Proxy authorization is an authorization mechanism for obtaining access to resources on behalf of a user. The OAuth2 protocol issues "access tokens" to third-party applications to access protected resources on behalf of the user. Therefore, Passport actually plays the role of OAuth2 authentication server in Laravel applications.

What is JWT?

JWT (JSON Web Tokens) is an open standard (RFC 7519) for authentication and authorization in distributed network environments. JWT is commonly used to pass authenticated user identity information and claims between clients and servers. JWT consists of three parts: header, payload and signature.

Usually, the header contains the type of JWT and the encryption algorithm used, the payload contains user identity information and claims, and the signature is used to verify the authenticity of the JWT. When using JWT for authentication, the server determines the user's identity by decrypting the information in the JWT, thereby achieving API authentication.

Configuring Laravel Passport and JWT

Before using Laravel Passport and JWT for API authentication, we need to configure it in the Laravel application first. The following are the specific configuration steps:

Step 1: Install Laravel Passport and tymon/jwt-auth

Use composer to install Laravel Passport and tymon/jwt-auth in the command line tool:

composer require laravel/passport
composer require tymon/jwt-auth

Step 2: Configure Laravel Passport

In the config/app.php file, add the following service provider:

'providers' => [
    ...
    LaravelPassportPassportServiceProvider::class,
],

Then, run the following command to create the Passport data table:

php artisan migrate

For Passport’s default authentication method “Password Grant”, we add “PassportHasApiTokens” (Passport’s default user authentication Trait) to the User model. Open the User.php file and add the following content:

use LaravelPassportHasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens, Notifiable;
    ...
}

Step 3: Configure JWT

First, in the config/app.php file, add JWTServiceProvider:

'providers' => [
    ...
    TymonJWTAuthProvidersLaravelServiceProvider::class,
],

Then , run the following command to generate the secret key required for JWT:

php artisan jwt:secret

In the config/auth.php file, add the jwt guard configuration (use jwt as the guard guard option), and set the default authentication driver Set to "jwt":

'guards' => [
    ...
    'jwt' => [
        'driver' => 'jwt',
        'provider' => 'users'
    ],
],
...
'defaults' => [
    'guard' => 'jwt',
    ...
],

In the config/auth.php file, add the JWT user provider users configuration (instructing to use the Eloquent model):

'providers' => [
    ...
    'users' => [
        'driver' => 'eloquent',
        'model' => AppModelsUser::class
    ]
],

Use Laravel Passport and JWT API Authentication

After the preparation work is completed, we can happily implement API authentication using Laravel Passport and JWT. The following is the specific operation process:

Step 1: Register API routing

First, register the API routing in the routes/api.php file. For example, we define a GET route for obtaining user information:

Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
});

Laravel's middleware auth:api is used here, which will ensure that requests from authenticated users can pass. With routing middleware, we add this step of authentication to the route.

Step 2: Create an access token

Users need an access token to access the API. We need to use password authorization access token. The specific implementation steps are as follows:

You need to first define a route to receive the user name and password provided by the user:

Route::post('/login', function (Request $request) {
    $http = new GuzzleHttpClient;

    $response = $http->post('http://your-app.com/oauth/token', [
        'form_params' => [
            'grant_type' => 'password',
            'client_id' => 'client-id',
            'client_secret' => 'client-secret',
            'username' => $request->username,
            'password' => $request->password,
            'scope' => '',
        ],
    ]);

    return json_decode((string) $response->getBody(), true);
});

In the above code, we use GuzzleHttp The client sends a POST request to obtain the access token. Among them, grant_type must be "password", client_id and client_secret respectively correspond to the ID and Secret applied in Laravel Passport. After the request is successful, a JSON response will be returned containing the user's access token access_token to access the API.

Step 3: Initiate API request

We can use the obtained token access_token to send a request to the API, verify the user's identity, and obtain protected resources. When making a request to the API, you must add the Authorization key-value pair in the header, whose value is "Bearer access_token". For example:

$accessToken = 'your-access-token';
$response = $http->withHeaders([
    'Authorization' => 'Bearer ' . $accessToken
])->get('http://your-app.com/api/user');

If the request is successful, the API will return user information.

Conclusion

In Laravel applications, Laravel Passport provides a powerful OAuth2 authentication protocol and API authentication function, and JWT is a safe and convenient authentication method. In actual development, we can use Laravel Passport and JWT in combination to improve the security and reliability of the API and protect user data from being stolen or tampered with by malicious attackers.

The above is the detailed content of Laravel development: How to implement API authentication using Laravel Passport and JWT?. For more information, please follow other related articles on the PHP Chinese website!