Implementing - Centralized Auth - JWT and OPENID

RajeshKumar1

Of course. This is a practical and powerful setup. Here is a detailed, step-by-step guide to implement a simplified version of this architecture on your local machine using Laravel and XAMPP.

We will create two separate Laravel applications:

AuthServer: This will be our centralized authentication server (auth.myhospitalnow.local). It will run Laravel Passport.
PatientPortal: This will be our client application (www.myhospitalnow.local) that allows users to log in via the AuthServer.

Prerequisites:

XAMPP installed (which includes Apache and MySQL/MariaDB).
Composer installed globally.
A code editor (like Visual Studio Code).

Step 1: Configure Your Local Environment (XAMPP & Hosts)

This is the most critical step. We need to make your computer recognize auth.myhospitalnow.local and www.myhospitalnow.local as distinct websites.

1. Edit Your hosts File:
This file maps domain names to IP addresses.

Windows: C:\Windows\System32\drivers\etc\hosts (Open Notepad as Administrator to edit).
macOS/Linux: /etc/hosts (Use sudo nano /etc/hosts in the terminal).

Add the following lines to the end of the file:

127.0.0.1   auth.myhospitalnow.local
127.0.0.1   www.myhospitalnow.local

2. Configure Apache Virtual Hosts:

Open your XAMPP control panel and stop Apache.
Navigate to your XAMPP installation folder, then apache\conf\extra\.
Open the file httpd-vhosts.conf in your code editor.
Add the following configuration to the end of the file. Make sure to replace C:/xampp/htdocs/ with the actual path to your XAMPP htdocs folder.

# Virtual Host for the Authentication Server
<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/AuthServer/public"
    ServerName auth.myhospitalnow.local
    <Directory "C:/xampp/htdocs/AuthServer/public">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# Virtual Host for the Patient Portal Client
<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/PatientPortal/public"
    ServerName www.myhospitalnow.local
    <Directory "C:/xampp/htdocs/PatientPortal/public">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Now, open apache\conf\httpd.conf and find the line #Include conf/extra/httpd-vhosts.conf. Remove the # at the beginning to enable it.
Start Apache from the XAMPP control panel.

Step 2: Build the Authentication Server (`AuthServer`)

1. Create the Laravel Project:
Open your terminal/command prompt, navigate to your htdocs folder, and run:

cd C:\xampp\htdocs
composer create-project laravel/laravel AuthServer

2. Configure the Database:

Open phpMyAdmin (http://localhost/phpmyadmin).
Create a new database named auth_server_db.
Open the .env file in the AuthServer project and update the database connection details:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=auth_server_db
DB_USERNAME=root
DB_PASSWORD=

3. Install and Configure Laravel Passport (Our OAuth2 Server):

In your terminal, cd into the AuthServer project.

cd C:\xampp\htdocs\AuthServer

# Install Passport
composer require laravel/passport

# Run migrations to create user tables etc.
php artisan migrate

# Run Passport's installation command
php artisan passport:install

The passport:install command creates encryption keys and two special "clients" for issuing tokens.

4. Finalize Passport Setup:

app/Models/User.php: Add the HasApiTokens trait.

<?php
namespace App\Models;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Passport\HasApiTokens; // <-- Import this

class User extends Authenticatable
{
    use HasApiTokens, HasFactory, Notifiable; // <-- Add HasApiTokens here
    // ... rest of the file
}

app/Providers/AuthServiceProvider.php: Register Passport's routes in the boot() method.

<?php
namespace App\Providers;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport; // <-- Import this

class AuthServiceProvider extends ServiceProvider
{
    // ...
    public function boot(): void
    {
        $this->registerPolicies();
        Passport::routes(); // <-- Add this line
    }
}

config/auth.php: Change the api guard driver to passport.

'guards' => [
    // ...
    'api' => [
        'driver' => 'passport', // <-- Change 'token' to 'passport'
        'provider's' => 'users',
    ],
],

Our Auth Server is now ready!

Step 3: Build the Client Application (`PatientPortal`)

1. Create the Laravel Project:
In your terminal, from the htdocs folder, run:

cd C:\xampp\htdocs
composer create-project laravel/laravel PatientPortal

2. Configure Its Database (Optional but good practice):
Create another database in phpMyAdmin called patient_portal_db and update the .env file in the PatientPortal project.

3. Install Guzzle:
This HTTP client will be used to talk to the Auth Server from our backend.

cd C:\xampp\htdocs\PatientPortal
composer require guzzlehttp/guzzle

Step 4: Connect the Two Applications

1. Create an OAuth Client on the AuthServer:

In your terminal, cd into the AuthServer project.
Run the following command to create a client for our PatientPortal:

php artisan passport:client --authorization_code

The command will ask you for:
- User ID: You can leave this blank for now. Press Enter.
  - Client name: Enter Patient Portal
  - Redirect URI: Enter http://www.myhospitalnow.local/auth/callback
It will output a Client ID and Client Secret. Copy these immediately!

2. Store Credentials in the PatientPortal:

Open the .env file in the PatientPortal project.
Add the following lines, pasting the values you just copied.

# ... other variables

# Auth Server Details
AUTH_SERVER_URL=http://auth.myhospitalnow.local
AUTH_SERVER_CLIENT_ID=your_client_id_here
AUTH_SERVER_CLIENT_SECRET=your_client_secret_here
AUTH_SERVER_REDIRECT_URI=http://www.myhospitalnow.local/auth/callback

Step 5: Implement the Login Flow in `PatientPortal`

1. Create Routes (routes/web.php in PatientPortal):

<?php
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\AuthController;

// Welcome page
Route::get('/', function () {
    return view('welcome');
})->name('home');

// Routes for our OAuth flow
Route::get('/login', [AuthController::class, 'login'])->name('login');
Route::get('/auth/callback', [AuthController::class, 'callback']);
Route::get('/logout', [AuthController::class, 'logout'])->name('logout');

// A protected route to test our API call
Route::get('/my-profile', [AuthController::class, 'getProfile'])->name('profile');

2. Create the Controller (AuthController):
Run php artisan make:controller AuthController in the PatientPortal terminal.
Open app/Http/Controllers/AuthController.php and paste this code:

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Str;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $request->session()->put('state', $state = Str::random(40));

        $query = http_build_query([
            'client_id' => env('AUTH_SERVER_CLIENT_ID'),
            'redirect_uri' => env('AUTH_SERVER_REDIRECT_URI'),
            'response_type' => 'code',
            'scope' => '', // You can define scopes here like 'read-profile'
            'state' => $state,
        ]);

        return redirect(env('AUTH_SERVER_URL') . '/oauth/authorize?' . $query);
    }

    public function callback(Request $request)
    {
        $state = $request->session()->pull('state');

        throw_unless(strlen($state) > 0 && $state === $request->state, \InvalidArgumentException::class);

        $response = Http::asForm()->post(env('AUTH_SERVER_URL') . '/oauth/token', [
            'grant_type' => 'authorization_code',
            'client_id' => env('AUTH_SERVER_CLIENT_ID'),
            'client_secret' => env('AUTH_SERVER_CLIENT_SECRET'),
            'redirect_uri' => env('AUTH_SERVER_REDIRECT_URI'),
            'code' => $request->code,
        ]);

        // Store tokens and user info in the session
        $request->session()->put($response->json());

        return redirect()->route('home');
    }

    public function getProfile(Request $request)
    {
        $accessToken = $request->session()->get('access_token');

        // Call the Auth Server's API
        $response = Http::withHeaders([
            'Accept' => 'application/json',
            'Authorization' => 'Bearer ' . $accessToken,
        ])->get(env('AUTH_SERVER_URL') . '/api/user');
        
        // For demonstration, we just dump the response
        return $response->json();
    }
    
    public function logout(Request $request) {
        $request->session()->flush();
        return redirect()->route('home');
    }
}

3. Update the View (resources/views/welcome.blade.php):
Replace the content of this file with:

<!DOCTYPE html>
<html>
<head>
    <title>Patient Portal</title>
</head>
<body>
    <h1>Welcome to the Patient Portal</h1>
    @if(session()->has('access_token'))
        <p>You are logged in!</p>
        <p><a href="{{ route('profile') }}">View My Profile (from Auth Server)</a></p>
        <p><a href="{{ route('logout') }}">Logout</a></p>
    @else
        <p><a href="{{ route('login') }}">Login with HospitalNow Auth</a></p>
    @endif
</body>
</html>

Step 6: Create a User and Test Everything

1. Create a Test User on the AuthServer:

In your terminal, cd into the AuthServer project.
Run php artisan tinker.
Inside tinker, create a user:

\App\Models\User::create([
    'name' => 'John Patient',
    'email' => 'john@patient.com',
    'password' => bcrypt('password')
]);

Type exit to leave tinker.

2. The Final Test:

Open your browser and go to http://www.myhospitalnow.local. You should see the "Login" link.
Click the "Login" link.
You will be redirected to http://auth.myhospitalnow.local. You'll see a Laravel login form.
Log in with the credentials: john@patient.com and password.
You will be presented with an "Authorization" screen asking if you want to allow "Patient Portal" to access your account. Click Authorize.
You will be redirected back to http://www.myhospitalnow.local. It should now say "You are logged in!".
Click the "View My Profile" link. You should see the JSON data for John Patient, which was securely fetched from the AuthServer's API using your access token!

You have successfully implemented a centralized authentication system on your local machine! You can now expand on this by creating Doctor and Hospital portals, adding more roles/permissions, and building out the resource microservices.

RajeshKumar1

Step-by-Step Guide to Implement OAuth2 and JWT Authentication & Authorization with Laravel and XAMPP

Step 1: Setting Up XAMPP

Install XAMPP: Download and install from https://www.apachefriends.org/.
Start Apache and MySQL services from the XAMPP control panel.

Step 2: Laravel Project Setup

Install Composer: Download from https://getcomposer.org/.
Create Laravel Project:

composer create-project laravel/laravel myhospitalnow
cd myhospitalnow

Configure Database: Open .env file and set your MySQL credentials:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=myhospitalnow
DB_USERNAME=root
DB_PASSWORD=

Run Migrations:

php artisan migrate

Step 3: Install Laravel Passport (OAuth2)

Install Laravel Passport:

composer require laravel/passport

Run Passport Migrations and Generate Keys:

php artisan migrate
php artisan passport:install

Add Passport to AuthServiceProvider (app/Providers/AuthServiceProvider.php):

use Laravel\Passport\Passport;

public function boot()
{
    $this->registerPolicies();
    Passport::routes();
}

Update Auth Config (config/auth.php):

'guards' => [
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
],

Step 4: Create Authentication Controllers

Generate Controllers:

php artisan make:controller AuthController

Define login, logout, and token issuance methods within AuthController.php.

Step 5: JWT Token Role Claims

Customize Token Generation:
Extend Laravel Passport’s User model to include roles in tokens.

public function findForPassport($username)
{
    return $this->where('email', $username)->first();
}

public function getJWTCustomClaims()
{
    return ['role' => $this->role];
}

Step 6: Middleware for RBAC

Create Middleware:

php artisan make:middleware RoleMiddleware

Implement Role Validation (RoleMiddleware.php):

public function handle($request, Closure $next, $role)
{
    if ($request->user()->tokenCan($role)) {
        return $next($request);
    }
    return response()->json(['error' => 'Unauthorized'], 403);
}

Register Middleware in app/Http/Kernel.php:

protected $routeMiddleware = [
    'role' => \App\Http\Middleware\RoleMiddleware::class,
];

Step 7: API Gateway and Routing

Create Routes in routes/api.php:

Route::middleware('auth:api', 'role:patient')->group(function () {
    Route::get('/patient/profile', 'PatientController@profile');
});

Route::middleware('auth:api', 'role:doctor')->group(function () {
    Route::get('/doctor/profile', 'DoctorController@profile');
});

Step 8: Testing with Postman

Test Authentication and Token Issuance by calling the login endpoint.
Use issued JWT tokens to test protected endpoints for different roles.

Step 9: Frontend Integration (Flutter)

Use HTTP Client in Flutter to call authentication endpoints.
Store JWT tokens securely using flutter_secure_storage.
Include JWT in HTTP headers for authenticated API calls.

Best Practices

Secure endpoints via HTTPS.
Implement rate limiting (Laravel Throttle).
Centralize error handling and audit logging for secure monitoring.

RajeshKumar1

Here’s a step-by-step guide to implement a centralized authentication and RBAC system for your Laravel microservices using JWT (with the option to use OAuth2 via Laravel Passport, if you require OAuth2 features), running locally with XAMPP and MySQL.

1. Set Up Your Laravel Project with XAMPP

Ensure XAMPP is running (Apache and MySQL).
Create your database (e.g., myhospitalnow) via phpMyAdmin or MySQL CLI.

composer create-project laravel/laravel myhospitalnow
cd myhospitalnow

Configure your .env file for database connection:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=myhospitalnow
DB_USERNAME=root
DB_PASSWORD=

2. Install JWT Authentication Package

The most popular JWT package for Laravel is [tymon/jwt-auth] or [php-open-source-saver/jwt-auth][1][2][3].

composer require php-open-source-saver/jwt-auth

Publish the config file:

php artisan vendor:publish --provider="PHPOpenSourceSaver\JWTAuth\Providers\LaravelServiceProvider"

Generate JWT secret:

php artisan jwt:secret

This adds JWT_SECRET=... to your .env file.

3. Configure Laravel Authentication to Use JWT

Edit config/auth.php:

'defaults' => [
    'guard' => 'api',
    'passwords' => 'users',
],

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'jwt',
        'provider' => 'users',
    ],
],

4. Create User Models and Migrations

If not already present, create models and migrations for your user types (Patient, Doctor, Hospital, Nurse):

php artisan make:model Patient -m
php artisan make:model Doctor -m
php artisan make:model Hospital -m
php artisan make:model Nurse -m

Define the necessary fields in each migration (e.g., name, email, password, role, etc.), then run:

php artisan migrate

5. Build Authentication Controllers

Create an AuthController for login, register, logout, refresh, etc.

php artisan make:controller AuthController

Example login method:

public function login(Request $request)
{
    $credentials = $request->only('email', 'password');
    if (!$token = auth()->attempt($credentials)) {
        return response()->json(['error' => 'Unauthorized'], 401);
    }
    return $this->respondWithToken($token);
}

protected function respondWithToken($token)
{
    return response()->json([
        'access_token' => $token,
        'token_type' => 'bearer',
        'expires_in' => auth()->factory()->getTTL() * 60,
        'user' => auth()->user()
    ]);
}

6. Set Up Role-Based Access Control (RBAC)

Create a roles table and a pivot table (e.g., role_user) if users can have multiple roles.
Use a package like Spatie Laravel Permission or build your own logic.

composer require spatie/laravel-permission
php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider"
php artisan migrate

In your User model:

use Spatie\Permission\Traits\HasRoles;

class User extends Authenticatable
{
    use HasRoles;
}

Assign roles during registration or via admin panel.
Protect routes using middleware:

Route::group(['middleware' => ['role:doctor']], function () {
    // doctor-only routes
});

7. Protect Your API Routes

In routes/api.php, use the auth:api middleware:

Route::middleware(['auth:api'])->group(function () {
    Route::get('/user', function () {
        return auth()->user();
    });
    // More protected routes...
});

8. Implement Centralized Login Flow

All login/register requests (/, /doctors/, /hospitals/) should POST to a single endpoint (e.g., /api/login).
After authentication, redirect or respond with the JWT token.
The frontend for each portal stores the JWT (preferably in an HTTP-only cookie or local storage) and attaches it to all API requests.

9. API Gateway (Optional for Local Dev)

For local development, you can use Laravel as a single entry point.
For production, use an API Gateway (e.g., Kong, NGINX) to route requests and validate tokens before passing to microservices.

10. Security Best Practices

Always use HTTPS (set up SSL in XAMPP for local dev).
Store JWTs in HTTP-only, Secure cookies if possible.
Set short token expiration and implement refresh tokens.
Log all authentication and authorization events.
Regularly update dependencies for security patches.
[3]

11. Testing

Use Postman or your frontend to test login, registration, and protected endpoints.
Check that users with the right roles can access appropriate resources.

12. (Optional) OAuth2 with Laravel Passport

If you require OAuth2 features (third-party login, token revocation, etc.), use Laravel Passport:

php artisan install:api --passport
php artisan migrate

Update config/auth.php to use 'driver' => 'passport' for the api guard.
Follow [Laravel Passport documentation][4] for client setup and flows.

References Used

[Building a Secure Laravel API with JWT Authentication][2]
[Securing Your Laravel Backend REST API][3]
[Laravel JWT authentication tutorial][5]
[Laravel Passport documentation][4]
[Implementing RBAC in Laravel][6]

With this setup, you’ll have a robust, centralized JWT-based authentication and RBAC system for your Laravel microservices running on XAMPP. If you need code samples for a specific controller or middleware, let me know!

[1] https://blog.logrocket.com/implementing-jwt-authentication-laravel-11/
[2] https://alexhost.com/faq/building-a-secure-laravel-api-with-jwt-authentication/
[3] https://dev.to/asfiaaiman/securing-your-laravel-backend-rest-api-a-comprehensive-guide-ll2
[4] https://laravel.com/docs/11.x/passport
[5] https://www.youtube.com/watch?v=PjXbF1UHvdg
[6] https://www.permit.io/blog/how-to-implement-role-based-access-control-rbac-in-laravel
[7] https://gist.github.com/yaza-putu/b1892eb8373a13d6ae1e1e016907ef0e
[8] https://dev.to/leanm/laravel-rest-api-with-jwt-authentication-for-login-and-role-based-permissions-2p56
[9] https://developer.auth0.com/resources/code-samples/api/laravel/basic-role-based-access-control
[10] https://github.com/AsifOnTheCode/Laravel-API-CRUD-with-JWT-Authentication
[11] https://www.linkedin.com/pulse/laravel-11-jwt-authentication-step-by-step-guide-keys-housni-benabid-g5m9e
[12] https://stackoverflow.com/questions/79507020/attribute-a-role-to-a-user-for-rbac-authorization-when-using-oauth
[13] https://developer.auth0.com/resources/guides/api/laravel/basic-authorization
[14] https://www.udemy.com/course/phprestapi/
[15] https://laracasts.com/discuss/channels/laravel/best-way-to-implement-jwt-authentication-in-laravel
[16] https://docs.logto.io/api-protection/php/laravel
[17] https://packalyst.com/s/auth
[18] https://packagist.org/search/?tags=authentication
[19] https://bshaffer.github.io/oauth2-server-php-docs/cookbook/laravel/
[20] https://github.com/diimolabs/laravel-oauth2-client
[21] https://github.com/JaberWiki/laravel-AAuth
[22] https://packagist.org/packages/emiljimenez21/laravel-jwt-auth
[23] https://stackoverflow.com/questions/55662469/php-rest-how-do-i-implement-a-role-based-access-of-my-api
[24] https://dev.to/wnikk/how-use-access-control-rules-and-grud-in-laravel-10-tutorial-step-by-step-307a