- Can I use this package with Laravel 10 and PHP 8.2+ without compatibility issues?
- The package’s last release predates PHP 8.2, so you may encounter deprecation warnings or require manual adjustments. Test thoroughly with your stack, and consider forking or using a maintained alternative like `league/oauth2-server` if critical updates are needed. No native Laravel 10 support exists, so integration will require custom middleware or service providers.
- How do I store OAuth2 access tokens in Laravel’s database using Eloquent?
- The package doesn’t include built-in database abstraction, so you’ll need to create an `oauth_access_tokens` table and model manually. Define migrations for columns like `user_id`, `client_id`, `scopes`, and `expires_at`, then bind the model to the library’s storage layer. Example: `$server->setStorage(new EloquentTokenStorage(OAuthAccessToken::class));`
- Is this package suitable for replacing Laravel Passport in a multi-tenant API?
- Yes, this library supports multi-tenant authorization servers natively, unlike Passport’s single-tenant design. You’ll need to implement tenant-aware token validation and client storage, but its modularity makes it flexible for complex setups. Compare with `spatie/laravel-oauth-server` for Laravel-specific multi-tenancy features.
- Does this library support PKCE (Proof Key for Code Exchange) for SPAs or mobile apps?
- No, PKCE is not built into this package. You’ll need to implement it manually or use a wrapper like `league/oauth2-server`, which includes PKCE support. Without PKCE, your OAuth2 flows for SPAs or native apps are vulnerable to authorization code interception attacks.
- How do I integrate this with Laravel’s built-in Auth system (e.g., Auth::user())?
- The library doesn’t natively integrate with Laravel’s auth, so you’ll need to create custom middleware or guards to bridge OAuth identities with Laravel users. For example, validate tokens in middleware, then attach the user to the request manually. Use `Auth::loginUsingId($userId)` or session binding as needed.
- What are the security risks of using an outdated OAuth2 library in production?
- Outdated libraries may contain unpatched vulnerabilities (e.g., CVE-2023 in OAuth2 libraries). Run regular dependency audits with tools like `sensio-labs/security-checker` and monitor for PHP/OAuth2 RFC changes. Consider forking the repo or migrating to `league/oauth2-server` if security updates are critical.
- Can I use this package alongside Laravel Passport or Sanctum?
- Technically possible, but risky due to dependency conflicts (e.g., duplicate OAuth2 components). Isolate the packages in separate service containers or microservices, or choose one as your primary auth system. Avoid mixing unless you’re building a hybrid auth layer with clear boundaries.
- How do I add Redis caching for token validation performance?
- The library doesn’t include caching by default, but you can implement it by extending the storage layer. For example, cache token validation results in Redis using `Predis` or `Laravel Redis`, then bypass database checks for frequently accessed tokens. Measure performance gains before scaling.
- Are there Laravel-specific utilities (e.g., Artisan commands, config files) for this package?
- No, this is a Symfony-based library with no native Laravel integration. You’ll need to create your own Artisan commands, config files, and service providers. For example, publish a config file for OAuth2 settings or build a `php artisan oauth:generate:client` command for convenience.
- What’s the best alternative if I need OpenID Connect (OIDC) support in Laravel?
- For OIDC, use `league/oauth2-server` with the `league/oauth2-openid` extension or `knuckleswtf/vapor` (a Laravel-specific OIDC package). This library focuses on OAuth2 only, lacking OIDC features like ID tokens, userinfo endpoints, or dynamic client registration. Evaluate your needs carefully—OIDC adds complexity.