Get Password Grant Client from access token (Passport, Laravel)
I use Passport in Laravel, and after user verification I want to generate a token for them with a refresh token. To get a refresh token I have to send a cURL request with the password grant_type. After generating the access token I want to get the Password Grant Client from the database and pass it to my cURL body. I found this code snippet:
```php
$tokenId = (new Parser(new JoseEncoder()))->parse($token)->claims()->get('jti');
$client = \Laravel\Passport\Token::find($tokenId)->client;
```
The problem is that the `client` variable is a Personal Access Client, not a Password Grant Client, and because of its personal type I get this error:
```json
{
    "error": "invalid_client",
    "error_description": "Client authentication failed",
    "message": "Client authentication failed"
}
```
This is my code:
```php
use Lcobucci\JWT\Encoding\JoseEncoder;
use Lcobucci\JWT\Token\Parser;
use Illuminate\Support\Facades\Config;

// Personal access token issued for the verified user
$token = $user->createToken(Config::get('auth.guards.api.token_name'))->accessToken;
// Read the token id (jti claim) and load the client that issued it
$tokenId = (new Parser(new JoseEncoder()))->parse($token)->claims()->get('jti');
$client = \Laravel\Passport\Token::find($tokenId)->client;

$http = new \GuzzleHttp\Client();
try {
    $response = $http->request('POST', url("/oauth/token"), [
        'form_params' => [
            'grant_type'    => 'password',
            'client_id'     => $client->id,
            'client_secret' => $client->secret,
            'username'      => $username,
            'password'      => $password,
            'scope'         => '*',
        ],
    ]);
} catch (\Exception $exception) {
    // Log the failure instead of silently swallowing it
    report($exception);
}
```
How can I deal with this?
Solution 1:[1]
To obtain the client_id and client_secret for the Password Grant Client you need to run the following command on your authorization server (OAuth server), as stated here: https://laravel.com/docs/9.x/passport#creating-a-password-grant-client
```shell
php artisan passport:client --password
```
You do not need to run the above command if you already ran `passport:install`. The easiest way to check is to look at your `oauth_clients` table: in the `password_client` column there should be a row that has this value set to 1 (enabled).
It seems from your question that you are trying to obtain the client_id and client_secret programmatically from your client. This is not the correct way of doing it.
Basically, after you run the above command to generate your client_id and client_secret, you need to hard-code them in your `.env` and use them in your cURL request, such as:
```php
$response = Http::asForm()->post('http://passport-app.test/oauth/token', [
    'grant_type'    => 'password',
    'client_id'     => env('OAUTH_CLIENT_ID'),
    'client_secret' => env('OAUTH_CLIENT_SECRET'),
    'username'      => $username,
    'password'      => $password,
    'scope'         => '*',
]);
return $response->json();
```
You can obtain your client_id and client_secret from the `oauth_clients` table. Just make sure to copy the values from the row where the `password_client` column is set to 1.
There should not be any security concern if your client is storing these credentials in the backend and doing the cURL request from the backend.
In case you are trying to do this from a mobile app, you might not have a way to securely store the client_id and client_secret. In that case you should not use the Password Grant Client flow but instead the Authorization Code Grant with PKCE: https://laravel.com/docs/9.x/passport#code-grant-pkce
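As an added example (not code from the question or the answer), the approach above wrapped in a service class: the password grant credentials come from config (so `config:cache` keeps working), the configured client is verified to be an active password grant client before use, and OAuth errors are surfaced instead of swallowed. The config key names `services.passport.client_id` / `services.passport.client_secret` and the class name are assumptions.

```php
<?php
// Assumes Laravel 9 with Passport installed and a password grant client
// created via `php artisan passport:client --password`.
// Assumed config/services.php entry:
//   'passport' => [
//       'client_id'     => env('PASSPORT_PASSWORD_CLIENT_ID'),
//       'client_secret' => env('PASSPORT_PASSWORD_CLIENT_SECRET'),
//   ],

namespace App\Services;

use Illuminate\Support\Facades\Http;
use Laravel\Passport\Client;
use RuntimeException;

class PasswordGrantTokenIssuer
{
    // Exchange username/password for an access + refresh token pair
    // using the configured password grant client.
    public function issue(string $username, string $password): array
    {
        $clientId = config('services.passport.client_id');
        $secret   = config('services.passport.client_secret');

        // Guard against the mistake from the question: the configured id must
        // point at an active password grant client, not a personal access client.
        $client = Client::find($clientId);
        if ($client === null || $client->revoked || ! $client->password_client) {
            throw new RuntimeException('Configured OAuth client is not an active password grant client.');
        }

        $response = Http::asForm()->post(url('/oauth/token'), [
            'grant_type'    => 'password',
            'client_id'     => $clientId,
            'client_secret' => $secret,
            'username'      => $username,
            'password'      => $password,
            'scope'         => '*',
        ]);

        if ($response->failed()) {
            // Report the OAuth error (invalid_client, invalid_grant, ...) rather than hiding it.
            throw new RuntimeException('Token request failed: '
                .$response->json('error_description', $response->body()));
        }

        // token_type, expires_in, access_token, refresh_token
        return $response->json();
    }
}
```

If `Passport::hashClientSecrets()` is enabled, the secret in `oauth_clients` is a hash and cannot be copied from the table; it is shown once when the client is created and must be stored in `.env` at that point.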
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Bernard Wiesner |
