Laravel Passport - 使用邮递员进行身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/47460996/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Laravel Passport - Authenticate using postman
提问by fightstarr20
I have setup Passport in Laravel 5 and am creating a token when a user registers by using this..
我在 Laravel 5 中设置了 Passport 并且在用户使用它注册时创建了一个令牌..
$user->createToken('My Token')->accessToken;
When I create a new user then I can see an entry in the oauth_access_tokens table that looks like this, I have shortened the id for display...
当我创建一个新用户时,我可以在 oauth_access_tokens 表中看到一个看起来像这样的条目,我缩短了显示的 id...
id | user_id | client_id | name | scopes | revoked
-----------------------------------------------------------
765765 | 193 | 1 | My Token | [] | 0
The API route I want to allow access to is protected, now I am trying to allow access by passing the following headers in Postman...
我想允许访问的 API 路由受到保护,现在我试图通过在 Postman 中传递以下标头来允许访问...
Authorization | Bearer 765765
Accept | application/json
But this is returning a response of unauthenticated, where am I going wrong?
但这是返回未经身份验证的响应,我哪里出错了?
回答by Jonathon
Laravel Passport uses oAuth2. It's not as simple as generating a user token and being able to use it to authenticate. oAuth2 requires another step, which is called a token exchange.
Laravel Passport 使用 oAuth2。它不像生成用户令牌并能够使用它进行身份验证那么简单。oAuth2 需要另一个步骤,称为令牌交换。
You will have seen the oAuth2 process in action when you log into a website with Facebook. You click the login with Facebook button and you are sent to Facebook and you are presented with a dialog where you're asked to confirm or deny an app access to your account (Usually, specific parts of your account, a.k.a scopes).
当您使用 Facebook 登录网站时,您将看到 oAuth2 流程的运行情况。您单击使用 Facebook 登录按钮,您将被发送到 Facebook,您会看到一个对话框,要求您确认或拒绝应用程序访问您的帐户(通常是您帐户的特定部分,又名scopes)。
That website will have it's own client account with Facebook and will have its own client IDand client secret. When you click that button, the website sends you to Facebook in order to gain your permission and an authorization code from Facebook. The website passes its client ID, requested permissions (scopes), a randomly generated session state (So it can verify later) and a URL to redirect to Facebook where you are shown the dialog.
该网站将拥有自己的 Facebook 客户帐户,并将拥有自己的client ID和client secret. 当您单击该按钮时,该网站会将您发送到 Facebook,以便从 Facebook 获得您的许可和授权代码。该网站传递其client ID请求的权限 ( scopes)、随机生成的会话状态(以便稍后验证)和重定向到 Facebook 的 URL,您将在其中看到对话框。
When you accept, Facebook generates what is called an authorization codeand sends you back on your way to the website (The redirect URL specified) along with the sessions state (So the website is able to verify the request) and the authorization code.
当您接受时,Facebook 会生成所谓的 anauthorization code并将您发送回网站(指定的重定向 URL)以及会话状态(因此网站能够验证请求)和授权代码。
The website, on its back end will then ask Facebook to exchange your authorization code for an access tokenand will provide its client IDand client secretso Facebook is able to verify its authenticity. Facebook then responds with an access tokenand an expiry time.
然后,该网站在其后端会要求 Facebook 将您的授权代码交换为一个access token并提供它client ID,client secret因此 Facebook 能够验证其真实性。Facebook 然后回复一个access token和一个到期时间。
Now, the website is able to access your account using the access token to be able to grab the requested information (Such as your email address for login).
现在,该网站可以使用访问令牌访问您的帐户,以获取请求的信息(例如您用于登录的电子邮件地址)。
It's also possible to do skip a lot of this process and not require the user to have to follow the whole redirection flow. To do this, (In Passport at least), you will need a password grant client. This is usually what you would do if you are using oAuth2 to authenticate an API.
也可以跳过很多这个过程,而不需要用户必须遵循整个重定向流程。为此,(至少在 Passport 中),您需要一个密码授予客户端。如果您使用 oAuth2 对 API 进行身份验证,这通常是您要做的。
The process here would be to generate a password grant client:
这里的过程是生成密码授予客户端:
php artisan passport:client --password
In your database, the you will find in the oauth_clientstable, a password grant client with a client ID and secret. You would need to give this to whoever is consuming your API (Such as a mobile/cellphone app).
在您的数据库中,您将在oauth_clients表中找到一个带有客户端 ID 和密码的密码授予客户端。您需要将其提供给使用您的 API 的任何人(例如移动/手机应用程序)。
Now when your user wants to log in, the consumer of your API (In this case Postman) would need to provide the user's credentials (username/password) as well as the client ID and secret for your password grant client. It's also necessary to tell Passport that you want to authorize via password grant.
现在,当您的用户想要登录时,您的 API 的使用者(在本例中为 Postman)需要提供用户的凭据(用户名/密码)以及您的密码授予客户端的客户端 ID 和密码。还需要告诉 Passport 您想通过密码授权进行授权。
The example given in the docs looks like this:
文档中给出的示例如下所示:
$response = $http->post('http://your-app.com/oauth/token', [
'form_params' => [
'grant_type' => 'password',
'client_id' => 'client-id',
'client_secret' => 'client-secret',
'username' => '[email protected]',
'password' => 'my-password',
'scope' => '',
],
]);
When successful, Passport will return a 200 response and will return some JSON containing an access token and a refresh token. You use the access token to access the user's account and you use the refresh token to get a new access token (without requiring the user to log in again).
成功后,Passport 将返回 200 响应并返回一些包含访问令牌和刷新令牌的 JSON。您使用访问令牌访问用户的帐户,并使用刷新令牌获取新的访问令牌(无需用户再次登录)。
It is this access token that you need to provide as the Bearer in your Authorization header.
您需要在 Authorization 标头中提供此访问令牌作为 Bearer。
