
artisan Tutorials: php artisan passport

When you run php artisan passport:install, Laravel attempts to do the following:

  1. Generate encryption keys (oauth-public.key and oauth-private.key).
  2. Publish Passport’s migrations if not already present.
  3. Run those migrations (if you choose “yes”).
  4. Create the default OAuth clients (Personal and Password).

Running php artisan passport:install is a crucial setup step when using Laravel Passport for API authentication. Here’s a full explanation of why it’s needed and what it does:


✅ Why Run php artisan passport:install?

🔧 1. Generates Encryption Keys

  • Laravel Passport uses encryption to securely issue and validate access tokens.
  • passport:install generates:
    • A private key: used to sign access tokens.
    • A public key: used to verify the tokens on future requests.

📁 These keys are stored in:

storage/oauth-private.key
storage/oauth-public.key

🔐 These keys are essential for the security of your API tokens.


🎫 2. Creates OAuth Clients

It automatically creates two default OAuth2 clients in the oauth_clients table:

a. Personal Access Client

  • Used when issuing tokens via $user->createToken('token-name').
  • Good for first-party apps or backend-only workflows.

b. Password Grant Client

  • Used for username/password login via the /oauth/token route.
  • Commonly used in mobile apps and SPAs (single-page apps).

These clients have a unique Client ID and Client Secret, which are used to obtain tokens programmatically.


🔍 What Happens Behind the Scenes?

When you run:

php artisan passport:install

Laravel does the following:

  1. Generates oauth-public.key and oauth-private.key.
  2. Creates one Personal Access Client.
  3. Creates one Password Grant Client.
  4. Stores all client data in the oauth_clients table.
  5. Outputs the client IDs and secrets in the console.

📌 When Should You Run It?

  • ✅ When setting up Laravel Passport for the first time.
  • 🔁 When you accidentally delete the keys or clients.
  • 🛠️ When migrating environments (you might need to re-run with --force).

⚠️ Tip:

If you already have keys and clients, and re-running the command causes issues, use the --force flag only if you’re resetting the environment:

php artisan passport:install --force

⚠️ Be careful: this will overwrite existing keys and may invalidate current tokens.


✅ Summary

| Action | Purpose |
|---|---|
| Generate OAuth keys | Sign and verify secure access tokens |
| Create Personal Access Client | Issue tokens using the createToken() method |
| Create Password Grant Client | Enable login via /oauth/token |
| Store keys and clients | In storage/ and the oauth_clients table |

Here’s a clear explanation of the difference between a Personal Access Client and a Password Grant Client in Laravel Passport:


🔑 1. Personal Access Client

✅ Purpose:

Used when users authenticate via a token directly, usually through first-party apps (like your own web or mobile app). Ideal for issuing long-lived personal tokens.

📌 How it works:

  • The user logs in through a traditional session (browser or API).
  • The server generates a personal access token for the user using the createToken() method: $token = $user->createToken('Token Name')->accessToken;
  • No client credentials (ID/secret) are required on the frontend.

🔐 Use Case:

  • Admin panels
  • First-party web or mobile apps
  • API testing via Postman

🔄 Token Flow:

User logs in → backend creates personal token → returns to frontend.
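The flow above, as an added example that is not code from the original post: a controller that issues a personal access token to a session-authenticated user with only the scopes the caller asks for, plus a revoke-by-id counterpart. The controller name, route, and scope names are assumptions; createToken(), tokens() and revoke() are Passport's documented API.

```php
<?php
// Added example (not code from the original post): issue a scoped personal
// access token to a user who is already logged in via session, and revoke
// a token by id. Controller name, route and scope names are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class PersonalTokenController extends Controller
{
    // Must match the scopes registered in AuthServiceProvider::boot(), e.g.
    //   Passport::tokensCan(['read-profile' => '...', 'read-orders' => '...']);
    //   Passport::personalAccessTokensExpireIn(now()->addDays(30));
    private const ALLOWED_SCOPES = ['read-profile', 'read-orders'];

    // Route (assumed): POST /settings/tokens, behind the 'auth' session middleware.
    public function store(Request $request)
    {
        $data = $request->validate([
            'name'     => 'required|string|max:100',
            'scopes'   => 'required|array|min:1',
            'scopes.*' => 'string|in:' . implode(',', self::ALLOWED_SCOPES),
        ]);

        // Least privilege: issue exactly the requested scopes, never the "*" wildcard.
        $result = $request->user()->createToken($data['name'], $data['scopes']);

        // The signed JWT is shown once. Passport stores only the token's id, name,
        // scopes and expiry in oauth_access_tokens, never the JWT itself, so the
        // id is what you keep for later revocation.
        return response()->json([
            'token_id'   => $result->token->id,
            'scopes'     => $result->token->scopes,
            'expires_at' => $result->token->expires_at,
            'token'      => $result->accessToken,
        ], 201);
    }

    // Route (assumed): DELETE /settings/tokens/{tokenId}. Marks the row revoked so
    // a leaked token stops working before its expires_at.
    public function destroy(Request $request, string $tokenId)
    {
        $request->user()->tokens()->where('id', $tokenId)->firstOrFail()->revoke();

        return response()->noContent();
    }
}
```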


🔐 2. Password Grant Client

✅ Purpose:

Used when you want the user to provide email/password via API and obtain an access token programmatically. Often used by mobile apps or single-page apps (SPA).

📌 How it works:

  • The client app sends a request to the /oauth/token endpoint:

    POST /oauth/token
    Content-Type: application/json

    {
      "grant_type": "password",
      "client_id": "8",
      "client_secret": "your-password-client-secret",
      "username": "user@example.com",
      "password": "secret",
      "scope": "*"
    }

  • If valid, Passport issues an access token.

🔐 Use Case:

  • Mobile apps logging in users
  • SPAs with direct login forms

🔄 Token Flow:

Frontend (mobile/web) sends user credentials + client credentials → gets token from /oauth/token.
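The /oauth/token exchange above, as an added example that is not code from the original post: a Laravel feature test that creates a Password Grant Client the way passport:install does, then checks both the success response and the wrong-password response. It assumes Passport 10 to 12 with the password grant enabled, a User factory, and a writable storage/ directory for the keys; the test class name and the sample password are constructed.

```php
<?php
// Added example (not code from the original post): exercise the password grant
// end to end. Assumes Laravel Passport 10-12 with the password grant enabled.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Passport\ClientRepository;
use Tests\TestCase;

class PasswordGrantTest extends TestCase
{
    use RefreshDatabase;

    public function test_password_grant_issues_and_refuses_tokens(): void
    {
        // The key half of passport:install: oauth-private.key / oauth-public.key.
        $this->artisan('passport:keys', ['--force' => true]);

        // The client half of passport:install: one Password Grant Client.
        $client = app(ClientRepository::class)
            ->createPasswordGrantClient(null, 'Test Password Client', 'http://localhost');

        $user = User::factory()->create(['password' => bcrypt('correct horse')]);

        $payload = [
            'grant_type'    => 'password',
            'client_id'     => $client->id,
            // plainSecret is only available on the freshly created model; the
            // oauth_clients row holds the hashed secret (Passport hashing on).
            'client_secret' => $client->plainSecret,
            'username'      => $user->email,
            'password'      => 'correct horse',
            'scope'         => '',   // request no scopes rather than "*"
        ];

        // Success: a Bearer access token plus a refresh token.
        $this->postJson('/oauth/token', $payload)
            ->assertOk()
            ->assertJsonStructure(['token_type', 'expires_in', 'access_token', 'refresh_token'])
            ->assertJson(['token_type' => 'Bearer']);

        // Wrong password: the OAuth server answers 400 invalid_grant, and the
        // body must not leak whether the username or the password was wrong.
        $this->postJson('/oauth/token', ['password' => 'wrong'] + $payload)
            ->assertStatus(400)
            ->assertJson(['error' => 'invalid_grant']);
    }
}
```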


✅ Summary Table

| Feature | Personal Access Client | Password Grant Client |
|---|---|---|
| Authentication | Server-side only | User credentials via API |
| Use Case | First-party web/mobile | Mobile apps / SPAs |
| Client ID/Secret Needed? | ❌ No | ✅ Yes |
| Example Method | $user->createToken() | /oauth/token endpoint with credentials |
| User Interaction | Already logged in via session | Login via email/password in the app |
| Security Consideration | Tokens created securely server-side | Password passed through API (use HTTPS) |
