Hi,
I'm looking to log out the user from the API. I'm using the password grant OAuth bearer token.
I'm unable to call the oauth/token/{token_id} route through the DELETE verb. I've got an Exception with no message.
After investigating, it seems to come from vendor\laravel\passport\src\RouteRegistrar::forAccessTokens(): the route is protected by the web middleware. Thus Laravel protects the route with session, cookie etc. But at this point we are stateless with a token only.
The route should have the auth middleware only instead of the web
I must misunderstand something here. Any help? Thank you
The route should have the auth middleware only instead of the web
+1
My thoughts on this:
There should be an API for managing tokens besides the web UI.
If I issue "Client Credentials Grant Token" and don't use web UI there's no way to manage such tokens right now.
Also it's not obvious how to get {token_id} to revoke a token using route oauth/token/{token_id}.
One should use a parser like $data = (new \Lcobucci\JWT\Parser())->parse($token);
As a solution:
Route oauth/token/{token_id} and others should be reachable not only through 'web' & 'auth' middlewares but with 'auth:api', 'client' too.
token_id might be optional.
And IF request DELETE oauth/token/{?token_id} is made without token_id THEN token from 'Authorization' header should be parsed and revoked.
And of course there should be a note about this in the Docs.
@bayareawebpro good for you!
But I wasn't asking for code, I'm talking about a feature request.
Because I made the same solution you did even before posting in this thread.
And I know it's simple. And have no idea why it's not in Passport yet :(
Heya, please see my answer here: https://github.com/laravel/passport/issues/839#issuecomment-429371578
Should be able to delete the token as long as the request has client id, client secret, username and password
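The stateless revocation both comments above ask for (a DELETE route reachable with only a bearer token, and the token id taken from the JWT's jti claim when only the raw token string is at hand) can be done with Passport's own repositories. The following is an added example written for this thread, not code from Passport or from any commenter; it assumes the default 'api' guard, the HasApiTokens trait on the User model, and the Lcobucci JWT 3.x parser API that Passport shipped with at the time of this thread. Revoking the matching refresh tokens is the part a logout most often misses: without it the client can silently obtain a fresh access token after "logging out".

```php
<?php
// Added example for routes/api.php (not from the issue or from Passport).
// Assumes: default 'api' guard backed by Passport, HasApiTokens on User,
// lcobucci/jwt 3.x (Parser::parse() / Token::getClaim()).

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Passport\RefreshTokenRepository;
use Laravel\Passport\TokenRepository;
use Lcobucci\JWT\Parser;

/**
 * Revoke one access token and every refresh token issued alongside it.
 * Passport keys refresh tokens by the access token id, so both tables
 * must be touched or the "logout" is only half done.
 */
function revokeAccessTokenAndRefreshTokens(string $tokenId): void
{
    app(TokenRepository::class)->revokeAccessToken($tokenId);
    app(RefreshTokenRepository::class)->revokeRefreshTokensByAccessTokenId($tokenId);
}

/**
 * Passport stores the access token id in the JWT's "jti" claim. This is the
 * value the oauth/token/{token_id} route expects, which the thread notes is
 * not obvious. Only the claim is read here; signature verification is left
 * to Passport's own guard, which already ran for auth:api routes.
 */
function accessTokenIdFromJwt(string $jwt): string
{
    return (string) (new Parser())->parse($jwt)->getClaim('jti');
}

// Stateless logout: no session, no cookie, just the Authorization header.
// $request->user()->token() is the Passport Token model for the bearer
// token that authenticated this very request.
Route::middleware('auth:api')->delete('/logout', function (Request $request) {
    revokeAccessTokenAndRefreshTokens($request->user()->token()->id);

    return response()->noContent();
});

// Variant matching the "optional token_id" proposal: revoke a specific token
// by id, but only one that belongs to the caller, so a leaked id alone cannot
// be used to log out another user.
Route::middleware('auth:api')->delete('/tokens/{token_id?}', function (Request $request, ?string $tokenId = null) {
    $tokenId = $tokenId ?? accessTokenIdFromJwt($request->bearerToken());

    $owned = $request->user()->tokens()->where('id', $tokenId)->exists();
    if (! $owned) {
        return response()->json(['error' => 'token not found'], 404);
    }

    revokeAccessTokenAndRefreshTokens($tokenId);

    return response()->noContent();
});
```

Both routes sit under auth:api only, which is the middleware the original post asked for; the ownership check on the second route is what keeps a user-supplied {token_id} from becoming a way to revoke someone else's session.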