Passport Laravel Package

laravel/passport

Laravel Passport provides a full OAuth2 server for Laravel, making API authentication simple with access tokens, personal access tokens, and client credentials. Officially maintained, with extensive docs and integrations for securing first- and third-party APIs.


Technical Evaluation

Architecture Fit

Laravel Passport is a native OAuth2 server implementation for Laravel, designed to integrate seamlessly with Laravel’s ecosystem (e.g., Eloquent, middleware, routing). It aligns well with:

  • API-first architectures requiring standardized authentication (e.g., REST, GraphQL, or microservices).
  • Headless authentication (compatible with Laravel Jetstream/Breeze for UI-agnostic auth).
  • Token-based security (JWT, access tokens, refresh tokens) with granular scope control.
  • Multi-tenant or B2B systems needing client credentials flow (machine-to-machine auth).

Key Strengths:

  • Standardized OAuth2 flows: Authorization code, client credentials, password, and implicit (deprecated) grants.
  • Token revocation & rotation: Built-in support for revoking tokens and managing refresh tokens.
  • Middleware integration: Native Laravel middleware (auth:api) for protecting routes.
  • Extensibility: Custom token generators, user providers, and client logic via hooks/events.

Potential Gaps:

  • No built-in OAuth2 client library: Requires pairing with libraries like guzzlehttp/oauth2-client for client-side flows.
  • Limited PKCE support: While supported, PKCE (Proof Key for Code Exchange) requires manual configuration for public clients.
  • State management: Authorization code flow relies on Laravel’s session; stateless setups need additional handling.

Integration Feasibility

| Component | Feasibility | Notes |
|---|---|---|
| Laravel Core | ✅ High | Designed for Laravel; leverages Eloquent, events, and middleware. |
| Database | ✅ High | Uses oauth_clients, oauth_scopes, personal_access_tokens tables (migrations provided). |
| API Routes | ✅ High | Predefined OAuth2 endpoints (/oauth/token, /oauth/authorize). |
| Third-Party Clients | ✅ Medium | Requires client libraries (e.g., Postman, mobile apps) to interact with /oauth/token. |
| Existing Auth Systems | ✅ Medium | Can integrate with Laravel’s default auth (e.g., users table) or custom user providers. |
| Token Storage | ✅ High | Supports database-backed tokens (default) or custom storage (e.g., Redis). |
| Rate Limiting | ⚠️ Manual | Requires integration with Laravel’s rate-limiting middleware or third-party packages. |

Critical Dependencies:

  • Laravel Framework: Minimum v10.x (v13.x of Passport supports Laravel 13).
  • PHP Extensions: bcmath, openssl, pdo_* (for database).
  • JWT Library: firebase/php-jwt (for token encoding/decoding).

Technical Risk

| Risk Area | Severity | Mitigation Strategy |
|---|---|---|
| Token Leakage | High | Enforce HTTPS, use Passport::hashClientSecrets(), and rotate secrets regularly. |
| Client ID/Secret Collision | High | Avoid user IDs matching client IDs (fixed in v13.7.2); use UUIDs for clients. |
| Deprecated Flows | Medium | Avoid implicit grant; prefer authorization code + PKCE for SPAs. |
| Database Schema Changes | Medium | Review oauth_clients table changes in upgrade guides (e.g., UUIDs in v13.x). |
| Performance | Medium | Optimize token queries (e.g., index revoked column); cache client lookups. |
| Custom User Providers | Medium | Ensure findForPassport() is implemented correctly for non-standard user models. |
| Token Revocation Latency | Low | Use database transactions for revocation to avoid race conditions. |

Security Considerations:

  • Client Secrets: Always hashed (since v13.x); never store plaintext.
  • Token Scopes: Enforce scope validation via middleware (e.g., Passport::scope()).
  • CORS: Configure trusted hosts for token issuance (Passport::tokensExpireIn()).
  • Logging: Audit token issuance/revocation (e.g., Laravel’s auth.log).

Key Questions for Stakeholders

  1. Authentication Flows:
     • Which OAuth2 flows are required? (e.g., authorization code for web, client credentials for APIs).
     • Will public clients (e.g., SPAs) need PKCE? If so, how will you handle state management?
  2. Token Strategy:
     • Should tokens be JWTs (stateless) or database-backed (stateful)?
     • What are the desired token lifetimes (e.g., access tokens: 1 hour, refresh tokens: 30 days)?
  3. User Model Integration:
     • Is the user model standard (id as primary key) or custom? If custom, how will findForPassport() work?
     • Will users have multiple roles/scopes? If so, how will scope resolution work?
  4. Client Management:
     • How will client credentials (IDs/secrets) be distributed and rotated?
     • Will clients be dynamic (e.g., created via API) or static?
  5. Compliance:
     • Are there regulatory requirements (e.g., GDPR for token revocation, SOC2 for logging)?
     • Will you need custom audit trails for OAuth events?
  6. Performance:
     • What are the expected API request volumes? (May require Redis for token storage.)
     • Are there plans for horizontal scaling? (Stateless tokens simplify this.)
  7. Migration:
     • Are you upgrading from an older Passport version or starting fresh?
     • Do you need to preserve existing tokens/clients during migration?
  8. Monitoring:
     • How will failed auth attempts or token abuses be monitored?
     • Will you integrate with SIEM tools (e.g., Splunk, Datadog)?
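The "Logging: audit token issuance/revocation" consideration above and the monitoring question (8) both come down to hooking Passport's own events. The listener below is an added example, not code from laravel/passport; the class name, log message names, the 5-minute window and the 100-token threshold are our assumptions, while Laravel\Passport\Events\AccessTokenCreated and its tokenId/userId/clientId properties are Passport's.

```php
<?php
// app/Listeners/AuditTokenIssued.php (class name and threshold are ours)
namespace App\Listeners;

use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Log;
use Laravel\Passport\Events\AccessTokenCreated;

class AuditTokenIssued
{
    // Tokens issued to one client inside a window before we raise an alert
    // (assumed values; tune to real traffic).
    private const WINDOW_MINUTES = 5;
    private const SPIKE_THRESHOLD = 100;

    public function handle(AccessTokenCreated $event): void
    {
        // Record identifiers only: never the token string or a client secret.
        $context = [
            'token_id'  => $event->tokenId,
            'user_id'   => $event->userId,   // null for client_credentials grants
            'client_id' => $event->clientId,
            'ip'        => request()->ip(),
        ];
        Log::info('oauth.access_token.created', $context);

        // Cheap per-client issuance-rate check: Cache::add() only seeds the
        // counter when no window is open, Cache::increment() counts from there.
        $key = 'oauth:issued:' . $event->clientId;
        Cache::add($key, 0, now()->addMinutes(self::WINDOW_MINUTES));
        if (Cache::increment($key) > self::SPIKE_THRESHOLD) {
            // Feed this to your SIEM: a burst of tokens for one client usually
            // means a leaked secret or a runaway integration.
            Log::warning('oauth.access_token.issuance_spike', $context);
        }
    }
}

// Laravel 11+ discovers listeners in app/Listeners automatically; on older
// versions register it in AppServiceProvider::boot():
//   Event::listen(AccessTokenCreated::class, AuditTokenIssued::class);
```

Passport also dispatches RefreshTokenCreated; the same listener shape applies if refresh-token issuance needs an audit trail.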

Integration Approach

Stack Fit

Laravel Passport is optimized for:

  • Laravel-based APIs: REST, GraphQL, or microservices.
  • Monolithic or modular architectures: Works with Laravel’s service containers and packages.
  • Hybrid auth systems: Can coexist with Laravel’s default auth (e.g., sessions for web, Passport for APIs).
  • Headless setups: Compatible with Laravel Jetstream/Breeze for UI-agnostic auth.

Compatibility Matrix:

| Stack Component | Compatibility | Notes |
|---|---|---|
| Laravel Framework | ✅ Full | Native integration; no additional glue code needed. |
| Eloquent Models | ✅ Full | Uses Eloquent for Client, Token, and Scope models. |
| Laravel Middleware | ✅ Full | auth:api middleware for route protection. |
| Laravel Events | ✅ Full | Fires events like passport.token.created. |
| Laravel Queues | ✅ Partial | Token revocation can be queued for async processing. |
| Laravel Horizon | ✅ Partial | Useful for async token cleanup jobs. |
| Redis | ✅ Partial | Recommended for token storage in high-traffic systems. |
| Database (MySQL/PostgreSQL) | ✅ Full | Default storage; supports migrations. |
| JWT Libraries | ✅ Full | Uses firebase/php-jwt (v6+). |
| OAuth2 Client Libraries | ⚠️ Manual | Clients must use libraries like guzzlehttp/oauth2-client to interact with /oauth/token. |
| GraphQL | ✅ Partial | Works with Laravel GraphQL (e.g., laravel-graphql), but requires manual auth directive setup. |
| Vue/React (SPAs) | ✅ Partial | Needs PKCE for public clients; state management required for authorization code flow. |

Migration Path

New Implementation

  1. Setup:
     • Install via Composer: composer require laravel/passport.
     • Publish migrations/config: php artisan passport:install.
     • Run migrations: php artisan migrate.
     • Hash client secrets: php artisan passport:hash.
  2. Configuration:
     • Configure config/auth.php to use passport guard for API routes.
     • Set token TTLs in config/auth.php (e.g., tokensExpireIn, refreshTokensExpireIn).
     • Define scopes in config/auth.php or dynamically via OAuthScopes.
  3. Routes:
     • Include Passport’s routes in routes/api.php:

```php
use Illuminate\Http\Request;

// Only requests carrying a valid Passport bearer token reach this closure.
Route::middleware('auth:api')->get('/user', fn (Request $request) => $request->user());
```
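The three steps above, carried through as one hardened configuration. This is an added example, not code from laravel/passport: the scope names and the /orders routes are ours; the guard entry, Passport::tokensExpireIn(), Passport::refreshTokensExpireIn(), Passport::tokensCan() and the CheckToken::using() middleware are the package's own (CheckToken::using is the Passport 13 form; earlier releases registered a scopes middleware alias instead), and Laravel 11+ is assumed.

```php
<?php
// config/auth.php (excerpt): send the "api" guard through Passport's token guard.
// 'guards' => [
//     'api' => ['driver' => 'passport', 'provider' => 'users'],
// ],

// app/Providers/AppServiceProvider.php
use Illuminate\Support\ServiceProvider;
use Laravel\Passport\Passport;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Short-lived access tokens, longer refresh tokens: a leaked access
        // token is only useful until it expires, and refresh tokens can be revoked.
        Passport::tokensExpireIn(now()->addHour());
        Passport::refreshTokensExpireIn(now()->addDays(30));

        // Declare every scope a client may request (names are ours); a request
        // for an undeclared scope is rejected at /oauth/token, so keep the list
        // minimal and least-privilege.
        Passport::tokensCan([
            'orders:read'  => 'Read your orders',
            'orders:write' => 'Place and cancel orders',
        ]);
    }
}

// routes/api.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Passport\Http\Middleware\CheckToken;

// auth:api authenticates the bearer token; CheckToken then requires every
// listed scope, so a read-only token gets a 403 here instead of placing an order.
Route::middleware(['auth:api', CheckToken::using('orders:write')])
    ->post('/orders', function (Request $request) {
        return response()->json(['placed_by' => $request->user()->getKey()]);
    });

// Finer-grained check inside the handler: tokenCan() comes from the
// HasApiTokens trait on the User model.
Route::middleware('auth:api')->get('/orders', function (Request $request) {
    abort_unless($request->user()->tokenCan('orders:read'), 403);
    return response()->json(['orders' => []]); // constructed placeholder payload
});
```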