Passport: Why does an auth code client require a user id?

Created on 10 Jan 2018 · 7Comments · Source: laravel/passport

I might be completely misunderstanding but I don't see why an auth code client requires a user id? (when created through ./artisan oauth:client

I understand the auth code and then access tokens should be tied to a user, but it doesn't make sense to tie client to the user.

(Related: Why isn't a personal access client tied to a user?)

Source

rjmackay

👍1

Most helpful comment

I use custom code to enter entries to oauth_clients and leave user_id null. I realize this is not an answer to your question, but just in case you were getting stuck somewhere I thought I would mention it.

hfmikep on 12 Jan 2018

👍2

All 7 comments

hfmikep on 12 Jan 2018

👍2

@rjmackay I think it's only to trace who made that key and also allow only that person to edit its name and its callback url

NastuzziSamy on 21 Mar 2018

👍1

@hfmikep I'm doing similar. However this seems like something I shouldn't have to workaround.

rjmackay on 22 Mar 2018

👍1

Because by default, oauth clients are associated with users who created them so they can use them for their 3rd party apps. If you just want an oauth client for one of your 1st party apps (like your mobile app) you can use, for example, password grant clients: https://laravel.com/docs/5.7/passport#password-grant-tokens

driesvints on 16 Oct 2018

Hi team, I'd just like to say that now that password and implicit grants are considered legacy, and recommend using auth code grant with PKCE instead, I had the same confusion as this issue highlights.

Recommending password grant instead is likely not to be a solution for much longer, if at all now.