Passport: Key generation for Heroku deployments

I have the exact same error. The keys are well into the storage/ folder.

Did you find a solution to this problem ?

Thank you !

You have two choices:
1- Upload the keys that you have on your local host, through removing them from the .gitignore , not a recommended solution since you will be sharing your server private keys with all the developers and you will expose your server keys to everyone.

2- Create the keys somewhere and keep them safe and deploy them on your server so only the admins have access to those keys. Recommended solution

What I did is that created keys and kept them safe in a lock with other keys and env variables for production server.

It solved the issue

The problem is when I run php artisan passport:key on bash of my server, the keys was created. But when I exit the bash of my server the keys are deleted. I think its because the .gitignore file. If you remove the *.key from .gitignore, enter the bash, remove the keys and create other ones, its work but everytime you deploy your app you will need to do this.

I have some other way to do this?

Adding this to composer.json did the trick for me:
"scripts": { "post-install-cmd": [ "php artisan clear-compiled", "php artisan optimize", "chmod -R 777 storage", "php artisan passport:keys" ], }

@Raitch have you noticed any issues with this? My concern is regenerating the keys each deploy might log out users or causing encryption issues.

@Raitch Similar to @corbanb 's question above, have you found issues with this? I don't want to store my keys in source control.

@corbanb @DanTheDJ @mabumusa1 @marcospaegle

run via terminal cli heroku ps:exec -a your_app_name then run php artisan passport:keys

reference: https://stackoverflow.com/questions/39414956/laravel-passport-key-path-oauth-public-key-does-not-exist-or-is-not-readable/39417466#comment80500810_39424499

i tried and worked

@Raitch Man thanks for that, still works on latest Laravel and Passport, fixed my issue with file permissions.

I found a solution
first remove '/storage/*.key' line from .gitignore
then run 'php artisan passport:keys --force' to regenerate keys

I tried @erlangp method and it worked for me. Thanks @erlangp

@corbanb @DanTheDJ @mabumusa1 @marcospaegle

run via terminal cli heroku ps:exec -a your_app_name then run php artisan passport:keys

reference: https://stackoverflow.com/questions/39414956/laravel-passport-key-path-oauth-public-key-does-not-exist-or-is-not-readable/39417466#comment80500810_39424499

i tried and worked

This worked!! Thanks @erlangp

@corbanb @DanTheDJ @mabumusa1 @marcospaegle
run via terminal cli heroku ps:exec -a your_app_name then run php artisan passport:keys
reference: https://stackoverflow.com/questions/39414956/laravel-passport-key-path-oauth-public-key-does-not-exist-or-is-not-readable/39417466#comment80500810_39424499
i tried and worked

This worked!! Thanks @erlangp

@dwinjnr @erlangp I tried this solution and also worked for me, but after an hour or 2 (don't know exactly), the keys are deleted, so I need to run the lines again on terminal cli. Any ideas? Did you have problems with that too?

@gtox14, I experienced the same thing. I had to add the script below to composer.json

`
"post-create-project-cmd": [
"@php artisan key:generate --ansi"
],
"post-install-cmd": [
"Illuminate\Foundation\ComposerScripts::postInstall",
"echo \"$OAUTH_PUBLIC_KEY\" > storage/oauth-public.key",
"echo \"$OAUTH_PRIVATE_KEY\" > storage/oauth-private.key"
]

`
It generates the key after composer install. The downside is that users logged on will have to log out and login again because the keys have changed.

@gtox14, I experienced the same thing. I had to add the script below to composer.json

`
"post-create-project-cmd": [
"@php artisan key:generate --ansi"
],
"post-install-cmd": [
"Illuminate\Foundation\ComposerScripts::postInstall",
"echo "$OAUTH_PUBLIC_KEY" > storage/oauth-public.key",
"echo "$OAUTH_PRIVATE_KEY" > storage/oauth-private.key"
]

`
It generates the key after composer install. The downside is that users logged on will have to log out and login again because the keys have changed.

@dwinjnr I added those lines and that generated me a failed deploy on Heroku. Any idea?

For following issue:

This issue cause when you use existing running code which has passport enable functions
First comment all passport class form config/app.php
and all dependency form AuthServiceProvider

from boot function comment all passport functions.
then run again

1. composer dump-autoload
2. php artisan key:generate
3. php artisan passport:key

@corbanb @DanTheDJ @mabumusa1 @marcospaegle

run via terminal cli heroku ps:exec -a your_app_name then run php artisan passport:keys

reference: https://stackoverflow.com/questions/39414956/laravel-passport-key-path-oauth-public-key-does-not-exist-or-is-not-readable/39417466#comment80500810_39424499

i tried and worked

Adding this to composer.json did the trick for me:
"scripts": { "post-install-cmd": [ "php artisan clear-compiled", "php artisan optimize", "chmod -R 777 storage", "php artisan passport:keys" ], }

Works fine for me, I removed the "php artisan optimize" becouse i have an error with routes. Thanks

sois un pro! Terrific

@corbanb @DanTheDJ @mabumusa1 @marcospaegle

run via terminal cli heroku ps:exec -a your_app_name then run php artisan passport:keys

reference: https://stackoverflow.com/questions/39414956/laravel-passport-key-path-oauth-public-key-does-not-exist-or-is-not-readable/39417466#comment80500810_39424499

i tried and worked

Thanks bro it works for me too!

@corbanb @DanTheDJ @mabumusa1 @marcospaegle
run via terminal cli heroku ps:exec -a your_app_name then run php artisan passport:keys
reference: https://stackoverflow.com/questions/39414956/laravel-passport-key-path-oauth-public-key-does-not-exist-or-is-not-readable/39417466#comment80500810_39424499
i tried and worked

This worked!! Thanks @erlangp

@dwinjnr @erlangp I tried this solution and also worked for me, but after an hour or 2 (don't know exactly), the keys are deleted, so I need to run the lines again on terminal cli. Any ideas? Did you have problems with that too?

exactly the same problem. any solution?

I solved this issue by using some custom artisan commands, they are now part of my project but you can grab them.

The process overview:

1. Generate oauth keys locally
2. Encrypt oauth keys with artisan command
3. Commit encrypted oauth keys.
4. Decrypt and install keys on Heroku build

https://github.com/squareborg/vendormachine-api/blob/develop/app/Console/Commands/HerokuEncryptKeys.php

https://github.com/squareborg/vendormachine-api/blob/develop/app/Console/Commands/HerokuGenerateKey.php

https://github.com/squareborg/vendormachine-api/blob/develop/app/Console/Commands/HerokuInstallKey.php

Step 1

Generate OAuth keys ( if you don't already have some )

php artisan passport:keys

Step 2

Generate an encryption key and add the OENCRYPT_KEY env

php artisan heroku:generatekey

add to your local .env and also add it to Heroku's env settings

OENCRYPT_KEY={the output of php artisan heroku:generatekey}

Step 3

Encrypt your OAuth keys and commit to VCS

php artisan heroku:encryptkeys

Commit storage/app/oauth-private.key.encrypted and storage/app/oauth-pubblic.key.encrypted

Step 4

Add post-install-cmd to composer.json

"scripts": {
        ...
        "post-install-cmd": [ "php artisan heroku:installkeys" ]
    }

DONE!

After doing all this. I got the way that I think is better, and I think it sounds good practice because It is on Laravel official site, click here.

I have same issue.
After I follow this link. It didn't resolve also.

In fact I've got these error:

remote:        Package manifest generated successfully.
remote:        26 packages you are using are looking for funding.
remote:        Use the `composer fund` command to find out more!
remote:        > php artisan clear-compiled
remote:        Compiled services and packages files removed!
remote:        > chmod -R 777 storage
remote:        > php artisan passport:keys
remote:        
remote:                                                                      
remote:          There are no commands defined in the "passport" namespace.  
remote:                                                                      
remote:        
remote:        Script php artisan passport:keys handling the post-install-cmd event returned with error code 1
remote:  !     WARNING: A post-install-cmd script terminated with an error
remote: 
remote:  !     ERROR: Dependency installation failed!
remote:  !     
remote:  !     The 'composer install' process failed with an error. The cause
remote:  !     may be the download or installation of packages, or a pre- or
remote:  !     post-install hook (e.g. a 'post-install-cmd' item in 'scripts')
remote:  !     in your 'composer.json'.
remote:  !     
remote:  !     Typical error cases are out-of-date or missing parts of code,
remote:  !     timeouts when making external connections, or memory limits.
remote:  !     
remote:  !     Check the above error output closely to determine the cause of
remote:  !     the problem, ensure the code you're pushing is functioning
remote:  !     properly, and that all local changes are committed correctly.
remote:  !     
remote:  !     For more information on builds for PHP on Heroku, refer to
remote:  !     https://devcenter.heroku.com/articles/php-support
remote:  !     
remote:  !     REMINDER: the following warnings were emitted during the build;
remote:  !     check the details above, as they may be related to this error:
remote:  !     - A post-install-cmd script terminated with an error
remote: 
remote:  !     Push rejected, failed to compile PHP app.
remote: 
remote:  !     Push failed
remote: Verifying deploy...
remote: 
remote: !   Push rejected to laravel7-crud-app.
remote: 
To https://git.heroku.com/laravel7-crud-app.git
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'https://git.heroku.com/laravel7-crud-app.git'

@hendisantika
There are no commands defined in the "passport" namespace.
i think passport service not yet loaded by laravel

@corbanb @DanTheDJ @mabumusa1 @marcospaegle
run via terminal cli heroku ps:exec -a your_app_name then run php artisan passport:keys
reference: https://stackoverflow.com/questions/39414956/laravel-passport-key-path-oauth-public-key-does-not-exist-or-is-not-readable/39417466#comment80500810_39424499
i tried and worked

This worked!! Thanks @erlangp

@dwinjnr @erlangp I tried this solution and also worked for me, but after an hour or 2 (don't know exactly), the keys are deleted, so I need to run the lines again on terminal cli. Any ideas? Did you have problems with that too?

exactly the same problem. any solution?

i am sorry.. i think the problem come because of this heroku behavior: https://help.heroku.com/K1PPS2WM/why-are-my-file-uploads-missing-deleted

@felipemeddeiros Thanks... Docs says:

php artisan vendor:publish --tag=passport-config
(available on Laravel 5.8+ https://laravel.com/docs/5.8/passport#deploying-passport)

then we can set on heroku env:

PASSPORT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
<private key here>
-----END RSA PRIVATE KEY-----"

PASSPORT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
<public key here>
-----END PUBLIC KEY-----"

I found a solution
first remove '/storage/*.key' line from .gitignore
then run 'php artisan passport:keys --force' to regenerate keys

Worked for me.. Thank you

I found a solution
first remove '/storage/*.key' line from .gitignore
then run 'php artisan passport:keys --force' to regenerate keys

Worked for me.. Thank you

This will put your security-sensitive keys into your version control unencrypted. You should only do this if you understand but still accept the risk.

@squareborg I agree, the key should not be stored in the version control

@felipemeddeiros Thanks... Docs says:

php artisan vendor:publish --tag=passport-config
(available on Laravel 5.8+)

then we can set on heroku env:

PASSPORT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
<private key here>
-----END RSA PRIVATE KEY-----"

PASSPORT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
<public key here>
-----END PUBLIC KEY-----"

I think this is the best solution as it is the proposed solution via the docs. Super easy to set up too. Just add your keys to your heroku config, run the above command, and commit the new files created to master.

2. php artisan key:generate

Thank god, It saves my life!!!!

@felipemeddeiros Thanks... Docs says:

php artisan vendor:publish --tag=passport-config
(available on Laravel 5.8+)

then we can set on heroku env:

PASSPORT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
<private key here>
-----END RSA PRIVATE KEY-----"

PASSPORT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
<public key here>
-----END PUBLIC KEY-----"

where can I obtain the private key here?
or whats is the value for PASSPORT_PRIVATE_KEY and PASSPORT_PUBLIC_KEY ?

@felipemeddeiros Thanks... Docs says:
php artisan vendor:publish --tag=passport-config
(available on Laravel 5.8+)
then we can set on heroku env:

PASSPORT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
<private key here>
-----END RSA PRIVATE KEY-----"

PASSPORT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
<public key here>
-----END PUBLIC KEY-----"

where can I obtain the private key here?
or whats is the value for PASSPORT_PRIVATE_KEY and PASSPORT_PUBLIC_KEY ?

You need to run "passport:install" to get these keys. I think "key:generate" can do as well.

@irvv17 generate locally using php artisan passport:keys

then open folder storage,
find file oauth-private.key and oauth-public.key
(open it using any text editor)

in your project folder, open terminal/cmd run:

heroku config:set PASSPORT_PRIVATE_KEY=pasteprivatekeyhere
enter
heroku config:set PASSPORT_PUBLIC_KEY=pastepublickeyhere
enter

(more about heroku config/env https://devcenter.heroku.com/articles/config-vars)

@irvv17 generate locally using php artisan passport:keys

then open folder storage,
find file oauth-private.key and oauth-public.key
(open it using any text editor)

in your project folder, open terminal/cmd run:

heroku config:set PASSPORT_PRIVATE_KEY=pasteprivatekeyhere
enter
heroku config:set PASSPORT_PUBLIC_KEY=pastepublickeyhere
enter

(more about heroku config/env https://devcenter.heroku.com/articles/config-vars)

Thank you... sorry, noob with APIS in Laravel and deploy with heroku.

hello @erlangp @irvv17 @felipemeddeiros can you'll help me with this? :)

i already follow the steps on how to generate and put the oauth key into heroku config.
when i login and type the wrong credentials obviously it gives me the 404 message i setup
but when credential is correct it gives me the ff error.

btw. the way i put the aouth key into heroku config is manually.

other heroku config key values..

Hope you'll help me bru. thanks!

@reachmesidyan I think the problem is here.
you should add environment variables in the format shown below. as mentioned in Laravel doc:

PASSPORT_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----
<private key here>
-----END RSA PRIVATE KEY-----

PASSPORT_PUBLIC_KEY=-----BEGIN PUBLIC KEY-----
<public key here>
-----END PUBLIC KEY-----

I'm having this same problem. I am a Heroku expert and I have no idea whats wrong. My gut feeling is its in the code for the rescue app I've inherited.

config/passport.php

<?php

return [

    /*
    |--------------------------------------------------------------------------
    | Encryption Keys
    |--------------------------------------------------------------------------
    |
    | Passport uses encryption keys while generating secure access tokens for
    | your application. By default, the keys are stored as local files but
    | can be set via environment variables when that is more convenient.
    |
    */

    'private_key' => env('PASSPORT_PRIVATE_KEY'),

    'public_key' => env('PASSPORT_PUBLIC_KEY'),

    /*
    |--------------------------------------------------------------------------
    | Client UUIDs
    |--------------------------------------------------------------------------
    |
    | By default, Passport uses auto-incrementing primary keys when assigning
    | IDs to clients. However, if Passport is installed using the provided
    | --uuids switch, this will be set to "true" and UUIDs will be used.
    |
    */

    'client_uuids' => false,

    /*
    |--------------------------------------------------------------------------
    | Personal Access Client
    |--------------------------------------------------------------------------
    |
    | If you enable client hashing, you should set the personal access client
    | ID and unhashed secret within your environment file. The values will
    | get used while issuing fresh personal access tokens to your users.
    |
    */

    'personal_access_client' => [
        'id' => env('PASSPORT_PERSONAL_ACCESS_CLIENT_ID'),
        'secret' => env('PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET'),
    ],

    /*
    |--------------------------------------------------------------------------
    | Passport Storage Driver
    |--------------------------------------------------------------------------
    |
    | This configuration value allows you to customize the storage options
    | for Passport, such as the database connection that should be used
    | by Passport's internal database models which store tokens, etc.
    |
    */

    'storage' => [
        'database' => [
            'connection' => env('DB_CONNECTION', 'pgsql'),
        ],
    ],

];

Environment variables load in a heroku run php artisan tinker shell

>>> env('PASSPORT_PRIVATE_KEY')
=> """
   -----BEGIN RSA PRIVATE KEY-----\n
  <big private key>
   -----END RSA PRIVATE KEY-----
   """

>>> env('PASSPORT_PUBLIC_KEY')
=> """
   -----BEGIN PUBLIC KEY-----\n
   <PUBLIC KEY>
   -----END PUBLIC KEY-----
   """

Yet, I see this in the log whenever I try to open up /graphql-playground on my server.

#34 {main} {"exception":"[object] (LogicException(code: 0): Key path \"file:///app/storage/oauth-public.key\" does not exist or is not readable at /app/vendor/league/oauth2-server/src/CryptKey.php:52)
2020-09-15T20:18:55.603066+00:00 app[web.1]: [stacktrace]

Why is it still trying to load off of the file system? I've defined the public/private keys exactly how the docs said to.

@danielricecodes what the output after run...

config('passport.private_key');
and
config('passport.public_key');

...inside tinker ?

More info: source code about how Passport get the keys from config:
https://github.com/laravel/passport/blob/4e53f1b237a9e51ac10f0b30c6ebedd68f6848ab/src/PassportServiceProvider.php#L255

This works for me, I commented the Passport::loadKeysFrom('/secret-keys/oauth');