Passport basically makes the OAuth2 protocol available at your fingertips without actually implementing its specifications. OAuth2 is an authorization* (courtesy of /u/_matta) protocol that allows a third-party app (such as the Uber Driver app, although in this example it isn't really a "third-party app" but you get the idea) to access a server-enabled/HTTP service (Uber servers in any country for example).

Your app should only grant a third-party app access to server resources (your database) if the request it sends you contains an access token. The way this happens is the initiating party (usually the third-party app) asks the server for permission to read an entry from a database or write one to it, such as updating a user's current geolocation. Before this can happen, that app needs to 'log in' (much like a regular user with a keyboard would, except it needs certain parameters beyond the usual username and password), granting it an access token and a refresh token that is used to re-issue the aforementioned access token once it expires. The access token is always sent with every request, but the refresh token is not.

Once this so-called login process has taken place, and the third-party app has been issued its own access token, it can start sending requests to the server, such as a GET request of /api/location?lat=13&lng=15. Along with that request, an access token is sent to confirm the requesting party is allowed to send/receive resources to and from the server. Imagine if there was no access token and anyone was allowed to send that request and find out which Uber driver is closest to those coordinates, at any time. This access token asserts that whoever is sending that request is allowed to receive a response.

These are all very rigorous standards to uphold with vanilla PHP (or even Laravel) and your own wits. So Laravel Passport makes it pretty easy to use OAuth2 with a couple of command lines. Socialite implements these standards but applies them to the process of allowing users to register an account on your app through Google, Facebook etc.

I'm currently working on an Uber clone for Android and iOS, so you can imagine how much Passport I've consumed in recent days. And it's all been an absolute joy to work with because everything is simple to understand and super easy to set up.

One tip I can't stress enough is that if you don't already, start working with Postman. It makes testing your API endpoints very easy because you just put in the URL (like the one I used above for an example), enter any optional parameters (like a Bearer token in this case), and see how your app accepts it. It can be used outside API testing as well, and will make your life as a developer a lot easier.

I'm still learning about OAuth2 as well as Passport as I go, with relative success. So I hope this comment helps you to any extent. I apologize if it's misinformative in any regard, and will correct any mistake I made in explaining this upon being informed of one. I'm open to sharing. Hope this helps and feel free to inbox me if you need anything further!

Yes, you would want to use both for your app. They each implement one half of the protocol.

OAuth is a standard for delegating authorization, which in layman's terms means letting an app (the client) access another app's (the server's) API. Usually this is done by redirecting the user to the server. They log in, then they are redirected back to the client with an access token. The client uses this token to interact with the server's API on behalf of the user.

When you use "login with Google" the site with the login button is the client and Google is the OAuth server. You get redirected to Google, log in, then get redirected back to the site you were on initially.

Before OAuth the client would ask for the user's username and password and then log in to the server as if they were the user. Social networks used to ask for your email login so they could access your contacts. Or they would ask the user to log in to the server and generate an API key and give it to the client.

OAuth doesn't actually prove the user's identity, it just proves they have access to the API (authorization, not authentication).
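Both comments above describe the same exchange: the user is redirected to the authorization server, logs in, and is sent back to the client with a code that the client trades for an access token and a refresh token; the API then refuses any request that does not carry a live bearer token, and the refresh token (which is never sent to the API) buys a new access token once the old one expires. The Python below is an added example written for this page, not code from the thread and not Laravel Passport's own implementation. It models both halves in memory so it runs offline; the client id, client secret, redirect URI, scope name, user name and token lifetimes are all hypothetical. It goes a little beyond the comments by also enforcing the checks a real authorization server makes (redirect URI must match registration, `state` is echoed back, the code is single-use, the refresh token is rotated) and by gating the endpoint on scope, which is the concrete form of "the token proves authorization, not identity":

```python
# Added example (not from the thread, nor Laravel Passport code): an in-memory model of
# the OAuth2 exchange the comments describe. All identifiers and lifetimes are hypothetical.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ACCESS_TTL = 3600  # assumed access-token lifetime in seconds
CODE_TTL = 60      # assumed authorization-code lifetime in seconds


class AuthorizationServer:
    """The OAuth 'server' half (Google in the comment): logs the user in, issues tokens."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, client_id, redirect_uri, scope, state, user, now):
        """The user was redirected here and logged in; send them back with a code."""
        if redirect_uri != self.clients[client_id]["redirect_uri"]:
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user,
                            "scope": scope, "expires": now + CODE_TTL}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def _issue(self, grant, now):
        grant = {k: grant[k] for k in ("client_id", "user", "scope")}
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = dict(grant, expires=now + ACCESS_TTL)
        self.refresh[refresh] = grant
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}

    def token(self, client_id, client_secret, now, code=None, refresh_token=None):
        """Token endpoint: a one-time code, or a refresh token, buys a new token pair."""
        if self.clients.get(client_id, {}).get("secret") != client_secret:
            raise PermissionError("invalid_client")
        if code is not None:
            grant = self.codes.pop(code, None)  # consumed on first use
            if grant is not None and grant["expires"] < now:
                grant = None
        else:
            grant = self.refresh.pop(refresh_token, None)  # rotated on every use
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        return self._issue(grant, now)

    def introspect(self, access_token, now):
        # Is this bearer token live, and to whom, for what, was it granted?
        grant = self.access.get(access_token)
        return None if grant is None or grant["expires"] < now else grant


class ResourceServer:
    def __init__(self, auth_server):
        self.auth = auth_server

    def handle(self, method, url, headers, now):
        """Return (status, body). Every request must carry a valid Bearer token."""
        value = headers.get("Authorization", "")
        if not value.startswith("Bearer "):
            return 401, {"error": "missing bearer token"}
        grant = self.auth.introspect(value[len("Bearer "):], now)
        if grant is None:
            return 401, {"error": "invalid or expired token"}
        parts = urlparse(url)
        if method == "GET" and parts.path == "/api/location":
            # The token proves what the client may do, not who typed the password.
            if "location:read" not in grant["scope"].split():
                return 403, {"error": "insufficient_scope"}
            q = parse_qs(parts.query)
            return 200, {"user": grant["user"], "lat": q["lat"][0], "lng": q["lng"][0]}
        return 404, {"error": "not found"}


def run_flow(now=None, scope="location:read"):
    """Drive the exchange end to end and return each step's result."""
    now = time.time() if now is None else now
    auth = AuthorizationServer({"rider-app": {"secret": "s3cret",
                                              "redirect_uri": "https://rider.example/cb"}})
    api = ResourceServer(auth)
    req = ("GET", "/api/location?lat=13&lng=15")
    no_token = api.handle(*req, {}, now)             # anyone could ask: refused
    state = secrets.token_urlsafe(8)
    back = auth.authorize("rider-app", "https://rider.example/cb", scope, state, "alice", now)
    params = parse_qs(urlparse(back).query)
    assert params["state"][0] == state               # client checks state before the code
    tokens = auth.token("rider-app", "s3cret", now, code=params["code"][0])
    try:                                             # the code was consumed: replay fails
        auth.token("rider-app", "s3cret", now, code=params["code"][0])
        replay = "accepted"
    except PermissionError as e:
        replay = str(e)
    bearer = {"Authorization": "Bearer " + tokens["access_token"]}
    ok = api.handle(*req, bearer, now)
    later = now + ACCESS_TTL + 1
    expired = api.handle(*req, bearer, later)        # same token, past its lifetime
    renewed = auth.token("rider-app", "s3cret", later, refresh_token=tokens["refresh_token"])
    renewed_ok = api.handle(*req, {"Authorization": "Bearer " + renewed["access_token"]}, later)
    return {"no_token": no_token, "ok": ok, "replay": replay,
            "expired": expired, "renewed_ok": renewed_ok}
```

Calling `run_flow()` walks the whole sequence: the unauthenticated request gets 401, the request with the freshly issued bearer token gets 200, replaying the authorization code is rejected with `invalid_grant`, the same bearer token gets 401 once its lifetime has passed, and the access token obtained with the refresh token gets 200 again. Calling `run_flow(scope="location:write")` shows the scope check: the user still logged in and the token is still valid, but the endpoint answers 403 because the client was never granted permission to read locations.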