Hi,
Each time the user is redirected to oauth/authorize it shows the authorization form, even if the user previously approved the authorization.

Shouldn't it ask the user only once? Or am I missing something?
Thank you.
Duplicate of https://github.com/laravel/passport/issues/16
Hi guys,
I'm not really good at making PRs or something, but I could trace down the code where we would need to insert something. Maybe it's useful and somebody can make it nicer.
File: /src/Http/Controllers/AuthorizationController.php

```php
public function authorize(ServerRequestInterface $psrRequest,
                          Request $request,
                          ClientRepository $clients)
{
    return $this->withErrorHandling(function () use ($psrRequest, $request, $clients) {
        $request->session()->put(
            'authRequest', $authRequest = $this->server->validateAuthorizationRequest($psrRequest)
        );

        // Debug probe: look for an existing token for this user/client pair.
        // Token is Laravel\Passport\Token. This only checks that a row exists;
        // it does not compare scopes or look at the revoked/expires_at columns.
        \DB::enableQueryLog();
        if ($authorized = Token::where('user_id', $request->user()->id)
                ->where('client_id', $authRequest->getClient()->getIdentifier())
                ->first()) {
            dd('authorized');
        } else {
            dd(\DB::getQueryLog());
        }

        $scopes = $this->parseScopes($authRequest);

        return $this->response->view('passport::authorize', [
            'client' => $clients->find($authRequest->getClient()->getIdentifier()),
            'user' => $request->user(),
            'scopes' => $scopes,
            'request' => $request,
        ]);
    });
}
```
@taylorotwell can you take a look at this?
I'm stuck with same thing. The users have to authorize the app all the time...
The authorize method in /vendor/laravel/passport/src/Http/Controllers/AuthorizationController.php should check if the current user has already authorized before sending to the authorize view... Yes?
Ping @taylorotwell
@geodeveloper @danieljwestman Not really, essentially the client requests a new authorisation. New authorisations should be verified because the scopes could change.
To prevent this behaviour the client should store the access_token and refresh_token. This way you only need to reauthorise when the token has expired.
Using the refresh_token you could extend the lifetime/replace of the access_token. By default passport issues long lived access_tokens removing the direct need to keep refreshing the token. Refer to Token lifetimes for more information.
Some implementations notify the user the authorisation hasn't changed, for example Facebook does this. They also notify the user when the APP starts requesting more information since the last authorisation. But they keep informing the user they are sharing information with a third party client.
Long story short, I don't think Passport is missing something to support the basics of OAuth2. Not asking the user to authorise again should be handled in the application if you would ask me.
@kevindierkx that makes sense and I totally agree that we can use the access_token for further requests or the refresh_token to renew the access_token. But some oAuth providers like Twitter (oAuth1) or Google (oAuth2) don't ask each time a client requests authorization, so I end up with this being a feature of provider choice. In that case, it would be nice to have this feature and be able to configure it as enabled/disabled.
Anyways, you are right that this is not a requirement of oAuth basics but it would be a plus.
Thanks for your reply 😉.
Can we use the original issue please?
I'm gonna close this issue as per @jbrooksuk's request since this is a duplicate of #16.
Hi @kevindierkx, back to this issue, I think we still have a problem. What if my app depends on the oAuth server to authenticate users (like "Login with Passport")? I couldn't use the access_token since the user is a guest. Then I would have to redirect users to the oAuth server (and they are asked each time to approve/deny the request).
@geodeveloper Correct, at that point the client lost its authorization and is forced to request a new one. It's up to the application to register previous authorizations or use previous authorizations to compare the authorization request and display the authorization form.
For example Facebook displays a message telling the user they just authenticated with a 'known' app. The message is altered when the client requests different 'authorizations' (ie. scopes) since last time and therefore the user needs to re-authorize the client. This is done to prevent applications 'secretly' changing their access rights to the user's profile information.
In your use case you could skip the whole 'hey you authenticated with a known app' part and just redirect with an authorization_code.
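The two comments above by @kevindierkx describe the rule an application would apply if it wants to remember earlier approvals: skip the form only when the user still holds a live, non-revoked grant for the same client, and send the user back through the consent screen whenever the client asks for a scope it was not approved for before. The following is an added example, not Laravel Passport's own code, written as plain PHP so it runs without the framework. It assumes prior grants are rows shaped like Passport's oauth_access_tokens table (user_id, client_id, scopes, revoked, expires_at); the $priorTokens array is constructed sample data and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not Passport's code): decide whether an authorization
// request may bypass the consent form, based on previously issued grants.
// $priorTokens mimics Passport's oauth_access_tokens rows (constructed data).

/**
 * True only when the user holds a live, non-revoked token for this client
 * whose approved scopes cover every requested scope. Any scope the user
 * never approved forces the consent form again, so a client cannot widen
 * its access silently.
 */
function canSkipConsent(
    int $userId,
    string $clientId,
    array $requestedScopes,
    array $priorTokens,
    DateTimeImmutable $now
): bool {
    foreach ($priorTokens as $token) {
        if ($token['user_id'] !== $userId || (string) $token['client_id'] !== $clientId) {
            continue; // belongs to another user or client
        }
        if ($token['revoked']) {
            continue; // the grant was withdrawn
        }
        if ($token['expires_at'] !== null
            && new DateTimeImmutable($token['expires_at']) <= $now) {
            continue; // the grant lapsed; ask again
        }
        // Requested scopes must be a subset of what was approved last time.
        if (array_diff($requestedScopes, $token['scopes']) === []) {
            return true;
        }
    }
    return false;
}

/** Scopes in the new request that this client was never approved for. */
function newlyRequestedScopes(array $requestedScopes, array $priorTokens, int $userId, string $clientId): array
{
    $approved = [];
    foreach ($priorTokens as $token) {
        if ($token['user_id'] === $userId
            && (string) $token['client_id'] === $clientId
            && !$token['revoked']) {
            $approved = array_merge($approved, $token['scopes']);
        }
    }
    return array_values(array_diff($requestedScopes, array_unique($approved)));
}

// Constructed sample grants: user 7 approved client 3 for read+write,
// and once approved client 9 for read, but that grant is revoked.
$priorTokens = [
    ['user_id' => 7, 'client_id' => 3, 'scopes' => ['read', 'write'],
     'revoked' => false, 'expires_at' => '2030-01-01 00:00:00'],
    ['user_id' => 7, 'client_id' => 9, 'scopes' => ['read'],
     'revoked' => true,  'expires_at' => '2030-01-01 00:00:00'],
];
$now = new DateTimeImmutable('2024-06-01 12:00:00');

$cases = [
    'same scopes again'    => ['3', ['read', 'write']],
    'subset of scopes'     => ['3', ['read']],
    'asks for a new scope' => ['3', ['read', 'write', 'delete']],
    'revoked grant'        => ['9', ['read']],
    'never authorized'     => ['5', ['read']],
];

foreach ($cases as $label => [$clientId, $scopes]) {
    $skip  = canSkipConsent(7, $clientId, $scopes, $priorTokens, $now);
    $extra = newlyRequestedScopes($scopes, $priorTokens, 7, $clientId);
    printf("%-22s -> %s%s\n", $label,
        $skip ? 'skip consent form' : 'show consent form',
        $extra ? ' (new scopes: ' . implode(', ', $extra) . ')' : '');
}
```

Only the first two cases skip the form; the "asks for a new scope" case shows it again and names `delete` as the scope that changed, which is the message-altering behaviour described for Facebook. Inside a Passport controller, a true result would be handled the way Passport's own ApproveAuthorizationController handles an approval (set the user on the request, mark it approved, and call completeAuthorizationRequest) instead of rendering the passport::authorize view; the exact wiring into the controller is left to the application and is not shown here.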
@kevindierkx, right, but this means I need to override the Passport functionality. The idea is to have this feature implemented in Laravel Passport, which I think could be useful in such scenarios. And this could be configured from the config file to enable/disable this feature.
Thanks for your reply.
Was the feature implemented? How can I auth user to my app (no user table) with passport auth2 server? Any further information on this will be helpful.
Anyone who stumbled upon this page, use this code for this feature https://paste.laravel.io/6LN6q